That Sync-ing Feeling Infographic Summary Introduction
Concerns Over File Sync Planning a Service Keep it In House
How Do You Control it?
Data Loss: The Worst Case
Will the Cloud Send Your Compliance Policy Down the Sync?
Conclusion
IDG Connect is the demand generation division of International Data Group (IDG), the world’s largest technology media company. Established in 2005, it utilizes access to 35 million business decision makers’ details to unite technology marketers with relevant targets from any country in the world. Committed to engaging a disparate global IT audience with truly localized messaging, IDG Connect also publishes market specific thought leadership papers on behalf of its clients, and produces research for B2B marketers worldwide. For more information visit: www.idgconnectmarketers.com/
The Pros and Cons of Cloud Based File Synchronization
Research conducted by IDG Connect in association with Varonis
Is Cloud Based File Synchronization Safe? Perceptions of cloud based synchronization based on interviews with 100 US IT decision makers in May 2012
Today
80% of companies at present do not allow cloud based file synchronization
14% of companies are satisfied with the controls that cloud based file sync services have in place
6% of companies are not satisfied but are going ahead anyway
Tomorrow
70% of companies would use cloud based synchronization if the management tools were as robust as internal tools
What are your biggest data management costs?
35% hardware and software
34% reacting to problems after the event
29% time spent managing access rights
24% data migrations
What are your priority data management and protection challenges?
39% security breaches
37% leakage of sensitive information
35% breaches of compliance regulations
32% eliminating duplicate data
24% granting of access rights
Introduction
As an increasing number of workers are asked to divide their time between working on the move, at home and in the office, the amount of support they can get is limited. So naturally, they are turning to consumer friendly tools to help them coordinate all their work environments. Which is why corporate computing is becoming consumerized and IT managers have, for the first time, little say in the buying decisions of hardware and software that is used on their network.
Free file synchronization apps are a case in point. The ease of use and convenience of consumer apps like Dropbox, SugarSync and Huddle have quickly persuaded professional users to adopt these as the de facto tools for sharing work between offices. Unwittingly, however, these gifts have acted as a sort of Trojan Horse, breaching the defenses of a corporation and opening them up to all kinds of counter charges.
Beware of Geeks Bearing Gifts
Their very strength – ease of use – is their vulnerability. By creating a virtual folder, which looks and seemingly acts like a real folder, they encourage users to replicate their files simultaneously, somewhere else. The process of replicating files is a no-brainer. Therein lies the problem, since no-brainers often have consequences. Users are rushing to marry up their computers and, as the adage says, you marry in haste and repent at leisure.
The biggest consequence of file synchronization services is that security is breached. Private data can become public property, which means that all kinds of rules have been broken. Depending on the circumstances, the person responsible for securing company data could fall foul of regulations on corporate governance, the most common being Sarbanes-Oxley (SOX), HIPAA and PCI DSS.
In this study, we asked 100 decision makers, from companies of 100 plus employees, about their attitude to this new development in consumerization of their corporate computing environment.
Having brought their own devices, the Bring Your Own Device (BYOD) crowds are now bringing their own services too. In the latest development of the Bring Your Own Service (BYOS) trend, end users are using apps that offer file synchronization services that control the movement of data across their various computing devices – from laptops to iPads. This phenomenon is a great case study on the potential cause and effects, and opportunities and threats, of the BYOS movement.
The overall picture that emerges from this study is that the majority of organizations would like to harness the power that file sync technology gives them. The majority (70%) said they would use these services if their controls were as robust as the controls available on their internal systems. In the meantime, most (60%) said they would actively block the use of these tools and 20% planned to regulate it. In other words, the vast majority wants the benefits of these tools but doesn’t allow their use. A solution that provided both controls and the functionality would, presumably, be valuable.
Meanwhile, another section of the IT community (20%) plans to plough ahead regardless. Their brave sacrifices could benefit us all, as they stumble through the minefield of this uncharted territory, and show us where the hidden dangers lie.
