WHITE PAPER. Business-Class File Sharing Best Practices SPONSORED BY. An Osterman Research White Paper

Transcription

1 WHITE PAPER Business-Class File Sharing An Osterman Research White Paper SPONSORED BY Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington USA Tel: Fax: twitter.com/mosterman

2 EXECUTIVE SUMMARY It is a fact of corporate life that information workers need to share files and messages with one another and they need to do so regularly and often to be productive. Increasingly, employees are relying on a variety of tools that are outside of IT s control and management, such as: consumer-focused Webmail, personal USB sticks and smartphones, various file-sharing services, and physical courier delivery. Employees are driven to these solutions because of limitations in the corporate tools that are available to them, these alternatives ease-of-use and ubiquity through any Web browser, or the fact that more users are working from home or other remote locations and simply don t have IT-provided tools readily available. From the perspective of the typical user, these alternatives make file sharing easier and faster. However, from a corporate perspective, this phenomenon is creating three very serious problems as users take it upon themselves to implement better file sharing capabilities: These tools do not enable IT to manage content in accordance with corporate compliance obligations. They increase corporate risk because it is harder to find critical business records during e-discovery or compliance audits because content is often not archived nor is an audit trail available. They increase the potential for breaches of sensitive or confidential data, resulting in greater exposure to risk of statutory violations and sanctions. What organizations of all sizes need is the best of both worlds: tools that will enable users to do their work easily and efficiently, while at the same time satisfying the compliance and governance requirements of the entire organization. THE STATUS QUO DOESN T WORK Simply stated, this file-sharing scenario doesn t work as well as it should: Users are stymied because company systems often do not permit file attachments of more than 10 to 20 megabytes to be sent, and it is not efficient at sending more than a few files at a time. Moreover, doesn t typically include a return receipt so the sender can know if the recipient ever received the . Also, when is used for file transfer, it imposes increased storage and bandwidth costs, slow message delivery, long backups, long restores, high IT management costs. Many users will turn to their personal Webmail account because of their ability to send very large files through these systems. However, when users do so there is no IT visibility into the sent or received content, no tracking, no auditability, and no archiving. Moreover, corporate content can reside in personal Webmail repositories for many years, long after an employee may have left the company. While this makes life easier for users, it increases the risk to the organization. Organizations need to balance end user simplicity with IT control by providing tools that enable employees to do their work easily and efficiently, while at the same time satisfying the compliance and governance requirements of the entire organization. USB sticks, tablets and smartphones create the same problems: lack of security, higher costs, their likelihood of being lost or stolen, and the potential for content on them to be accessed by unauthorized parties. Dropbox-like file sharing tools and cloud services can be effective, but they do not permit IT management or governance of content. And, they often are individual accounts and not under the sanction of IT which means that IT doesn t have the visibility or insight into what is being transferred, nor does IT maintain any type of audit trail for this content. SharePoint and similar tools are useful for sharing information if both senders and recipients are using it. However, SharePoint require the deployment of a 2012 Osterman Research, Inc. 1

