Mobile content management and BYOD: the Dropbox catch-22
If an auditor had full access to your Dropbox account right now, would they find a single bit of corporate data that shouldn’t be there? MobileIron VP Sean Convery asks
I’ve asked this question a lot, with all sorts of very senior IT folks in the room, and I have very rarely heard someone answer “no”.
With 200 million users as proof, Dropbox has created a beautiful, mobile content solution that helps workers be productive on the go. This kind of experience is increasingly driving users to sidestep IT.
The resulting security challenges can be daunting: major risk of data loss and unmet compliance requirements. This problem isn’t unique to BYOD deployments as most users have personal data on their mobile devices regardless of whether they are BYOD or corporate procured.
So the question becomes: how do you manage security and compliance risks without removing the tools employees need to be productive?
To address this, we first have to understand common mobile content management requirements.
I’ve had the pleasure of interviewing key mobility leaders at a half-dozen Fortune 100 customers over the last 30 days. Enterprise content management and mechanisms to address data leakage are front and centre for them.
These organisations want the same basic things: to get users the content they need, synced to all their devices; to allow them to share that content with colleagues; to prevent corporate data from leaking to insecure locations; and to comply with relevant regulatory and audit concerns.
These Fortune 100 companies have considered, and in some cases deployed, a number of different strategies to address these requirements (often more than one at once).
Common approaches to secure content management
1) Mobile-enable SharePoint
When you provide mobile access to your organisation’s content repositories (like SharePoint) you reduce the risk that users will copy this content to a personal cloud repository in order to have easy access to their files. When deployed properly, this approach addresses aspects of all four of the above requirements.
2) Deploy an enterprise cloud sync solution
Cloud file sharing is a hot space. Deploying these best-of-breed solutions with integrated mobile security can address aspects of all four requirements. Be careful with cloud repository policies, though: if users can move unprotected enterprise data to insecure locations, you have just run afoul of requirement three.
3) Deploy an enterprise container/persona
By setting up a portion of the device as enterprise-only, you increase the security of mobile-enabled SharePoint and enterprise cloud sync solutions. These containers come in different flavours with different security capabilities. It is critical that organisations achieve this containerisation while maintaining as much of the native user experience as possible. If your BYOD programme compromises the employee’s personal experience on the device, it will fail. This approach helps you meet the last two requirements and gives you a foundation to deploy applications that meet the first two.
4) Block Dropbox, Google Drive et al.
This one is pretty straightforward. Organisations are worried about the data leakage risk associated with personal cloud solutions. To address this risk, and comply with various regulations, companies simply don’t allow these apps to run. Combining this strategy with containerisation is a popular approach. An organisation could, for example, prevent Google Drive only within the container but not on the personal side of the phone. When deployed properly this can help you meet the last two requirements.
So, what’s the Catch-22?
Many enterprises think that by deploying an enterprise file sync and share service, they can turn off Dropbox because they have given users a viable alternative.
Sadly, this isn’t the case. Dropbox’s value proposition is just too strong. Its 200 million users are proof that its simple UI is practically begging for your corporate data to be sent to your users’ accounts. And with direct integration to dozens of other apps, saying “no Dropbox” also means “no apps that integrate with Dropbox”.
You can’t block Dropbox for personal use. Employees using devices for both corporate and personal purposes want to use Dropbox for personal file sharing (photos, family documents, etc.). If you block Dropbox, users are out of luck once their device is corporate-enabled.
Users could also turn to shadow IT. If you block any popular application, chances are good that your users will be tempted to find a workaround, at the expense of security. A 4G connection, a Google account, Evernote, Dropbox, and a web browser are all most folks need to be productive.
Why are users willing to jump through so many hoops to avoid your well-documented and publicised security policy? Because they want the productivity that a true mobile-first experience brings.
So that’s the Dropbox catch-22: how will you meet the security requirements of your organisation, without turning off the very service that is violating some of those requirements? The lesson: don’t ignore user demands.
Remember the auditor rummaging around in your Dropbox account? If you’ve got some corporate data inside Dropbox, ask yourself why. The answer probably has something to do with Dropbox’s awesome experience. It all starts innocuously enough: you just need to share a file with someone but it is too big to send via email. Before you know it, all your most valuable data is in Dropbox and you don’t look back.
This is a big problem, without an obvious solution. The best solution available today is to deploy a containerised enterprise file-sharing tool for business use. Then users can access Dropbox on the personal side of the phone and IT doesn’t have to worry as much about corporate data leakage.
While that's the best mature option in the market today, there’s more to do here. It will be critical to solve this Catch-22 in a way that maximises a user’s choice to work the way they want and gives IT the peace of mind they need.