SOURCE: Osterman Research

Osterman Research

June 19, 2013 10:00 ET

Osterman Research: Current File Sync and Share Fraught With Security, Governance and Control Issues for Corporate IT

Enterprise Market Expected to Grow Significantly

BLACK DIAMOND, WA--(Marketwired - Jun 19, 2013) - Osterman Research, an independent analyst research firm, today released research indicating an enterprise file sync and share market that is growing rapidly, but that is not fully meeting the needs of corporate governance requirements.

According to the research, file-sharing and synchronization (FSS) tools are widely used today and will represent a Total Available Market of $106 billion by 2017. However, most of the FSS tools in use today are low-cost, cloud-based solutions that do not provide sufficient enterprise-grade features. While these tools most often work as advertised, they create serious risks for corporate governance. Virtually all organizations should, therefore, deploy enterprise-grade solutions that will mitigate the risks imposed by commonly used FSS tools.

"Corporate IT faces a tremendous challenge from any FSS app that does not satisfy enterprise requirements for data protection and IT control over corporate content," said Michael Osterman, president, Osterman Research, Inc. "Until IT can once again regain control of their data, they risk serious regulatory, governance and security issues."

Serious Problems with Current FSS Tools
It is important to note that the FSS market is not a monolith. Many of the free or low-cost, cloud-based tools provide robust functionality but are seriously lacking in enterprise-grade features, as discussed below. A minority of FSS tools in use are truly enterprise grade, meaning that most use of FSS today imposes significant risk on several levels.

Minimal or no compliance and governance capabilities
Content shared using most FSS tools is normally not encrypted unless the user specifically chooses to do so and installs additional software to encrypt the content. Consequently, sensitive or confidential corporate data can be sent over the Internet and stored in a third party's cloud data center unencrypted, possibly exposing it to interception in violation of regulatory obligations (e.g., the Health Insurance Portability and Accountability Act [HIPAA], the Payment Card Industry Data Security Standards [PCI DSS], or various state data breach statutes). For example, Dropbox encrypts customer data on the server, but not at the client.

Minimal IT control over content
A serious shortcoming of most FSS solutions is that they provide IT with little control over the lifecycle of data. For example, these tools typically do not offer any control over when content will expire, they provide no policy-managed encryption, and they do not provide any policy-managed permissions or access control. Moreover, corporate policies that manage encryption, backup, archiving or DLP for content sent through email or FTP systems cannot be applied to content sent through most FSS tools. In short, the lack of IT control over the content sent through most of these tools puts the employee in charge of employer-owned data, when in reality the opposite should be true. As shown in the figure on the next page, the proportion of Dropbox deployments under control of individual employees -- and not IT -- increases with the size of the organization.

eDiscovery and regulatory compliance are more difficult
When content is stored in an FSS vendor's data center, accessing it for purposes of eDiscovery or a regulatory audit becomes impractical or impossible because IT must gain access to every account and then search it, assuming they are even able to do so. Moreover, tools like Dropbox are not compliant with a number of compliance standards like HIPAA, PCI DSS, ISO 27001, ISO 9001 or the Family Educational Rights and Privacy Act (FERPA).

Security capabilities are sometimes lacking
Another problem with many cloud-based FSS tools is that they typically do not scan content for spam or malware. This allows content from an unprotected home computer or smartphone, for example, to be infected with malware, uploaded to the cloud, and then downloaded to a user's work computer. This circumvents in-house security systems and permits malware to penetrate corporate defenses much more easily. Dropbox, for example, admits that it does not scan for malware: in a February 2012 forum post, a Dropbox moderator noted that "Checking [for malware] will only be done on your own machine after it has downloaded."

No control over the physical location of data storage
Most cloud-based FSS providers do not allow their customers to control the physical location of data storage. This can lead to regulatory problems or other issues in jurisdictions that require sensitive data to be stored only in certain geographies. For example, a non-US company will typically prefer that its data not be stored in a US-based data center in order to avoid its access under the PATRIOT Act. Some types of data held by countries in the EU are required to be stored only in certain geographies.

Mixed corporate and personal data
Another problem with the use of many FSS tools is that they can be used to send and share a mix of corporate and personal content because employees are in charge of their management, not IT. For example, mixed with sensitive company information might be an employee's personal photos, résumé, recipes or personal tax returns. This not only makes activities like eDiscovery or regulatory compliance more difficult because reviewers must sort through personal data as they search for corporate records, but it raises the often onerous issue of employee privacy rights. This can be a very serious issue in some jurisdictions.

About Osterman Research Inc.
Osterman Research helps vendors, IT departments and other organizations make better decisions through the acquisition and application of relevant, accurate and timely data on markets, market trends, products and technologies. We also help vendors of technology-oriented products and services to understand the needs of their current and prospective customers through rigorous primary market research and in-depth analysis.

Contact Information