Beyond Dropbox: Requirements for Enterprise Class Secure File Sharing and File Synchronization

Date of Publication: November 2011

The temptation is understandable. A business user is working with multiple devices, such as a PC at the office, a Mac at home, a smartphone, and an iPad that travels between home and the office. She wants to share files across all these devices. She also wants to share files with co-workers and business partners, many of whom are working at remote locations. So she signs up for a free file sharing and file synchronization service such as Dropbox and selects which file folders will be shared. The service automatically copies her important files to all her devices and keeps them synchronized so they’re always up-to-date. Co-workers and business partners are granted access to the files, as well. The service is fast, easy, and convenient.
It’s also risky and potentially a violation of industry regulations and federal laws.
Consumer file sharing and folder synchronization services are catching on with business users. But these services lack the rigorous security controls and centralized administration of enterprise class IT solutions. The consumer services put enterprises at risk for data leaks, security attacks, and regulatory compliance violations. If a user at a health insurance company transmits confidential patient health information, or a user at a brokerage transmits a stock recommendation, via untracked file sharing, the file transmission may constitute a regulatory violation that can result in financial penalties and a tarnished reputation for the organization.
The danger these “Dropbox” type services pose for enterprises is becoming increasingly apparent. One of the most popular consumer services, Dropbox, has been making headlines with its security shortcomings. Password protection was disabled for four hours, for example, and security researchers have discovered a way to make Dropbox accounts sync files with an unlimited number of devices that the account owner will never see.[1] IT administrators at businesses have no visibility into how employees are using these services. They have no way of determining how much confidential data their users are sharing improperly. Many IT administrators and compliance officers are frustrated, because they sense that a flood of data is leaving their enterprise networks, and they have no way of monitoring that flood or containing it.