In the enterprise, businesses are seeking to block channels for transferring files, and in many cases the need to manage these channels is valid and vital to specific business operations. In some cases such efforts are driven by fear of the unknown unknowns; in others they rest on identified disclosure risks to sensitive data or to in-flight research and development materials.
A more common discussion is to block file sharing services directly, such as Dropbox. The challenge is how: some choose policies, others push for technical blocks within the enterprise. The more aggressive will even run regular endpoint policy blocks to disable the applications on the workstation, together with policies blocking URL / IP browsing to the service providers’ addresses. This is one of the only ways to really block such a service, and it still does not prevent a sneaker network (files carried out on physical media) from bypassing all of these mitigation efforts.
If, though, the business has achieved a high success rate of blocks and changed user behavior toward some other approved file passing process, then all is good. In some cases “good” may mean going back to the “old way” or to some newly designed implementation of an excellent corporate tool.
The risk is in not filling the end users’ need: the need remains, and the market and the users connect through alternate solutions. This, of course, sustains the very risks / threats that prompted blocking the first “mole”, now pushed into a perhaps less preferred channel.
I recently came across such an occurrence with the introduction of Pipe, which uses Facebook Connect to allow point to point transfer of files of up to 1 gig. The ability to transfer files without a new user account, leveraging the existing user base and capitalizing on a service (Facebook) that is already permitted internally (on corporate devices, iPads, tablets, iPhones, etc.), is brilliant from a market entry and ease of use standpoint. From a business standpoint, this escalates the business’s need to develop a social media and mobile device strategy, not tactical solutions (because the market is shifting) and not policy alone (because the words by themselves will not stop the traffic from flowing).
- How are you assessing the risks of these emerging platforms and technologies?
- Do you understand the business processes of your business, and where such tools and needs exist within the user base?
- What monitoring and metrics exist to keep you aware of these activities, so the technology services can be improved to meet the business demands?
- How is data management securing the sensitive and important data within the organization?
- How is your security program / audit group (PCI QSA too) viewing the presence of these applications within the research, financial reporting, and card data environments?
Here is a nice article at The Verge elaborating on Pipe and its offering.
James DeLuccia IV