According to a 2012 Ponemon Institute study, more than 60 percent of enterprise users store confidential business data in Dropbox. That is an extremely frightening statistic to any IT department. While services like Dropbox, Google Drive and others provide workers tremendous productivity benefits, they still lack many controls designed to keep corporate data secure and compliant with industry regulations. So what are organizations ranging from Fortune 500 companies to small businesses supposed to do?
Right now the BYOD trend is very much the Wild West. As new smartphones and tablets are developed, users move quickly to explore possible business productivity uses. IT is stuck between a rock and a hard place when it comes to personal device support. They face pressure from end users who are demanding freedom and flexibility to access corporate data on the go, but also have a responsibility to keep some constraints in place in order to protect the organization. Striking a balance between these two objectives is not easy.
And the problem extends beyond smartphones and tablets. Think about an organization that for years provided all employees with Windows-based laptops. While Windows PCs remain the majority, more users – including many from the C-suite – are opting for Mac notebooks. On the surface, this doesn’t seem like a big deal, but for IT departments, this can be a nightmare. Along with added device support complexity, IT teams are challenged to provide easy access to Windows-centric server and storage infrastructure from non-Windows devices.
So what can organizations do to help their employees work smarter while maintaining proper IT controls? The answer is simple – build a culture of responsible data access.
The biggest barrier to restricting use of services like Dropbox is the lack of appealing IT-provided alternatives. Users typically do not care whether data resides in the cloud or in a corporate data center. They care about experience and ease of use. If IT makes it as easy to access corporate data “responsibly” as it is to use Dropbox, most users will embrace a corporate sanctioned approach. While expecting the worst from users is a time-honored IT tradition, the reality is that most people will do the right thing if you make it easy for them to do so.
Achieving a culture of responsible data access requires give and take from both IT and users. For IT teams, this means taking a hard look at perimeter-based security measures like VPNs and two-factor authentication. They exist for valid reasons, but they come with user experience baggage that sends users running.
The reality is that enterprise data access is becoming less about letting devices connect securely to the trusted corporate network. In fact, with personal devices, IT teams may specifically not want the devices connecting fully to the internal network. A better approach is to assume every device is untrusted but focus policy on where data is stored, how it can be accessed, and how it can be removed from a device remotely if needed. Security at the device level must give way to data and application controls that apply – and perhaps even adapt – as a user moves between devices.
This is a classic people, process and technology conundrum. The technology is there, but the challenge comes with people and process. Most users follow the “get it done and ask for forgiveness later” mantra. They will break IT rules just to get the job done and close that important business deal. Against this backdrop, no data management approach is completely secure. Keeping data behind a rock-solid perimeter provides the appearance of security but ultimately fosters irresponsible behavior such as putting sensitive data in consumer cloud services or simply e-mailing files to a personal e-mail account. It may be a difficult sell to the security team to skip the VPN and security tokens, but it may in fact lead to improved security, as IT teams will at least have control over where data is being stored and how it is being accessed.
By taking a fresh look at data access and security, IT departments can provide users the freedom and flexibility they strive for while ensuring the proper IT governance is in place. How are you managing the data access challenge?
About the Author
Doug Lane is a seasoned marketing and product management professional with a successful 15-year record of bringing innovative technology products and services to market. He is presently Director of Product Marketing at AppSense, the leading provider of user virtualization solutions to enterprise organizations.
Before joining AppSense, Lane was employee number one at Virtual Computer, where he led marketing and product management as the company emerged as a groundbreaking client-side virtualization vendor. In addition to his experience with virtualization technology, Lane’s prior roles at companies such as VeriSign, Guardent, and GTE Internetworking/Genuity spanned technology areas such as information security, RFID/supply chain, DNS/critical Internet infrastructure, Web hosting, and telecommunications/IP backbone services.
Lane earned a BS from Emerson College and an MBA from Boston University.