'Secure' Cloud File Sync Is The Wrong Move

Just about every week, either in my role as an IT leader or as a columnist for InformationWeek, I get an email pitch about how Product XYZ is "more secure" than the consumer-based cloud file sync apps such as Dropbox and SugarSync. In one example, the vendor referred to a recent, human-related Dropbox security breach, opining: "The fact is that commercial cloud services are not secure data repositories. Period."

Broad brush statements like that one drive me crazy. Of course, any time data leaves your span of control, it's less secure. But for business to actually get transacted, sometimes we need to achieve a balance between security and functionality.

I spent a bunch of my career in the security world, so I understand that security folks sometimes freak out. The consequences of the wrong actions can be brutal, but the bottom line is that we can't just lock up the data. Our job is to classify use cases and help our business colleagues understand the risk-benefit ratio.

Why do your users choose Dropbox? Because, unlike a lot of cumbersome tools supplied by central IT, it just works. It's usable. It doesn't require a consultation with an IT help desk person.

One vendor pitched me recently on its product, which allegedly "works the same as Dropbox except it has really high security standards." Whatever that means. Just about any vendor is vulnerable to human-based breaches. Any time you put your data out there you're risking a breach. Don't get me wrong--the purpose-built "secure" products are probably more secure than the standard cloud sync app, but if they're out of your span of control, there's some level of risk.

Most of these "secure" vendors are missing the critical point about why cloud file sync is attractive. The business benefits don't come from the file sync app itself. They come from the ecosystem.

Global CIOs: A Site Just For You Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

What do I mean? Most of these "super lockdown" vendors pitch that their products work on BlackBerry, iPhone, Android. But the real value comes from the ease of use that comes from app integration into the cloud sync product. Vendors such as Dropbox, SugarSync, Box.net, and Google influence their developer communities to build support into their specific apps. In this way, you have direct support for notepad apps, Microsoft Office equivalents, photo apps, and the like.

You might get annoyed that these vendors don't just support secure WebDav (a standard for Web file sharing), but the fact is that doing file sync is fiendishly difficult. WebDav doesn't offer the same total solution for sync that the cloud file apps do.

So the ecosystem really matters because, to do cloud file sync right (where you're not getting frustrated by conflicting versions of files and other ugly things), vendors of productivity apps need a simple way to sync. The APIs and forums and community support that the cloud file sync vendors offer to third-party app developers really matter.

The ecosystem matters because adopting some strange, squirrelly vertical cloud file sync tool that nobody's ever heard of simply isn't going to work. It may make the security trolls at your organization feel better, but for them, I suggest buying a security blanket.

Assuming that the niche "secure" cloud file sync app works as well as the incumbent tool, not only will nobody want to use it, but nobody is going to be able to use it. The pervasive productivity apps don't support the niche products. For example, the latest Docs to Go supports Google Docs, Box.net, Dropbox, iDisk, and Sugar Sync. That's it. Not a highly secure niche solution among them.

Oh, you can use our secure tool within iOS or Android and then open it in another app, say the niche vendors' sales and PR folks. Really? And when you modify the doc, how does it sync back into the cloud? Hello, cumbersome!

There's no doubt that cloud-based file sync has created a huge security issue. But expecting to solve it with inadequate products isn't the way to go. Instead of IT acting like the no police and outlawing the tools that actually serve their user bases, IT can work with business leaders in several ways.

>> Establish and document acceptable use cases for cloud file sync. Not every use case is appropriate, obviously.

>> Integrate cloud file sync use case and other guidelines into your security awareness training.

>> Define the risks and then work with security personnel to establish what the mitigation strategy will be, such as data leak protection, adequate backups, and two-factor authentication.

It's much more difficult to have these conversations than to simply lock up everything and offer inadequate tools. But it's the right thing to do.

At this year's InformationWeek 500 Conference, C-level execs will gather to discuss how they're rewriting the old IT rulebook and accelerating business execution. At the St. Regis Monarch Beach, Dana Point, Calif., Sept. 9-11.