There are two different types of organizational data that end up in Dropbox—corporate-created data and employee-created corporate data. The two use cases happen for very different reasons—should we expect a single corporate file syncing solution to be able successfully accommodate both?
Employee-created corporate data
Users have always been creating data that organizations have don’t control over. For example, when I’m on calls I sometimes like to take notes on a legal pad instead of typing. I can take that legal pad home with me in me, and obviously it isn’t encrypted. The only way that my company could prevent this would be if there was somebody standing at the door, searching everybody as they left. That sounds pretty ridiculous. With mobile devices and laptops, it’s just as ridiculous to expect that employee created data won’t end up in Dropbox. (By the way, by Dropbox, I really mean any free file-syncing service. Like it or not, Dropbox has become a genericized trademark. Also, any time I mention employee or user data, I’m referring to data that’s created in the course of work for a company, not personal data that might happen to be on devices.)
Of course, we also acknowledge that Dropbox and mobile devices can potentially make this data less secure, but that’s the price that we pay in order to be able to work from any device, at any time, and ultimately be more productive.
The bottom line is that employee-created data will never be in control, and that we shouldn’t be blaming Dropbox for that.
With the increasing use of mobile devices and laptops come the need for new means to access corporate data. While it’s easy to argue that most of the data that’s needed when an employee is mobile is data that they created anyway, we can’t expect this to always be the case. Naturally, employees will want access to corporate data as well.
While it’s easy to make employee-created data widly accessable(since it was never really controlled in the first place), it’s harder to do the same with corporate data. That data is generally locked up in file servers, Sharepoint folders, or Byzantine enterprise document management systems. Attempts to make these systems available to mobile users often fall short of consumer solutions,when it comes to usability—these systems might require VPNs that don’t work with mobile devices, and may not have the great performance or capacity of an employee’s personal Dropbox account.
What’s the result? Employees take corporate data out of the system, using Dropbox, email, or even USB drives—the easiest way would be to just mirror an entire folder on Dropbox. And remember, most employees don’t know that they’re doing anything wrong, or at least they aren’t doing it maliciously. They just want to be able to get their jobs done. And why shouldn’t they be able to work with corporate-created data in the same way they work with their personal data—on mobile devices, from anywhere, 24 hours a day.
Even though corporate data in Dropbox makes us cringe at the potential insecurity, we should be happy that employees want to be so productive.
The two challenges of file syncing
So we see that there are two different problems to solve: creating better access to corporate-created data, and encouraging users to be more responsible with their own content.
Secure corporate-created data
This is the easy step, and the more important one, too. If there are no convenient ways to access corporate data, then the options are either lost productivity or data escaping to Dropbox.
Fortunately, there are many vendors the offer solutions for this exact problem right now. Virtual appliances and file-server add-ons that push data out to mobile applications, desktop clients, and web interfaces give employees a fighting chance to be both mobile and compliant with corporate policy. The mobile data management clients are also beneficial because they allow corporate data to be securely placed on un-managed devices (that will be the subject of tomorrow’s blog post).
In this area, any effort is appreciated, but there are risks if solutions are limited to individual applications (for example, a mobile data app that only plugs into Sharepoint or doesn’t support a particular client). Colin Steele began an article last week with the prediction that the consumerization of IT will force vendors into a new era of interoperability. We can only hope so, because every incompatible scenario is another reason for an employee to use Dropbox.
Secure employee-created data
While we know that employee-created data will always be out in the wild, we can admit that Dropbox, mobile devices, and laptops can make it less secure.
Getting employees to switch over wholesale to a corporate solution is pretty difficult, however. Since they’re used to managing their data however they like, their pain tolerance for any annoyance from a corporate solution will be pretty low. But since administrators know that the data involved is data that they wouldn’t have control of in the first place, the whole project can be approached in a more relaxed and friendly manner—as a helpful suggestion, rather than a stern admonishment.
The success of this effort depends a lot on how robust a solution is, and how corporate controls are implemented. The end users don’t need or want enterprise document management features, they just need a folder that syncs, and any other features run the risk of getting in the way.
Is it even worth a shot?
With both situations, all IT can do is deploy solutions and know that while we they’ll catch all of the users, every increase in the usability of a solution means a decrease in users resorting to Dropbox. And it’s also fortunate that the more pressing corporate-created data issue is the issue that is easier to solve.
Finally, is it even reasonable to think that a solution designed for corporate-created data could be easy enough to use that employees would use it for data that they create on their own? Conversely, could a consumer-grade syncing solution could ever become secure enough for corporate-created data? Or is it most likely that there will always have to be separate solutions for each scenario? Right now, though, there are many vendors in the space, so some answer will have to shake out eventually.