Date post: 20-Aug-2020
Whitepaper | Accellion vs. Box Accellion vs. Box: 5 Key Reasons Enterprise IT Selects Accellion

An Accellion Whitepaper – Accellion vs. Box

Executive Summary

Mobile file sharing has become a necessity for today’s enterprises. Nearly all workers are mobile, and most workers are carrying three mobile devices, including a smartphone and a tablet.1 To stay productive, workers need access to all their files on all their devices. They also need to be able to share files selectively and securely with other employees, partners, customers, and other authorized users outside the enterprise. To protect confidential data, any file sharing and sync solution must be secure, monitored, and tightly controlled.

Accellion and Box both offer secure file sharing and sync solutions for enterprises. The two solutions differ in five key aspects:

Architecture: Surveys show that enterprises strongly prefer private cloud or hybrid-cloud solutions for storing and sharing confidential files. Accellion supports private clouds and hybrid clouds. Box offers only a public cloud solution. Public clouds deprive enterprises of full control over their data. For example, Box controls the encryption keys used to store enterprise data on its servers.

Integration with Enterprise Content Management (ECM) Platforms: Box requires enterprises to duplicate ECM content on the Box platform in order to access ECM content through the Box service. Accellion enables mobile workers to access ECM content securely from mobile devices without investing in duplicated content or undermining strict ECM security policies.

Secure Mobile Editing: Accellion enables mobile users to edit files in a secure environment. Box requires users to edit files in third-party editors, increasing the risk of exposing files to malware and unauthorized distribution.

Enterprise Integrations: Accellion provides integration with existing enterprise infrastructure, including anti-virus (AV) services, Data Loss Prevention (DLP) services, LDAP, multi-LDAP, and in-house applications. Box supports more limited enterprise integrations. For example, Accellion integrates with any standards-based DLP solution, but Box integrates with only one DLP solution, which happens to be another public cloud service.

Compliance: Accellion supports compliance with SOX, GLBA, HIPAA, and FDA requirements, and has received FIPS 140-2 certification required for use by U.S. federal government agencies. Accellion also complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland (the “Safe Harbor Frameworks”). Accellion also meets the data sovereignty standards of European nations who mandate what region data must be stored in, based on file content or user access. Box has achieved compliance with HIPAA and HITECH obligations and is willing to sign HIPAA Business Associate Agreements (BAAs). The company has been issued an SSAE 16 Type II report and is Safe Harbor-certified. Box has not received FIPS 140-2 certification. Being a public cloud service hosted in the U.S., it cannot comply with data sovereignty and location regulations in the E.U. and in other regions outside the U.S.

Surveys clearly show that enterprises want a private cloud or a hybrid cloud file sharing solution that provides a single interface for accessing all content, including content stored in ECM systems like SharePoint.

1 As of Q1 2003, the average mobile worker is carrying 2.95 mobile devices, according to iPass. http://www.ipass.com/wp-content/uploads/2013/03/ipass_mobile-workforce-report_q1_2013.pdf


While Box does offer security features and data connectors, it retains all the inherent risks and compromises of public cloud offerings. Enterprises choosing Box end up with less-than-complete control and security, while assuming the operational overhead and expense of duplicating files and undermining their strict ECM security policies. The Accellion private cloud solution answers the enterprise market’s need for mobile, scalable, flexible file sharing solutions that extend and reinforce enterprise security policies and controls.

Secure File Sharing and Sync is a Necessity

Mobile file sharing has become a necessity for today’s enterprises. Nearly all workers are mobile, and most workers are carrying three mobile devices, including a smartphone and a tablet.2 To stay productive, workers need access to all their files on all their devices. They also need to be able to share files selectively and securely with other employees, partners, customers, and other authorized users outside the company.

To protect confidential data, file sharing must be secure, monitored, and tightly controlled. While making file sharing convenient and hassle-free for employees, enterprises must ensure that confidential data is never breached or leaked to unauthorized users. File sharing should comply with company security, HR policies, and any relevant industry regulations.

Outbound file traffic is not the only file sharing risk that enterprises need to manage. IT security teams must also ensure that mobile file sharing does not become a conduit for malware into the enterprise. Enterprises today have a variety of choices for implementing file sharing solutions. This paper compares file sharing solutions from Accellion and Box.

Vendor Overview: Accellion and Box

Founded in 1999, Accellion provides mobile solutions to enterprise organizations to enable increased business productivity while ensuring security and compliance. As the pioneer and leading provider of private cloud solutions for secure file sharing, Accellion offers enterprise organizations the scalability, flexibility, control and security to enable a mobile workforce with the tools they need to create, access and share information securely, wherever work takes them. More than 12 million users and 2,000 of the world’s leading corporations and government agencies use Accellion solutions to increase business productivity, protect intellectual property, ensure compliance, and reduce IT costs.

