Taneja Group and InfoStor jointly ran a survey asking IT managers about their experience with corporate file sharing. Taneja Group defines corporate file sharing as the ability to share large numbers of files between business users across networks and mobile devices.
File sharing heavily intersects with Bring Your Own Device (BYOD) and the cloud. BYOD is the phenomenon of employees using personal mobile devices for personal and business applications and data access. File sharing as a business usage is closely associated with BYOD as end users seek to easily share files between their own and others’ multiple computing devices.
File sharing is also bound up with cloud usage. File sharing on mobile devices does not strictly require file sharing services using the cloud; basic secure sharing can be done via VPN just as one would email a file or share its pathname over the LAN. However, this solution is less than ideal for file sharing because it is poorly scalable and lacks any file sharing application functionality.
In contrast, most file sharing products use the cloud because the environment is highly scalable and delivers application functionality such as file versioning and locking. Many file sharing products also use the cloud to host a shared file repository, and most integrate with Active Directory and other SAML-based access management applications. Given a huge growth in data files and in mobile access needs, this approach is far superior to simply sending files using VPN connections.
This is no surprise to end users, who happily use file sharing applications like Dropbox to easily share files. Yet not all file sharing applications are created equal and consumer file sharing applications can threaten corporate data security. Vendors are quickly developing business- and enterprise-level file sharing applications in response to valid concerns about file sharing security, scalability, management, usability and compliance.
These are serious questions and should be serious concerns for IT in businesses of any size. However, our survey found that although some respondents have file sharing solutions and policies already in place, many did not. Some respondents have solid short-term plans to do so but others have no plans in place. Why? Taneja Group has observed that when IT denies a need for secure file sharing in a BYOD environment, they usually lack the time, sense of urgency, executive support and/or budget to deal effectively with the problem.
For more on file collaboration/BYOD issues and vendors, download Taneja Group’s File Collaboration Landscape Market Report.
Question #1: Does your company have policies about sharing files on computers and personal mobile devices?
| Response | Respondents |
|---|---|
| No policy in place but plans to develop one | 30.0% |
| No policy in place; users choose their file sharing applications | 26.7% |
| Policy plan in place but users generally ignore the policies | 23.3% |
| Policy in place and users can only use approved file sharing applications | 13.3% |
66.6% of respondents believe that having enforceable policies is a good idea, but organizations that have policies and enforce them are in a minority of 13.3%. A larger group, 26.7% of respondents, deliberately leaves file sharing decisions to its users, pointing to insufficient interest, cycles or budget to tackle the issue.
Lack of data security is risky enough given potential data loss or intrusion. However, regulated industries have an even bigger problem: the inability to prove compliance with data being shared over personal devices. This is extraordinarily risky behavior, and compliance concerns alone are driving file sharing application adoption at regulated businesses. IT should provide file sharing applications that enable security and compliance management, file locking and versioning, and controlled user access.
Question #2: Is your organization’s IT department responsible for securing shared files on mobile devices against data intrusion or theft of the device?
| Response | Respondents |
|---|---|
| IT is responsible and has security procedures in place | 50.0% |
| Users are responsible for security | 26.6% |
| IT is responsible but has not found a good solution | 23.3% |
73.3% of respondents believe that file sharing security is IT’s responsibility but only 50.0% of them have put security procedures in place. The remaining respondents are either leaving file sharing security to the end-users (26.6%) or have not found the right solution (23.3%). We understand that managing file sharing security is complex given massively growing data and very large numbers of user mobile devices.
However, consumer-level file sharing applications lack the strong encryption and user access control of the enterprise products. They also lack the ability for IT to set and enforce security policies for shared files. This leaves company data exposed if a device is lost or stolen or if the data is hacked in transit. Even if data theft is unlikely for a given organization, it faces steep compliance fees if it cannot get its BYOD/file sharing house in order. We are aware that many IT professionals would rather not be involved with users’ personal mobile devices, but if said users are sharing corporate data then IT had better get involved.
