The dangers of Google Drive and Dropbox in the enterprise

Search behemoth Google recently entered into the consumer cloud storage battlegrounds with the launch of Google Drive, a service that allows users to automatically sync files between devices, via the cloud.

Following the launch, the web was awash with price and feature comparisons between Google Drive, Dropbox, SkyDrive, and other consumer cloud storage services.

Consumers are right to be excited: such cloud-based storage tools have the capacity to improve several operations, including backup, access-anywhere primary storage, collaboration and more.

But these benefits are exactly what might cause Drive and its cloud storage cohorts to be a danger in the corporate IT environment.

According to Steve Hodgkinson, Research Director at Ovum, employees are aware of the benefits of consumer-grade cloud storage and will introduce them into the workplace, under the radar, if such cloud storage tools are not provided by their IT department. He considers it an inevitability.

“If the corporate IT department is flatfooted, and not providing something like that, then staff will use consumer-grade services,” he says.

In the workplace, these tools can help ease collaboration between departments, facilitate remote working, and help individuals move their work between devices.

“The iPad is one of the biggest drivers. As soon as people have an iPad, they need to work out how to get content onto it. And one of the best ways to get content onto it is through the likes of Dropbox, or one of the publicly available data storage in the cloud solutions,” Hodgkinson says.

And if you think it’s not happening in your organisation - Hodgkinson says “it probably is”.

Risks of the consumer cloud

While these services may offer productivity benefits in the workplace, they do carry risks, given that they are consumer-grade services, with consumer oriented terms and conditions.

“They’re not being used under business-like, corporate terms and conditions of use, regarding respect for the privacy of data, or the use to which that data might be put,” Hodgkinson says.

“For example, if you use Google Drive without paying for business-like use under business terms and conditions, then Google reserves the right to virtually do anything they want with that data,” he says.

This is mainly to allow Google to root around your data, find some information on you, and present some ads that are relevant to your life. It’s one way Google makes money while providing a service that’s free to the user.

That’s not to say that Google is out to actively exploit or enact evil upon you or your organisation. Indeed, as Hodgkinson points out, Google’s continued success depends on its reputation, so it has a vested interest in being perceived as a good guy.

“It’s not necessarily because they’re going to bad things with it. Their reputation depends on them not doing stupid things with it.

“But we’ve seen Google do stupid things in the past. It’s just a risk because of the nature of the contract,” he says.

Such open-ended terms and conditions might also be necessary if, for example, the service wants to add the ability to translate documents from one language to another. In such a case, the service would need to have permission to process your data.

“Contractually, they need to have that flexibility to offer those services,” Hodgkinson says.

This scenario is fine if a consumer decides to forgo their own personal privacy in return for a free service. But, by and large, organisations like to keep their secrets secret and they don’t like it when their employees make such decisions on their behalf, exposing confidential information to service providers like Google or Dropbox.

Beyond these contractual concerns, corporate IT departments tend to have specific requirements regarding uptime and security. And according to Hodgkinson, many of these consumer-oriented cloud storage companies are not yet “what any corporate IT department would regard as serious enterprise-grade companies.”

“They’re, in the main, smallish start-up style organisations, which have already made some fairly serious operational errors. Dropbox last year for a while had a glitch where all of its Dropbox accounts could have been accessed by any user for a period of hours,” he says.

All of these worries come into effect when Van Patten from Accounting copies the entirety of your organisation’s financial records into a folder on one of these cloud storage services. He may have just implicitly allowed outside organisations to poke through your business. Or, in the case of a cloud service with less than stellar security, exposed it to malicious attackers.

Working together

While these services do pose a threat to an organisation if used incorrectly, blocking the use of them outright is not the answer. Instead, IT should regard employee use of consumer cloud services as an expression of a business requirement.

“The first thing is to accept that if users are ‘voting with their feet’ to use these services, then that’s an expression of an unmet business need that the IT department should pay close attention to. It’s also an expression of a desire to innovate and use the latest solutions,” Hodgkinson says.

Thus, if the IT department simply blocks the use of these services without carefully explaining the security reasons behind the move, it may be seen as stifling innovation, and damage IT’s reputation within the business.

In that case, “the IT department is just setting itself up to be seen as a luddite, to be seen as backward looking, slow, risk averse, conservative and not meeting the needs of users,” Hodgkinson says.

Inter-departmental relations can be a massive stumbling block in organisations. When conversations should be about how to improve business outcomes, they instead turn to discussions of who is stonewalling whom. IT departments would be well advised to avoid perpetuating such conflict.

Despite these worries, it is possible to support employee innovation while satisfying IT’s concerns about risk.

Any blocking or banning of such tools needs to be accompanied by a careful explanation of why they are a threat to the organisation, along with “another solution that the IT department offers which is enterprise grade, which is safe, trusted and meets the business need that’s been expressed,” Hodgkinson says.

The cycle of innovation

Ovum considers the above discussion as part of a broader picture, in which developments in consumer technology influence corporate IT, via tech-savvy employees who introduce them into the workplace.

“We see these things as part of a cycle of innovation, which I’ve labelled ‘proliferative innovation’: a proliferation of services in the consumer realm which are highly innovative and which become relevant in the corporate context,” he says.

So, he says, the introduction of consumer cloud storage services into the enterprise isn’t itself the problem.

“It’s actually just one of many symptoms of the fact that proliferative innovation is occurring, and that IT departments need to have a strategic approach to this, rather than treat each little thing like this as an individual bushfire and just try to stomp it out,” he says.