3 dedicated infrastructure and training for end users, and it is not always easily accessible by remote workers or people external to an organization. Basic FTP client-server systems, while useful, require both the sender and recipient to have access to the FTP server to share information, which can be an ongoing provisioning burden for IT. Physical delivery of information such as CD-ROMs or DVD-ROMs that are burned and sent through overnight services is expensive and the speed of delivery is slow. KEY TAKEAWAYS What organizations need is a straightforward business-class file sharing solution that will address these issues. Specifically, such a file transfer solution should: Allow users to send files and messages whenever they need to do so, giving them an easy-to-use, straightforward and convenient way to send files. Send the content independently of , but preferably from the client (e.g., with an Outlook plug-in) or from a Webmail-like browser interface. Not force users to change the way they work. Allow IT to manage and control file sharing according to corporate policies, ensuring that all of an organization s compliance obligations are satisfied and thereby minimizing corporate risk. Provide full audit trail and archival of all transfers for purposes of e-discovery or regulatory compliance. ABOUT THIS WHITE PAPER This paper contrasts the issues against alternate solutions available from traditional file sharing solution providers like Ipswitch File Transfer, thereby helping IT to implement a solution that s best for their organization and their users. THE STATUS QUO OF FILE TRANSFER BETWEEN PEOPLE TRENDS IN CONTENT SHARING AND COLLABORATION There are a number of trends occurring in the workplace, trends that are having important impacts on how employees share information and collaborate on projects: Workers are becoming more geographically distributed as companies implement telework policies in an effort to reduce the costs of rent and other expenses associated with providing employees a physical place to work. The result is that employees who can no longer collaborate face-to-face instead rely more on the sharing of documents by in order to work jointly on projects and to provide status updates. The quantity and size of content is growing as users create more documents, create video files, etc. This is especially true as the use of graphics and video increases for corporate presentations, training and related uses; and as consumer content authoring tools become more sophisticated and easier to use. The network of business partners, contractors, customers and others outside of an organization is growing, meaning that a growing proportion of users with whom information must be shared are external Osterman Research, Inc. 2

4 Despite the growing use of alternatives to social media, unified communications, Web conferencing, instant messaging and other tools the use of continues to increase. For example, an Osterman Research survey published in October 2011 found that 42% of users are using more today than they did 12 months ago, while only 10% are using less. The Bring Your Own Device (BYOD) trend is accelerating as users opt to employ their own smartphones, tablets and services because of their ease of use, their functionality and the fact that IT often cannot afford to provide all of the capabilities that users desire. These trends are resulting in more content being created on more devices, which results in an accelerating degree of file sharing between employees, business partners and others. COMPLIANCE IS BECOMING MORE CRITICAL In addition to changing trends in the way that employees work and how they create and share content, there are three important issues with which every organization must contend: Compliance regulations are demanding a higher degree of content protection. For example, all but four US states now have data breach notification laws. Allowing sensitive or confidential data to be breached can trigger a variety of consequences, including a statutory obligation to notify victims of the breach, provision of credit reports to victims, adverse media coverage, loss of future revenue, and other consequences all of which represent expensive short-term and long-term problems to remediate. These obligations to protect sensitive and confidential information include HIPAA, PCI DSS, Gramm-Leach-Bliley, Sarbanes-Oxley, encryption laws in Nevada and Massachusetts, the Bundesdatenschutzgesetz (German Federal Data Protection Act), the Personal Information Protection and Electronic Documents Act (Canada) and a host of other requirements around the world. Related to the increasing tenor of corporate governance over sensitive and confidential information is the need for IT to have greater control over content. For example, to comply with data breach notification and other requirements, IT departments must know where data is sent, how it is sent and where it is stored. Moreover, they must have control over all of these processes so that the organization can adequately respond to e-discovery requests, legal holds, regulatory audits, data loss protection, and other situations that demand production and management of corporate business records. Finally, IT must have greater visibility into content delivery in order to recall content when needed, the ability to set timelines for availability of content, provide for guaranteed delivery receipt for certain types of information, and improve their security of corporate content. Moreover, the metadata associated with a file transfer must also be available for purposes of e-discovery and the like. The Bring Your Own Device (BYOD) trend is accelerating as users opt to employ their own smartphones, tablets and services because of their ease of use, their functionality and the fact that IT often cannot afford to provide all of the capabilities that users desire. It is important to note that all of these issues represent significant exposure for an organization that does not adequately address them. As noted above, remediating these issues can be very expensive and can create legal and/or regulatory exposure for senior IT and business managers. A LARGE PROPORTION OF FILE EXCHANGES ARE AD HOC It is also important to note that a large proportion of file exchanges are one-off transfers sent from one employee to another, from an employee to a business partner, and so forth. These are unscheduled, unplanned transfers that are critical to employees getting their work done in a productive and efficient way. Users need 2012 Osterman Research, Inc. 3