What are the Biggest Concerns about Cloud Based File Synchronization?
In this next round of probing, we asked questions designed to draw out the fears that prevent our study group from enjoying the benefits they desired. We sought more detail over the types of threats they imagined and asked them to give a name to their fears. By unravelling the details of their insecurities, we aimed to help to provide some clarity over each problem and provide a more realistic assessment of its gravity. The answers given provide some clues over how these fears can be addressed and resolved.
The answers revealed a laissez-faire attitude that reflects a lack of awareness of the developing problem. Surprisingly, given the audience that was questioned, the collective anxiety revealed a relaxed attitude to the gathering storm that is being created by cloud tools.
For example, only half (51%) were worried about maintaining correct access rights and authorization. This is a worryingly low level of awareness, given that this is arguably one of the greatest threats of exposure to which the survey group is about to be subject in the coming years. In other words, half of those surveyed (49%) are not worried about the issues that will surely cause them hours of lost time if they’re lucky, and more serious business and legal problems if they are not.
Similarly, a majority (61%) said they were not worried about the issue of authentication (while 39% said they are). Only a quarter (26%) said they were nervous about data loss or auditing access activity. This could be because they have a number of more pressing priorities, or because the scale of the problem facing them has not become obvious yet. It might be worth investigating further and testing whether they are happy to devote time in the future to retrospectively patching up and apologising for the damage their negligence caused.
Overall, the figures reveal a dangerously oblivious attitude to the consumerization and slackening of IT security culture.
Concerns about cloud based file synchronization:
51% worried about maintaining correct access rights and authorisation
39% worried over authentication
26% worried about data loss or auditing access activity
Are you Planning to Allow People to use a Cloud Based File Synchronization Service? And Why Not?
According to market analysis (see Footnote 4) there are enterprises that have entirely forbidden the use of personal file synchronization products. In this study, we investigated the extent of this reaction to this new danger and whether this was a feasible course of action.
Most organizations, our evidence suggests, believe that they have no option to turn back the tide of devices flooding into their organization and the service undercurrents that these devices enable. Our investigation wanted to delve deeper into the response of IT decision makers and see how they were responding to the challenge. Were they seeking to stop the use of ad hoc solutions, or trying to advise users to use systems that meet their approval?
Our survey showed that 31% of the study group said they would plan to allow cloud based file synchronization services. In other words, they were not currently allowing them. Or rather they thought they were not allowing them - this is a ban that is not enforceable, as many companies have discovered. Meanwhile an alarming majority (69%) would not even entertain the idea of allowing the services to be used.
With huge amounts of proprietary and regulated data leaking onto non corporate devices, many of the survey group decided that file sync was not an allowable activity as it takes them outside of enterprise controls and audit trails. An approved and supported service for personal productivity, through synchronization of files, could help IT decision makers take back control and prevent this collision of interests.
IT plans to allow the use of cloud based file synchronization service:
No 69%
Yes 31%
Ideally Would you Trust Cloud Data if you Could Manage it Like an Internal Resource?
The next query was a What If question. [Q5 on slide 21] If cloud services could be managed as robustly as you manage internal resources, would you use them? The comparison with existing internal controls, rather than a product set based in the cloud, was designed to give the group a tangible benchmark.
When the question was put this way the answers indicated a strong preference for such a solution. A resounding majority, 70% of the survey, answered that yes, if file sync services could be as stringently policed as internal services, then they would be happy to empower their users with them. Respondents indicated that they wanted to block unapproved software on workstations and multi-function devices. They would consider using internal type controls, such as an on premises server or anything that gave them the same level of control as their internal infrastructure.
However, 30% responded no. In a separate line of questioning, it was established that the main technical areas in which they wanted to have more confidence were: use of Active Directory, access auditing and provisioning. The vast majority of organizations indicated that they would integrate cloud based file services with their internal controls (70%). Keeping control close appears to be a key requirement for, or benefit to, organizations.
