Dropbox, Box, SugarSync, SkyDrive – or whatever it is now to be called.
These and other cloud storage suppliers should be enough to send any business person concerned with governance, risk and compliance into paroxysms.
The uncontrolled use of external file storage/share systems is a major threat to the management of an organisation’s intellectual property, yet banning their use is not a real option either.
Cloud file storage is here to stay – gaining better enterprise control over how it is used has to be the aim.
The use of a cloud-based file sharing system can actually be a good thing.
In the past, the main way of “sharing” a document was to email it.
A lot of “sharing” was not sharing at all – it was a case of the user needing to work on a document from home and so emailing it to themselves so that they could access it from a different machine.
The problem then became the number of different versions of a document that existed – and which one was deemed to be “live”.
Too often, a user would pick up the wrong version and do extra work on it, leading to errors in the overall information contained in the document.
The additional technical costs of storing, archiving and searching across multiple different copies of essentially the same file also counted against this kind of information sharing being a strategic option – as well as the security issues of how emails can be so easily moved around.
Accessing documents from different devices
The growth of mobile devices has led to an increasing need for an individual to be able to access documents from different devices. Rather than use email, users are now turning to cloud-based storage systems.
This gives them a single version of a document to work on, with the benefit of knowing that no matter what device they come in from, it will be the latest version. Cloud storage is also off-premise – this can be good news if anything happens to the primary file store; the cloud provides a direct backup for the files without the need for the user to go through internal help desks and data recovery processes.
So, there is goodness in cloud storage systems but the amount of information lying outside the reach and control of the organisation still means that something has to be done to make it work for the user – and the organisation.
This means viewing cloud storage from a multi-user point of view, not just the individual’s. Teams often need to collaborate on documents and making sure everyone is working with the correct version is more important than when just one person is involved. Versioning, access control and data security all have to be taken into account.
Choosing a user-friendly system
There is the option to install an on-premise equivalent – an environment where users can place files and access them from anywhere. Systems such as SharePoint or Alfresco are suitable examples – but they are not particularly liked by users.
They are “too stuffy and too enterprise”.
And, an on-premise system also suffers from that same problem – unless backups are off-site, any major issue with the datacentre could lead to all data being lost. What users want is something that is still “consumer” and easy to use, almost transparent to how they work.
An organisation will have to match whatever the user would choose themselves with something that gives the levels of functionality and security it needs. It could look at putting a nice web front-end on its file servers, but as these are likely to be distributed throughout the organisation, this may not be a good idea – and the same problem of backup and restore remains.
Leaving users to their own devices misses the value of team-working
However, there are alternatives appearing.
AppSense provides its DataNow virtual appliance that pulls together all corporate information systems and makes them available to users in a seamless manner, but still securely. RES Software has a similar concept with its HyperDrive technology.
Another approach is leave the user to their own devices, but capture the data stream as it passes to their chosen storage environment.
For this to work, you need to have total control of how they are accessing corporate information.
The use of a virtual private network (VPN) connection creates a point of control where the user has to touch the organisation’s network.
At this point, data leak prevention from suppliers including Symantec, Barracuda. Mimecast and Websense, can be applied.
Virtual desktops such as those provided through Citrix or VMware, with additional functionality from suppliers such as Centrix Software and RES Software, can apply even greater levels of control.
The users total work environment still resides in the datacentre, with the device acting purely as a window to that desktop. “Sandboxing” can help eliminate copying and pasting or other means of placing data directly on the device. In conjunction with a suitably secure cloud-based storage system, such as that provided by Egnyte, a highly functional enterprise-class information management platform can be put in place.
Numecent’s cloud paging technology enables applications to be run securely at a device using the local compute power of the device itself and the data can be stored securely wherever a user wants it – and if necessary the data will be able to be automatically deleted when the user’s session is ended.
This allows the user to continue using Dropbox or a similar application – but with better corporate controls in place.
But leaving users to their own devices misses the value of team-working. Using apps built for individuals prevents the value of team file sharing to be accrued – the single live document; the team’s capability to work across different locations and time zones with the latest correct information; and the capability for the organisation to search and report against all the information that should be at its disposal. Most of the consumer cloud-based storage systems have a business version as well.
This could be a good way forward, but it has to be done strategically.
It is no good negotiating a licence for thousands of business seats of a system if the users still carry on using their individual consumer versions – particularly if that happens to be the one-person version of what you are trying to put in place.
If you sign up for a business version of a cloud storage system, then you have to make every employee aware of this – and make it easily available to them, maybe through the use of a corporate app portal.
This has the further advantage of providing users with a full menu of all approved apps that they can use.
You also have to make them aware of why you have done this – enhanced team working, corporate risk mitigation and overall information value. You may also need to put in place a rule stating that use of a non-preferred system could be a disciplinary issue, as this may be the only way to force their hand. You may also need to swallow a bitter pill and allow the employee to use the cloud storage for their personal data as well – only through providing a single data storage system that they can use for everything can you hope to get them on board.
Finally, the use of a business version of a cloud storage system does not abdicate the organisation from its data availability and security issues. Encryption of data that needs to be “classified” should still be carried out; data should be backed up or otherwise synchronised with an on-premise data store so that the organisation has a capability to carry on working should the cloud provider go out of business or suffer from a major security breach. Overall, a strategic approach of a targeted replacement of what users are already using with a strategic option that still works seamlessly for the user but adds the teamwork functionality, information security and helps to address the governance, risk and compliance needs of an organisation has to be the preferred way forward.
Clive Longbottom is founder of analyst Quocirca.
Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners.
If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Related content from ComputerWeekly.com
This was first published in September 2013