Our concerns about compliance capabilities for our members and clients, especially where data storage and syncing technology is concerned, prompted us to ask Darrin Lee of Vault1440, one of our trusted vendors, to explain the possible risks incurred when a business uses a consumer-grade file sync solution (CGFS). He has alerted us to the facts as to why CFGS solutions pose many challenges to businesses that care about control and visibility over company data, and he warned us that allowing employees to utilize CFGS solutions can lead to massive data leaks and security breaches. We thank Darrin for writing this guest blog for us so NL can share his advice with our readers.
You might think that the consumer-grade file-sync solution (CGFS) that you use for sharing pictures with your family and friends could be a perfect tool for you, your business and your protected business data. The truth is that using a CGFS can be very risky. Below are what I consider to be seven of the biggest risks that these solutions pose in a business environment:
- Compliance violations: Since CGFS solutions have loose (or non-existent) file retention and file access controls, you could be setting yourself up for a compliance violation. Many compliance policies require that files be held for a specific duration and only be accessed by certain people; in these cases, it is imperative to employ strict controls over how long files are kept and who can access them.
- Law suits: CGFS solutions give carte blanche power to end-users over the ability to permanently delete and share files. This can result in the permanent loss of critical business documents as well as the sharing of confidential information that can break privacy agreements in place with clients and third-parties.
- Loss of accountability: Without detailed reports and alerts over system-level activity, CGFS solutions can result in loss of accountability over changes to user accounts, organizations, passwords, and other entities. If a malicious admin gains access to the system, hundreds of hours of configuration time can be undone, if no alerting system is in place to notify other admins of these changes.
- Data theft: Most of the problems with CGFS solutions emanate from a lack of oversight. Business owners are not privy to when an instance is installed, and are unable to control which employee devices can or cannot sync with a corporate PC. Use of CFGS solutions can open the door to company data being synced (without approval) across personal devices. These personal devices, which accompany employees on public transit, at coffee shops, and with friends, exponentially increase the chance of data being stolen or shared with the wrong parties.
- Data loss: Lacking visibility over the movement of files or file versions across end-points, CFGS solutions improperly backup (or do not backup at all) files that were modified on an employee device. If an end-point is compromised or lost, this lack of visibility can result in the inability to restore the most current version of a file, or any version for that matter.
- Corrupted data: In a study by CERN, silent data corruption was observed in one out of every 1500 files. Businesses can usually trust their cloud-based solution, business-level service providers to make sure that stored data maintains its integrity year after year. However, most CGFS solutions don’t implement data integrity assurance systems to ensure that any “bit-rot” or corrupted data is replaced with a redundant copy of the original.
- Loss of file access: Consumer-grade solutions don’t track which users and machines touched a file and at which times. This can be a big problem, especially if you’re trying to determine the events leading up to a file’s creation, modification, or deletion. Additionally, many solutions track and associate a small set of file events which can result in a broken access trail, for example if a file is renamed.
Many companies have formal policies that forbid or at least discourage employees from using their own accounts. But while blacklisting CFGS solution may curtail the security risks in the short term, employees will ultimately find ways to get around company firewalls. The best way for a business to handle this is to deploy a company-approved application that allows IT to control the data, yet grants employees the access and functionality they feel they need to be productive.
Darrin Lee, Recovery Expert, Vault1440, firstname.lastname@example.org
Darrin Lee, the founder of Vault1440 has personally been through large organization data loss. To provide recovery assurance, he started Vault1440™. Your data is important to you, and it needs to be recovered 24x7x365. We specialize in backup, recovery, and restore. We provide live support and store your data in two geographically different data centers. Check us out at www.Vault1440.com. You can reach us at email@example.com or call us at 1.877.353.8080.