In response to internal demand for collaboration and sharing, companies are moving to cloud-based enterprise file synchronization and storage (EFSS) services that enable users to freely create, manage, organize, and share data within and across organizational boundaries.
Some of the biggest EFSS suppliers include Google Drive, Microsoft OneDrive, and Dropbox. But using EFSS as a service has some serious issues. Privacy and security of sensitive data is a particular challenge with the upcoming General Data Protection Regulation (GDPR) in Europe, which will go into effect in May 2018. Ransomware attacks and directed criminal and state-sponsored cyber attacks are also on the rise. Events like Brexit or uncertainty around the Privacy Shield data exchange deal with the USA pose a legal risk for IT admins, who have to avoid storing sensitive data in certain countries.
[Figure: graph from a Proofpoint threat analysis]
Here are three main points to consider when picking an EFSS solution.
Once you sign up for a service, who owns your data? If you pick a hosted solution, you have to accept the vendor's terms of service. The vendor has access to your data and can even block you from accessing your own data. They can be compelled to share your data with governments, with gag orders forbidding them from telling you about it. And your partners' or business customers' data is at risk too! You have to ensure you are compliant with current and future regulations, as having to migrate to another solution is rarely easy or affordable. The best way to avoid these murky waters of legal mumbo jumbo is by keeping data either in your own datacenter or at a trusted server provider based in your own country. But how do you pick a good provider that keeps you safe on the legal side?
Make sure you check:
When was the last time your file sync and storage provider informed you of a data breach? Never. There was a massive breach of Dropbox in 2012, but we didn’t know about it until 2016, and this turns out to be rather typical in the industry. Reality check: no software is immune to bugs and security breaches. When you use EFSS as a service, you can’t count on being informed about a breach, nor on getting timely fixes or access to mitigations.
Even self-hosted solutions are at risk here: vendors are often hostile to security researchers reporting vulnerabilities. And many invest little in security features beyond what gets them marketing attention.
A few factors to consider:
And a final point: encryption is great. Modern encryption ciphers are rarely broken. Instead, crypto is bypassed! Amazon’s Kindle and Samsung Galaxy protections were bypassed by replacing the key or removing the signature-checking code. Bad development practices and a lack of security reviews aren’t fixed with encryption!
I love crypto, it tells me what part of the system not to bother attacking
— Drew Gross, forensic scientist
The market changes quickly and you will need a solution that changes with it. Today you need to share and collaborate. Next year you need to give presentations or have video calls. And you need all this integrated into your infrastructure, in a way you can control.
A simple checklist:
All three focus issues have something in common: transparency of the vendor helps you as a customer. Having access to the code you run on your own or rented servers; being able to see security processes take place in real life; being able to see and perhaps even participate in development. These three factors are how Open Source solutions uniquely help you with legal and security issues and prepare you for the future.
And while there are many prominent Open Source Enterprise File Sync and Share solutions, one stands out. Started by the visionary founder of ownCloud, together with a large team of experienced engineers, Nextcloud is taking the EFSS market by storm.
In the year since its founding, it has established itself as the leading solution for companies looking for first-class security and scalability in a self-hosted technology that facilitates sharing and collaboration. And the large ecosystem of partners and contributors around Nextcloud has developed over 80 applications adding features and capabilities, from authentication and external storage mechanisms to online collaboration and infrastructure integrations.
Picking the right EFSS vendor is not an easy feat. Focus on your legal needs and pick a vendor with healthy development and strong security expertise to ensure you won’t end up on the list of companies hit by data leaks. Pick a winner that keeps your data safe!