5 easy access to these capabilities that their employers often do not provide hence, the growth of user-selected tools like Dropbox or other file-sharing capabilities that they can implement at no charge. The bottom line is that the methods for file transfer in most organizations are becoming more dispersed, IT is losing control of them, IT lacks insight into file sharing processes, users are frustrated, and the consequences of losing control and insight are creating more risk. THE NEED FOR IMPROVEMENTS IN HOW FILES ARE SHARED Despite the utility of individually managed file sharing, there are serious problems created by these processes: Control When employees use Dropbox-like services, USB sticks, Webmail or personally owned devices to send files, control of these file transfers shifts to the user and away from the IT department that has traditionally been responsible for managing content. While IT is still responsible for ensuring compliance with corporate obligations to manage content, many current ad hoc file-sharing methods strip IT of its ability to effectively manage this content. Visibility Ad hoc file sharing that is under the control of individual users minimizes or eliminates IT s visibility into file transfers: IT does not know what information has been shared, where it is stored, whether or not it is encrypted, or where to find it when necessary. Security Individually managed file sharing can easily result in sensitive or confidential data stored without encryption or on devices that can be lost or stolen, such as consumer Webmail systems, USB sticks or smartphones. This not only increases the possibility that sensitive or confidential information will be exposed to unauthorized parties during transfer and at rest, but it increases the risk of noncompliance with a growing variety of legal and regulatory obligations to protect sensitive data. Compliance Although IT is charged with managing and demonstrating compliance of corporate content, individually managed file-sharing largely prevents IT from carrying out its compliance obligations simply because it does not have the audit and other tools to do so. Also, some organizations need a way for employees to communicate by sending messages or short notes in a highly secure, governed and auditable way even when not sharing files. While can serve as a channel for these types of communications, s are not always encrypted or archived as they should be, resulting in compliance and governance problems. Functional problems Although is a simple method for sending files, it was originally designed as a medium for sending only short messages, much like instant messaging is used today. When on-premise is used for transporting files, particularly large ones, server performance slows, message delivery can be delayed, and more infrastructure (servers, storage and bandwidth) are required over time to accommodate the additional burden placed on the infrastructure. Moreover, growing storage and the problems related to it are a major issue for many administrators and these problems are directly related to using as a file transport system Osterman Research, Inc. 4

6 Retention of data is often not performed Another important point is that for purposes of e-discovery or regulatory audits, the files that are sent along with the accompanying message must be retained, something that many ad hoc file transfer systems do not do. WHY IT NEEDS TO PROVIDE AND MANAGE FILE SHARING , personal Webmail, personally owned devices, consumer-focused file-transfer services, and USB sticks all work as file transfer solutions, but they increase risks and the costs of managing a business. Consequently, there needs to be a better way of sending files, particularly in cases where users need to share files on an ad hoc basis. To address these problems, all organizations should seriously consider the use of an IT-managed file-sharing solution. The benefits of such a solution include: User access to the tools they need The use of free file sharing tools, personal Webmail and other resources by end users is borne out of users necessity to do their work efficiently, coupled with the fact that IT departments often do not provide what users need. If IT can provide file-sharing and messaging capabilities that are as easy to employ as user-selected alternatives, users will be happy and, as explained below, so will IT. Monitoring and reporting for purposes of demonstrating compliance Similarly, IT needs a way to monitor file transfers senders, recipients, the content that is shared, when it was sent and received, etc. for purposes of demonstrating compliance with legal and regulatory requirements. This also allows senders to track when their content was received and, in many cases, who opened it and when they did so. This is an important benefit for demonstrating that commitments and other obligations are met. Maintenance of messages and files It is important to note that a record of both the file and the message/note associated with it are often required for auditing purposes. It is critical that a file-sharing solution maintain these elements together. Centralized administrative control An IT managed file sharing solution provides IT with the administrative controls they need to satisfy corporate compliance obligations while allowing users to send the content in a way that makes them productive and efficient. IT control is essential to minimize the risk associated with unmanaged file sharing. Ideally, IT s administrative control will be manageable via a single pane of glass for managing all types of file and transfers within the organization between systems, people, business partners, etc. Having a single interface into all file, data and message exchanges enables administrators to consistently apply security and IT policies to all transfers with a single centralized reporting, logging and audit capability. Integration with existing authentication services Another important capability for any business-class file sharing solution is the ability to integrate with existing authentication services so that only authorized users can send content, and so that the sending of specific types of content can be managed. The use of free file sharing tools, personal Webmail and other resources by end users is borne out of users necessity to do their work efficiently, coupled with the fact that IT departments often do not provide what users need. If IT can provide filesharing capabilities that are as easy to employ as userselected alternatives, users will be happy and so will IT. Eliminating most of the content sent through servers One of the primary advantages of an ad hoc file transfer solution is that it bypasses the corporate server, sending content through an alternative channel, eliminating the majority of the traffic that currently flows through . The benefits of offloading attachments include more responsive Osterman Research, Inc. 5

