Cloud-based file sharing and collaboration solutions are ripe for the picking, but what’s right for one organization might not be right for another. Accellion presented the pros and cons of various cloud computing choices at the InfoSec World 2013 Conference & Expo last month. To learn more about the top cloud considerations for file sharing and collaboration and to find out where you stand on the privacy and public cloud debate, check out this presentation entitled “Do You Know Where Your Data Is?”
2. 2
Key points
• Public cloud file sharing has risks as well as advantages
• Private cloud and hybrid solutions can be good alternatives
• Whether public or private, some key considerations for evaluation
8. 8
What IT needs …
LDAP/AD Integration
SSO (SAML, Kerberos, …)
Access control
Encryption in transit, at rest
Logging & Reporting
AV and DLP Integration
Access to Enterprise Content
Archival Integration
10. 10
… and what users want
Mobile Access
Collaboration
File Commenting
File Version Tracking
Synced Files/Folders
File Transfer
Notification
11. 11
Why users love the public cloud
“It just works”
“Can get at it from anywhere”
“Can use whatever device I want”
“Can share with anybody”
“Don’t have to work with IT!”
12. 12
Dropbox has become “problem child” of cloud security
iCloud Hacking Could Tarnish Apple’s Image
Patriot Act can “obtain” data in Europe, Researchers Say
Gmail, Google Drive, Chrome experience outages
Feds Tell Megaupload Users to Forget About Their Data
Safe Harbor not Safe Enough for EU Cloud Data
13. 13
Why do you believe that public cloud computing services will have little or no impact on your organization’s IT strategy over the next five years?
Source: Evaluating Cloud File Sharing and Collaboration Solutions, ESG, 2012
14. 14
Security concerns
• Public cloud sites are big targets
• You’re at the mercy of their operation security
• Who has access to the data?
• Some sites don’t encrypt data or restrict additional sharing
• But …
• Public cloud security is generally improving
• Some sites do pay a lot of attention to security
• Have to weigh risks …
15. 15
Legal and privacy concerns
• Third-party doctrine
• Data location
– Country-of-origin rules
– Article 29 Working Party
– PATRIOT Act concerns
• Will you get notified (and have a chance to fight) about any court orders?
• What rights does the service provider claim with respect to your data?
16. 16
Terms of Service: Google Drive
http://www.google.com/intl/en/policies/terms/
“When you upload or otherwise submit content to our Services, you give Google Drive (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services…”
18. 18
All about control
• Our must-have feature checklist:
• Proven functionality that “works”
• Tight security controls:
• File tracking and reporting
• Access permissions
• Encryption at rest and transit
• LDAP/Active Directory integration
• Around-the-clock reliability
• BYOD support
• Multiple OSs and devices
• File synchronization
• Remote wiping
• Support for all file sizes and formats
• We wanted control within our own datacenter
19. 19
Private cloud as an alternative
• Hosted in your own data center
• Under your control
20. 20
Why users love the private cloud
“It just works”
“Can get at it from anywhere”
(subject to corporate policies)
“Can use whatever device I want”
(subject to corporate policies)
“Can share with anybody”
(subject to corporate policies)
“Don’t have to work with IT!”
(once the system’s up and running)
21. 21
Private Cloud or Public Cloud?
Investment in IT and operational security?
• Minimize investment? Achieve excellence?
CapEx vs OpEx?
• CFO preference?
Data Physical Location?
• Patriot Act, Safe Harbor Privacy
Corporate DNA and tolerance for risk?
• No solution is 100% secure
22. Enterprise Considerations for File Sharing and Collaboration
• Security controls
• Compliance and reporting
• Scalability and availability
• Leverage existing content stores
• Enterprise integrations
Whether public or private cloud …
23. Accellion Confidential 23
Compliance and Reporting
Reporting
Granularity of auditing and reporting
Export to 3rd party reporting
Log formatting for export
SNMP (Monitoring)
Compliance
PCI /SOX / HIPAA
FIPS Compliance
Archiving and E-Discovery
Integration with SIEM, IT GRC
24. 24
Security Controls
Enterprise Security
• Anti-Virus
• Data Loss Prevention
• Restricted Admin Access to Content
• Hardened Server Appliance
• Data Residency
Authentication / Authorization
• SSO with SAML / OAuth / Kerberos
• Multi-LDAP and AD integration
• Two-Factor Authentication
• Password Policies
• RBAC
• Granular Authorization
Encryption
• Encryption – Data at Rest and in Motion
• Encryption Strength
• Ownership of Encryption Keys
• FIPS 140-2 Certification
Mobile Security
• Secure Mobile Container
• Whitelisted Helper Applications
• Server Side Viewing
• Remote Wipe
• Offline PIN
25. 25
And don’t forget about the users!
“It just works”
“Can get at it from anywhere”
(subject to corporate policies)
“Can use whatever device I want”
(subject to corporate policies)
“Can share with anybody”
(subject to corporate policies)
26. 26
Conclusion
• No one right answer
• Public cloud has risks along with benefits
• Private cloud is a viable alternative
• Hybrid approaches (mix of public and private cloud) may be the best answer
• Security evaluation criteria apply no matter whether it’s public or private
27. About Accellion
Accellion provides enterprise-class mobile file sharing solutions that enable secure anytime, anywhere access to information while ensuring enterprise security and compliance.
The world’s leading corporations and government agencies select Accellion to protect intellectual property, ensure compliance, improve business productivity and reduce IT cost.
Learn more about Accellion here: www.accellion.com
Editor's notes
It must offer Secure Mobility. Business users have to take comfort in knowing that the enterprise content they work with is always secure. Everything that a mobile user does with a file (download, upload, save, edit, send, or just keep locally) should be allowed to happen in a secure environment, transparently and without burdening the mobile user. And behind the scenes, it should offer the best encryption technology, and support the logging and tracking of content required to comply with regulatory requirements. Even files that are just at rest on a device are placed in a container. This is vital, particularly for enterprises in regulated industries.