Nearly 60% of surveyed US organizations indicated they would be or are actively blocking cloud based file synchronization via policy and blocking. Another 20% use company policy to regulate cloud based file synchronization. A fifth of US enterprises surveyed said they allow cloud based file services. Of those 21 organizations who do allow cloud based file services a majority of over 70% (15) indicated that they are satisfied with the controls they have in place.
These findings will be explored more comprehensively in the next slide.
If cloud services could be managed as robustly as you manage internal resources, would you use them?
Yes 70%
No 30%
The stronger group of yes, in other words, are waiting for the controls to be made available. Those who object do so on the grounds of wanting better utilities from the cloud, such as Active Directory integration, access auditing, provisioning.
How do you Control the People Who Demand File Sync Services?
Since the issue of file sync is all about control, and technology and processes are not yet options for control, our next line of questioning looked at the most volatile of control variables: people. We asked: “How do you prevent employees from using cloud based file synchronization services?”
The answers seemed to indicate that, desirable though control of the workforce is, it is not really a practical goal. The techniques used seemed to indicate that there is either an acceptance of the inevitable loss of control or a cheerful oblivion to the problems that are only going to get worse.
For example, a significant minority, 20%, said they rely on policy to keep on top of the mass leakage of proprietary and regulated data. A further 59% use both policy and blocking techniques to try and stem the tide of enterprise files that could spill onto multitenanted public servers and become vulnerable to attack or unauthorized access. The most effective policy, according to these results, seems to be the stick of policy enforcement and possible technical controls, along with the carrot of officially endorsed, approved and supported services.
That leaves a significant fifth (21%) who don’t bother blocking access to file sync tools. Not that they are entirely happy about it. Of the companies that don’t prevent their staff from getting access to these file sync tools, there is a significant number that are crying out for help. As many as 30% said they are not blocking access because they are not satisfied with the controls they have in place. On the other hand, the other 70% who responded were seemingly quite relaxed about the fact that they have no controls (neither policy nor technical tools) to defend themselves against the leakage of confidential information or the loss of business critical data.
Prevention of employees from using cloud based file synchronization services:
59% use a double whammy of policy backed up with blocking techniques
20% rely on policy
21% use neither
Of the one fifth of companies that don’t block access to these productivity tools:
70% seem quite blasé about the fact that they are unable to block access
30% are not satisfied with the controls they have in place
What do you see as the Most Punishing Consequences of Inconsistent Data Management?
The survey sample was asked which of four potential data management problems would have the worst consequences. Downtime seemed to be foremost in the minds of the professionals quizzed. It was the most prominent issue for nearly half the sample (46%). This is unsurprising, given the amount of publicity that has been given to the fatal effects of downtime, ever since the Millennium Bug first threatened to wreak havoc among the western economies. There are not only countless studies on the risks, costs and mortality rate of downtime, there are plenty of online calculators and other tools to help nervous IT managers quantify their fears. Businesses lose an average of about $5,000 per minute in computing outages (Source: The Uptime Institute; see Footnote 5).
As an indicator of reliability, Dropbox’s record does not inspire confidence. During a four hour period in June 2011, Dropbox authentication allowed anyone to log into ANY account (see Footnote 1).
Since awareness of downtime has been aggressively promoted for a dozen years, and high profile incidents in the US, Japan and the UK have exemplified its lethal effects, it is small wonder that downtime is the most recognized threat. What is more surprising, however, is that less publicized and less dramatic threats, such as lost productivity (33%) and compliance violations (30%) are not far behind downtime in terms of recognition.
While downtime isn’t necessarily attributable to data management issues, productivity and compliance problems are primarily caused by poor data governance. Financial services firms can be fined millions of dollars (see Footnote 6) for failing to keep complete and accurate records of data. Lost files can prove painfully expensive.