7 servers, faster message delivery times, slower growth in storage, lower costs for additional infrastructure, lower IT labor costs, shorter backup windows, and faster restores after a system crash. It is also important to note that using a separate file transfer infrastructure can help an organization extract greater value from their existing (and typically significant) investment in the infrastructure by postponing or eliminating upgrades to storage and servers. There is a need to send secure messages too In addition to files, secure messages must also be sent, either as standalone messages or when files are transmitted. For example, when communicating about a sensitive project, users may want to send messages in a more secure or managed way than sending them through . Similarly, accompanying notes or explanations often need to be sent when transmitting files, such as instructions about changes in a file or an explanation of what a file contains. Other capabilities Finally, other capabilities are vital to ensure appropriate management of filesharing processes, including the ability to encrypt content; and also to maintain control over content throughout its lifecycle, such as recall of sent files and messages, and the ability to impose expiration policies on content. QUESTIONS TO ASK WHEN CHOOSING A FILE SHARING SOLUTION There are several important questions that should be asked when evaluating ad hoc file sharing solutions: Is the solution as easy to use as and Dropbox? One of the most important issues for an ad hoc file sharing solution is its ease of use. A solution that is difficult for users to employ, or that requires a significant change in user work processes, simply won t be used in most organizations. The result will be a waste of IT s budget and a failure to resolve the fundamental problem for which the solution was deployed. Best-practice is a simple Outlook plugin that integrates seamlessly into company . Moreover, the solution should also be accessible from a Web browser to permit users to send data at work, from home, while on the road, etc. Also, it is critical that any ad hoc file transfer solution not change users habits or routines so that user adoption will be maximized and calls to the support desk will be minimized. Can the solution integrate with extended or external project team members? Content must often be shared between team members, business partners and others. As a result, content must be very easy to share with an extended team. Can the content be managed by IT? A critical aspect of any ad hoc file sharing solution is the ability for IT to manage and govern content sent through the system. This is an important aspect of a corporate file sharing solution, since IT is responsible for business records sent through the system for purposes of e-discovery, regulatory compliance and the like. This is what differentiates a true, business-grade, ad hoc file transfer solution from the variety of file sharing Web sites and cloud services that do not allow management or governance of file transfers according to corporate policies, or that do not integrate with corporate file transfer systems. Examples of the content management that can be applied using a managed file transfer solution include the ability to apply timed end-of-life for files, limits on the number of downloads that are permissible, and robust encryption. How much training is required for the solution? Related to the point above is the need to minimize training for an ad hoc file 2012 Osterman Research, Inc. 6