Founded in 2005, Box began as a consumer file sharing service like Dropbox. More recently, the company has begun marketing its services to businesses and has added some of the features often requested by enterprise IT organizations. For example, Box now offers enterprise customers file-based access controls and audit logs. It has migrated its services to an SSAE 16 Type II-compliant data center. The company also encrypts data at rest and in transit.

Box, however, remains a public cloud service provider. Enterprise customers must trust their confidential data to Box, its staff, and its infrastructure. While Box has added security features such as audit logs, some of its operational shortcomings, such as not having the capability to edit files shared through the mobile platform, will likely tempt users to remove files from the system, undermining the security and audit features that Box is now promoting. Other shortcomings will continue to make file access and editing more cumbersome and complex for Box users.

To understand the distinctions between Accellion and Box, let’s examine five key differences between the two solutions.

2 As of Q1 2003, the average mobile worker is carrying 2.95 mobile devices, according to iPass. http://www.ipass.com/wp-content/uploads/2013/03/ipass_mobile-workforce-report_q1_2013.pdf


Key Differences Between Accellion and Box

#1: Architecture

Accellion and Box differ significantly in their software architectures. Before examining those differences in detail, it’s worth considering the architectural preferences of enterprise IT organizations for secure file sharing.

In light of ongoing concerns about data security and compliance, enterprises strongly prefer private cloud architectures for file sharing. While enterprise organizations might use public cloud services for some purposes, such as running computing operations on non-confidential data, when it comes to selecting an architecture for storing and managing business files, most enterprise IT organizations simply do not trust public clouds.

A study by the Enterprise Strategy Group (ESG) found that 96% of enterprises were interested in using their internal on-premise infrastructure for online file sharing. Nearly that same number believes that they can do a better job securing and protecting their data than third-party service providers can. Only 1% of enterprises surveyed were not interested in private cloud or hybrid cloud solutions for file sharing.3

A similar study by the analyst group Research Now found that 63% of enterprises prefer private cloud solutions for file sharing. Large enterprises (those with 10,000 or more employees) strongly preferred private cloud solutions that were hosted on premise.4

Why the strong preference for private clouds? Consider the many pitfalls of trusting a public cloud solution for file sharing. Even aside from the service outages and security outages that have affected public cloud solution providers such as Dropbox, public cloud file sharing solutions pose significant challenges for enterprises, including:

• Vendor lock-in: Recognizing the difficulty of migrating terabytes or more of data, enterprises could feel trapped into sticking with a public cloud provider even if they find the performance and security of the solution unsatisfactory.

• Illicit access by employees: Vendor employees could gain access to files, even if the vendor’s security policies prohibit them doing so.

• Exposed files: Confidential files could remain on the service provider’s servers, even after the service contract has concluded. The enterprise may lose control over its most confidential data.

• Co-mingled files: The service provider could accidentally mix files from two or more enterprises, jeopardizing data confidentiality and data integrity, and raising the risk of infection by malware.

• Ownership of encryption keys: In many public cloud deployments, the service provider, rather than the enterprise, owns the encryption keys used for protecting confidential data. Enterprises should have ready access to the keys used for encrypting their own data. Ultimate control over the security of the files rests with the owner of the encryption keys.

• Service outages: If the service provider suffers a service outage, enterprises lose access to the files they use to run their business. Even if files remain available, security features could accidentally be disabled, as when Dropbox accidentally turned off password protection for all its customers’ files for 4 hours.5

• Vendor viability: If a public cloud service provider goes out of business, enterprises could have difficulty retrieving their data in a timely fashion, if they can get access to it at all.

3 http://www.esg-global.com/research-reports/online-file-sharing-and-collaboration-deployment-model-trends/

4 http://www.prnewswire.com/news-releases/survey-finds-63-of-enterprises-prefer-private-cloud-storage-solutions-over-saas-alternatives-252621961.html

5 http://www.eweek.com/c/a/Security/Dropbox-Accidentally-Turned-Off-Passwords-on-File-Storage-Service-655206/


The Accellion Cloud Architecture

The Accellion solution is available in a virtual environment, which can be deployed on-premise, in a private hosted cloud, or in a hybrid configuration combining on-premise and hosted services. In an on-premise deployment, the enterprise keeps servers, storage, application services, meta-data, and authentication (including encryption keys) within its network perimeter. It has full control over its files and the implementation of the file sharing solution.

