Corporate data doesn't stay on the desktop computer anymore. Employees are using consumer-grade social networking and file-sharing tools for collaboration, and blocking access to these services is no longer an option, thanks to the bring your own device, or BYOD, trend.
Setting corporate policies around the distribution of sensitive information may mitigate risk only to a point. Some enterprises are turning to encryption and authentication methods to provide secure collaboration and social networking for their employees and to secure their sensitive data across public, cloud-based applications.
Secure collaboration, file sharing for the enterprise
File encryption tools can offer security should a cloud-based service experience a breach, said Brad Shimmin, principal analyst at Washington, D.C.-based Current Analysis Inc. "A public or private key system can offer a secondary layer of security, and give [businesses] peace of mind when exchanging sensitive communications over public airwaves," he said.
The number of vendors that secure corporate data in consumer-grade file-sharing environments is growing. "Enterprises are looking at how these tools are used, and there are different ways for them to deal with this [employee] behavior because access to file sharing isn't easy to stop," said Michael Suby, vice president of research at the Stratecast division of San Antonio-based Frost & Sullivan Inc. While sharing on social media does represent a security risk for the enterprise, the bigger risk lies in file sharing, he said.
Enterprises have increasingly become comfortable using social media sites and file-sharing applications as collaboration tools, but sharing information on public services can lead to trouble if the wrong people see the information. Instead of restricting social media usage and file sharing, the enterprise should protect data before it leaves the employee's computer or mobile device, said Steven Sprague, CEO at Lee, Mass.-based Wave Systems Corp.
Wave Systems recently released a cloud security and privacy service, Scrambls for Enterprise. The Web plugin allows employees to use existing social media tools to enter status updates, tweets and blog posts, as well as share files via email and popular consumer file-sharing tools -- like Dropbox -- without the risk of security or privacy breaches. Scrambls encrypts the data before it leaves a user's device, Sprague said.
The enterprise version of Scrambls can be downloaded on any computer or mobile device -- corporate-sanctioned or not -- and works across any online social site or application. Unlike many cloud privacy services, Wave Systems never sees a customer's data because the information is encrypted on the employee's device.
"Many enterprises are afraid of their data being readable by their cloud service provider of a [unified communications] tool -- like Microsoft is the operator for Yammer -- or anyone who may successfully hack into the cloud UC service," he said. "The data is protected in the cloud by the encryption keys in the client device."
The service also offers IT auditing capabilities. "Enterprises want to have control over what data is consumed and by whom," Sprague said. "[Encryption services] are helping to move these current entertainment services, like social media, and other consumer tools, like Dropbox, into more of an internal communications service for enterprise use."
Authentication should precede encryption for secure collaboration
Before encryption, access control and authentication are an important first step for secure collaboration, Current Analysis' Shimmin said.
"Enterprises are not encrypting everything that goes to social media -- it's a bigger solution than what is needed," Stratecast's Suby said. Many companies are employing authentication structures to define who can send and receive data as a first step.
Because access is no longer limited to corporate-owned endpoints, access control needs to happen before encryption. "Enterprises can base permissions on names, roles, titles and departments, and then filter outgoing files or tweets," Suby said.
Once access is granted, authentication must be employed, Suby said. "Enterprises can control access to their data over public services by asking users for usernames and passwords, while still allowing employees to access data from a variety of devices."