8 transfer solution. A solution that requires extensive training will cost more to deploy and is unlikely to be widely used. Can the solution be used to send messages that are secure, auditable and governed? Can the solution provide for a communications channel independent of that permits sensitive communications even when files are not sent to be governed properly? The ability to send files more securely than is possible with standard systems, or as part of a file-sharing capability that will permit messages not to be lost in the normal flood of hitting most users inboxes each day, is essential to many users. A key element of good governance is the ability for content to be encrypted end-to-end not all file transfer solutions offer this capability. Are there limits on file sizes that can be transferred? One of the fundamental reasons for deploying an ad hoc file transfer solution is its ability to bypass the relatively small file-size limits inherent in most systems, since this is a common method for users to share files. This is particularly important for organizations that routinely send multi-gigabyte files, such as architectural firms, graphics designers, engineering companies, healthcare providers, etc. While file size limits can be imposed in an ad hoc file sharing solution, they should be substantially greater than the typical megabytes in most systems. Can the solution manage the message and attachment together? Another important consideration for a file sharing solution is its ability to encrypt the message and the attachment that are sent, as well as to archive both together for easier retrieval during e-discovery and auditing. Can the solution integrate with other corporate systems? Another important feature of a corporate file transfer solution is its ability to integrate with other corporate systems, such as archiving and security systems. For example, content sent through an ad hoc file sharing system must be archived for long periods for the compliance purposes noted above. Moreover, content sent through the system must be checked for spam or malware, as appropriate. Is the solution part of a larger managed file transfer solution? The benefits of having file sharing as part of a managed file (MFT) transfer solution include the ability to consolidate to a single tool to manage, authenticate, secure and governing all business files and data that is moved and shared between people, systems and business partners. For example, there is enormous benefit in the ability to have one administrative console to define corporate policies and, manage, report and audit compliance with them. Other critical considerations o Can files and messages be sent from sender to recipient and vice versa? o Can folders of files be sent instead of just individual files? o Can limits be set on the number of times a file can be viewed or downloaded? o Does the solution integrate with a global address list? o Are there file extension rules that can be imposed (e.g., not sending.exe files)? o Can the solution not permit sending to certain domains (e.g., not sending to yahoo.com or hotmail.com domains)? The benefits of having file sharing as part of a managed file transfer (MFT) solution include the ability to consolidate to a single tool to manage, authenticate, secure and governing all business files and data that is moved and shared between people, systems and business partners Osterman Research, Inc. 7

9 SUMMARY File sharing capabilities managed by individual users expose organizations to unnecessary risk and prevent IT from fulfilling its mandate to manage corporate compliance. This is a particularly serious concern for regulated firms, but also for less heavily regulated firms that must satisfy legal requirements or best practices for management of files. Consequently, what organizations need is an IT-managed, ad hoc file sharing solution that: Is as easy to use as Dropbox, USB sticks or Webmail. Bypasses the server as a file transport mechanism while still allowing users to employ their interface (e.g., Outlook with a plug-in). Permits IT to manage content according to corporate policies. Minimizes the cost and risk to the organization. IT has a lot to consider when deciding how to optimally enable file sharing within their organization. But are there solutions available that can actually meet the requirements discussed in this whitepaper? While there are numerous vendors on the market today, Osterman Research believes that Ipswitch offers IT and end users what they need in a single, business-class file sharing solution. ABOUT IPSWITCH FILE TRANSFER Ipswitch File Transfer provides solutions that move, govern and secure business information between employees, business partners and customers. Our proven solutions lead the industry in terms of ease of use, allowing companies of all sizes to take control of their sensitive and vital information and improve the speed of information flow. Ipswitch lets you govern file sharing with confidence by balancing the need for end user simplicity with the visibility and control required by IT. Ipswitch File Transfer solutions deliver for thousands of organizations worldwide, including more than 90% of the Fortune 1000, as well as government agencies and millions of prosumers. Learn more at Osterman Research, Inc. 8

10 2012 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader s compliance with any laws (including but not limited to any act, statue, regulation, rule, directive, administrative order, executive order, etc. (collectively, Laws )) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL Osterman Research, Inc. 9