These responses could reflect the fact that IT managers are aware that – despite the often irresponsible marketing hype from some quarters – not every compromise of IT is fatal and the incidents are not as common as some alarmists have suggested. On the other hand, lost productivity and compromised compliance are far more realistic threats, being more difficult to police and more likely to happen. This is reflected in the ratings that IT managers gave. The BYOS trend, embodied by file synchronization, was seen as the first security priority for around a third of IT managers. By the same token, a fifth (20%) saw data theft or loss as the primary issue that would arise from inconsistent data management. However, data theft or data loss carries a much higher risk and once again, there is a significant body of end users who seem cheerfully oblivious of the dangers that face them!
Perceived consequences of inconsistent data management:
46% downtime
33% loss of productivity
30% compliance violations
20% data theft/loss
Conclusion
There is a potentially devastating wave of disruption that could spread over corporations. The popularity of file sync services is booming and Dropbox alone has 25 million users. More such services are launched by the day. The BYOD swell was not a one-off and it is about to be followed up with a MUCH more powerful phenomenon, BYOS. Bring Your Own Device softened up the enterprise’s defenses, and now Bring Your Own Service threatens to surge in, sweep past all the company defenses and carry away all the company data.
The reaction of companies seems to be twofold. Some imagine that they can surf this wave, while others seem to be paralyzed by indecision as it approaches. A significant number of companies (70%) have said they would use file synchronization services if they had the peace of mind that the tools for the cloud were as rigid as those for internal disciplines. But in the meantime, they are powerless to do anything about their users adopting these dangerous practices. The file sync issue is not going to go away; indeed it will only get worse as the number of subscribers to Dropbox surges upward by the day.
In the meantime, IT decision makers seem to be divided into those who are fixated by the past and those who are fearful of the future. The risk of downtime, for example, remains a preoccupation, even though this is both misplaced and out of proportion to the likelihood of it happening. Meanwhile, at the other end of the scale, there are a significant number of companies (20%) willing to be early adopters of file synchronization services, without any discernible means of protection. These are the companies that will be at the bleeding edge. Their painful lessons may serve to remind the rest of the market of the need for stronger security.
Do IT managers try to fight it and risk being overrun? Or should they, like Judo experts, use the momentum of this movement and skillfully steer their subjects in the direction they want them to go? A wise IT security pro will not try to meet the problem head on, as there are too many points of contention. Rather they will attempt to attract the attention of the subject and draw their sting. Arguably, with the right file synchronization offering in place, IT managers could grapple with threats and render them harmless. But how do they empower themselves to do this?
FOOTNOTES
1. For example, during a four hour period in June 2011, Dropbox’s authentication allowed anyone to log into ANY account (http://blog.dropbox.com/?p=821).
2. A study of Google searches made by IT security researchers shows that 16,000 searches were made for the exact phrase “DropBox replacement”.
3. As of April 2011, Dropbox claimed to have 25 million customers (www.dropbox.com/press/20110418).
4. A Gartner study of Jan 31 2012, “How to Control File Synchronization Services and Prevent Corporate Data Leakage”, revealed that undisclosed numbers of its enterprise clients had attempted to ban file synchronization products.
5. Research by Emerson Network Power for the Uptime Institute Symposium in Santa Clara, California reports that businesses lose an average of $5,000 per minute in an outage or $300,000 per hour.
6. U.S. health insurance company BlueCross BlueShield of Tennessee (BCBST) was fined $1.5 million for a 2009 data breach in which information on one million BlueCross members fell into the wrong hands through data loss. BCBST was the first company in the US to face the consequences of this particular legislation. In the UK, the Financial Services Authority fined HSBC £3m in 2009 for failing to properly look after its customers’ information and private data. Zurich Insurance was fined £2.27m by the Financial Services Authority (FSA) for losing the personal details of 46,000 customers.