Plenty of consumer storage services are entering the enterprise, but IT doesn't necessarily have to adopt those....
You can develop your own cloud-based file sharing system that works for your business -- and focuses on security.
To properly set up a cloud-based file sharing system, an organization must do three things: establish authentication and authorization controls, register devices, and define audit reporting and review procedures.
Establish authentication and authorization controls
Authentication and authorization controls are the foundation of user-oriented security in an enterprise cloud-based file sharing service. This process includes integrating directory services, configuring user-oriented security controls, and reviewing default security and control permissions.
Integrate directory services. IT admins should use Active Directory or Lightweight Directory Access Protocol (LDAP) directories to manage access controls. These directories already contain information about users and groups and their privileges. Be sure to carefully review existing attributes to ensure that they are sufficient for managing file-sharing services.
In particular, consider your ability to adequately manage new privileges, such as granting access to shared documents and folders, delegating some administrative responsibilities, and sharing links to documents with users outside the organization.
Enterprise-class cloud-based file sharing systems should have mechanisms for using Active Directory or LDAP services, but verify that the directory maintains sufficient information to effectively enforce security policies related to users and devices.
Configure user-oriented security controls. IT security policies should specify requirements for password controls. These typically include such restrictions as minimum password length, password life spans and restrictions on password reuse.
Account lockout rules should also be configured. These include specifying the number of failed attempts allowed and the conditions for unlocking an account. Unlocking may occur automatically after a specific period of time or, in more security-sensitive cases, after an administrator manually unlocks an account.
Security policies should also indicate how to respond to an excessive number of failed login attempts on mobile devices. While locking an account may be sufficient for failed login attempts on an on-premises desktop, excessive login failures on a mobile device may signal that it has been lost or stolen.
If the setting is available in your cloud-based file sharing service, configure alerts to notify admins of excessive login failures on mobile devices. Consider setting your file-sharing or device management service to have excessive login failures trigger a remote wipe, if that feature is available.
Review and revise default security and permission settings. In addition to integrating directory services and configuring password controls, systems administrators should review default security settings on the file-sharing system. The goal of the review is twofold. First, it should reduce the risk of data leaks from a mismatch between the file-sharing system's default configuration and corporate requirements.
Second, the review gives administrators an opportunity to streamline the user experience with respect to security controls. For example, it may be appropriate to restrict file sharing with people outside the organization. If most of the content stored in the file-sharing service can be shared with users outside the organization, you may want to allow sharing by default.
Registering devices is the process of collecting metadata about devices and establishing centralized control over the cloud-based file sharing processes within those devices. Administrators should collect information about user devices, regardless of whether an endpoint is a laptop, a smartphone or a tablet, or if it is company or personally owned.
As with user-oriented security controls, device management procedures should enforce corporate policies. These device controls can include the following:
- Requiring local encryption
- Enabling remote wiping of files
- Implementing document-retention controls
- Password-locking the device
- Defining maximum storage used by file-sharing apps
The mobile device app used with the file-sharing system should be made available to users at the time of registration. Once users register their devices, they can share the files made accessible by the file-sharing system.
Configure file shares and SaaS integration. A key step in the establishment of a file-sharing system is the configuration of files and directories to share. The initial set of shared files and directories should be identified during the planning stages, but adding and removing shares will likely be an ongoing process.
During this stage, remember any software as a service (SaaS) options that integrate with the file-sharing system. For example, you may have users who will need access to documents in Google Apps or SalesFforce.com. Also configure ancillary services such as faxing or document-signing services that can integrate with the file-sharing system.
Define audit reporting and review procedures
The final step common to cloud-based file sharing services and on-premises and hybrid file sharing is defining audit reporting and review procedures. Presumably, the audit requirements have been reviewed and procedures have been defined. The goal is to put those procedures in place using features of the file-sharing system.
Audit processes can include alerts to notify admins of significant events, such as a device locking after a number of failed login attempts. Procedures also include generating reports as specified in policies, including reports that track logins, methods of access and administrative operations.