Question #3: Can your remote device users access the network via VPN, and/or share large files using FTP?
| Response | Respondents |
|---|---|
| Both VPN and FTP | 20.0% |

VPNs are widespread in the corporation: a total of 86.7% of respondents report owning a VPN. FTP for large file uploads is losing popularity but is still in the running, with 30.0% of respondents reporting that they own an FTP solution. Of these, 20.0% report that they own both VPN and FTP solutions.
VPNs by themselves are a secure transport layer and offer no application functionality. However, corporations that are highly concerned with data security frequently stick with VPNs and refuse to use clouds as a remote data transport option. In these cases corporations can still use file sharing products by choosing a private cloud and running a file sharing application that does not require external cloud access. Another option is to choose a file sharing vendor who delivers their application from the cloud but retains all data in-place on the company network, or in a repository on a private cloud behind the firewall. These options safeguard data security and compliance and still allow the business to realize the advantages of a file sharing application.
Question #4: Is your organization’s IT department actively managing BYOD and file sharing?
| Response | Respondents |
|---|---|
| Yes, we provide file sharing applications for user devices | 40.0% |
| No, and we have no short-term plans to do it | 23.3% |
| No but we plan on starting within the next 6 months | 13.3% |
40.0% of respondents have instituted control via a file sharing application with mobile device support. An additional 13.3% of respondents plan to provide a solution in the short-term. However, this represents a combined total of only 53.3% of IT respondents who accept that managing file sharing is IT’s responsibility. A generous slice of respondents at 23.3% lacks the budget, priority, or executive support (or all of the above) to accomplish it.
Most IT departments want to maintain control over corporate data that is flying around the globe. They need to be able to supervise data retention, versions, security, controlled access, and the policies that administer the management environment. Malware management is another serious problem when users are combining personal and corporate data and applications on a personal device. Some IT departments decide that they will not interfere with an end-user’s personal device, claiming that that device is the user’s business. But IT is ultimately responsible for keeping information secure and available to approved users and devices. Denying that they are responsible does not make it so.
Question #5: What file sharing products are you using now?
These responses were all over the vendor map, not surprising for a new market segment with many entrants. Egnyte and Acronis ActivEcho gained a slight lead but the majority of respondents did not own the listed products, instead going with mid-level/SMB applications like Dropbox for Teams or SugarSync, or a file sharing product that accompanies data protection such as Druva or Vembu.
We find that file collaboration/sharing products fall under one of three main groups: Unified Communications (UC), Data Protection and Pure Plays. UC file sharing consists of Citrix, Cisco and IBM Connections. Of the three, only Citrix ShareFile is available as an independent product. Cisco and IBM provide some file sharing as an intrinsic piece of their video and audio communications suites. Data protection and storage companies are adding file collaboration capabilities as a natural development of their technology. Some have developed internally and others through acquisitions. Notable entrants include Acronis, CTERA, Druva, EMC, and NetApp for the enterprise. Vembu also has a promising product for mid-market that is scaling to enterprise. Pure play file sharing startups comprise the third and largest category and include both consumer and business/enterprise products. Of these vendors, the ones capable of enterprise file collaboration include Egnyte, Huddle, OxygenCloud and SkyDox. We would also add SoonR in this category. Although they began life as a data protection company they have now concentrated all of their resources on file collaboration.
Taneja Group Opinion
IT may be anxious about BYOD and insecure file sharing but these drivers are not always at the top of IT’s very full agenda. Nor are end users complaining – they are not agitating for corporate control over their file sharing and devices. The Dropboxes of the world do fine by them, and if their workgroup needs a more secure file sharing space then they take care of it on a small level.
Yet securing corporate data is IT’s lookout, and consumer-grade file sharing products will not cut it. These solutions lack strong encryption and user access control, cannot scale appropriately, and do not grant centralized control and monitoring to IT. Best practices for corporate file sharing enable IT to control user access and authentication across the entire file sharing chain, encrypt files without depending on users to do it, give IT the ability to remotely wipe corporate data off of user remote devices, and grant a central management point for shared corporate data. These drivers will only get more important as data and user devices grow massively. Vendors are responding. Will IT?