Enterprise file synchronization and sharing, or EFSS, technologies enable users to synchronize their files across…
all their devices, including organization-issued and personally owned laptops, smartphones and tablets, and to securely share their files with other users. A secure sync-and-share service is increasingly essential to organizations that need to ensure corporate files are kept as secure as possible. EFSS products are an enterprise-grade, centrally managed technology that offer a wide range of security features, including strong encryption of files, user authentication, secure file destruction (e.g., cryptographic wiping), data loss prevention (DLP) and file-access auditing.
Although EFSS products have the ability to provide robust security, they can only do so if they are deployed properly and managed effectively. Here are some tips for a successful EFSS implementation that can provide secure sync-and-share capabilities.
Secure sync services require encryption
First, use strong encryption to protect all files. At a minimum, the EFSS should be configured to use strong encryption algorithms and keys, such as the Advanced Encryption Standard (AES) with 256-bit keys, to encrypt all files centrally stored on the EFSS server to safeguard them if the server is breached.
It’s also important to encrypt all files in transit between client devices and the EFSS server, which protects them from eavesdropping on unsecured networks. This is most often done using Transport Layer Security (TLS) with a strong encryption algorithm and key length such as AES with 256-bit keys. If the EFSS product offers a client component for user devices, it may be able to encrypt the files when stored on the user devices as well, providing protection for lost or stolen user devices. Note that use of encryption technologies necessitates following all recommended best practices for cryptography management, particularly the secure management of cryptographic keys.
Setting up authentication comes next
Whenever possible, use existing enterprise authentication methods for internal users. If users have to remember yet another set of authentication credentials and provide them every time they want to use their own files, they may abandon the EFSS product and turn to consumer services that are more user-friendly, but unknowingly to the users can put the files at a much greater risk of compromise. Using Active Directory, LDAP or another existing enterprise authentication tool, significantly reduces the burden on the user. Remember, however, that if users are going to share files with external parties, there will need to be an authentication mechanism for them to use as well.
Then configure …
After taking encryption and authentication into consideration, configure the EFSS tool to be as easy to use as possible. For example, integrating the tool chosen with existing enterprise services enables users to synchronize and share files directly from their regular applications. Most EFSS products also offer application program interfaces that allow integration to be extended to other applications, which makes using EFSS even more seamless for users.
Another important but easily overlooked configuration setting is to allow the EFSS product to synchronize files of any reasonable size. Setting the maximum file size can be tricky because some users may want to share enormous files, even terabytes in size, and this may not be feasible for performance or cost reasons, and not even possible with some EFSS offerings. Failure to permit this will cause users to seek an alternate solution and abandon the EFSS. Investigate the costs and technical limitations associated with unusually large files, and set the maximum file size to the largest value that provides more benefit than cost to the organization.
… and monitor
To ensure secure sync-and-file processes in the enterprise, the next step must be to strictly limit, audit and monitor all administrator access to the EFSS. Because an EFSS technology collects many sensitive files in a single location, EFSS administrators may have the ability to access the contents of these files. That poses a significant insider threat. Each person performing EFSS administration should be individually authenticated to support accountability, preferably with multifactor authentication. Also, EFSS administration should only be permitted from authorized administrative devices, reducing the risk of stolen credentials being reused from an attacker’s system.
There are several management requirements that must be followed for an effective, secure sync-and-file deployment, but enterprises that meet those requirements will find EFSS provides an additional layer of much-needed and easy-to-use security for corporate data.