Accellion’s three-tier architecture was designed to offer enterprises the greatest possible flexibility for performance and security optimization. The Web, application, and storage tiers can be separated and deployed anywhere on the network. For example, the web tier can be deployed in a DMZ, while the application and storage tiers can be deployed behind an internal firewall for additional control and security. Each tier can be scaled separately to meet the precise storage and performance requirements of a specific organization. The architecture also supports redundant servers and load-balancing at any tier.

The Box Cloud Architecture

Box offers only a public cloud file sharing solution that does not provide customers with full control over their data. Box, not the customer, controls the encryption keys, and Box performs the daily tasks of controlling and configuring the file sharing solution. The wording in Box’s SLAs gives control of the data to Box itself, rather than letting its customers retain ownership of their information.

Additionally, Box only has datacenters in the US, which is a compliance issue for any international organization that needs to comply with regulations about storing data in the region where the user is based.

#2: Integration with ECM Platforms

Enterprise Content Management (ECM) platforms have become nearly essential for managing data in large enterprises. SharePoint is already in use in 78% of the Fortune 500. Competitors Documentum and OpenText boast their own impressive adoption rates. These platforms provide secure, hierarchical storage for files. They also provide powerful search tools and, more recently, microblogging and other social features so that co-workers can collaborate more effectively.

Since so many files are stored in ECM systems, it makes sense to integrate these systems with whatever file sharing solution an enterprise is going to deploy. Without integration, it is difficult for mobile workers, especially workers in remote locations, to access files stored in an ECM system. ECM systems themselves provide little support for mobile access. Connecting securely over a VPN is a slow, cumbersome process for mobile users. To provide mobile access, many IT organizations end up deploying redundant ECM servers or file shares specifically for mobile users. Alas, duplicating content undermines the security and policy controls that attracted many enterprises to ECM systems in the first place. Duplication also plays havoc with file versioning and data consistency. Mobile users might be editing a file from a duplicate server, while on-premise ECM users assume that the file they see in the platform is the latest, authoritative copy.

Accellion ECM Integration

Accellion enables users to access files on mobile devices directly from ECM platforms such as SharePoint, Documentum, and Windows File Shares without requiring duplication of files or a VPN. Accellion ECM connectors, such as its SharePoint Connector, make files stored in an ECM platform available for authorized users without requiring a VPN. Accellion’s ECM connectors enable enterprises to take full advantage of the secure, centralized file storage, access control policies, and other valuable features of ECM systems, while also ensuring that mobile workers have ready access to the files they need, wherever.

Because Accellion integrates directly with ECM systems, enterprises are spared the expense and operational overhead of provisioning and managing duplicate storage systems. Additionally, Accellion’s native integrations fully respect all of the established security and library services within the ECM infrastructure.

Box ECM Integration

Box advertises integration with ECM platforms through its ECM connectors. However, these connectors do not provide real-time access to ECM systems inside customers’ firewalls; that is, they do not connect the Box user interface to master copies of files in ECM systems. Rather, the connectors are really conduits for file duplication and sync operations. Because Box does not integrate with on-premise ECM systems, customers are required to replicate their ECM data on Box’s public multi-tenant cloud.

This duplicate file storage can quickly become expensive. It also poses significant security and compliance risks. It undermines the consistent enforcement of the existing ECM platform’s access permissions regarding who can create, edit, and share new versions of documents.

Ultimately, Box is a content storage solution. To use it, customers have to store their data in Box. As a result, end users will likely end up copying files from ECMs, subverting ECM security policies, and increasing the risks of files being duplicated or edited out of sync.

#3: Secure Mobile Editing

Mobile devices are becoming the platform of choice for a growing number of everyday tasks, such as checking email, surfing the Web, and editing files.6 A secure file sharing solution should support editing features that enable mobile workers to edit and annotate files without jeopardizing data security controls and policies.

Accellion Mobile Editing

Accellion enables users to edit files securely on mobile devices. Because the editing occurs within a secure container, files are protected from data leakage. Users can work seamlessly, opening files, editing or annotating them, and then uploading them with comments into a shared workspace. If the device is lost or stolen, Accellion can remote wipe the device, ensuring that all sensitive data is removed.

Box Mobile Edits

Box enables mobile users to access files, but only by having users open the file in another third-party editor such as QuickOffice. Once opened in another editor, a copy of the file is stored in this third-party app, creating potential security leaks of sensitive data, as the files are no longer under the control of the Box service. Outside of any secure container, the files become vulnerable to infection by any malware on the device.

#4: Enterprise Integrations

A mobile file sharing solution should integrate with IT infrastructure such as LDAP/AD directories, security services, and custom in-house applications. Integration enables enterprises to leverage their current IT investments and infrastructure, simplifying work, and avoiding the expense and operational overhead of redundant systems.

6 For example, 65% of email is first opened on a mobile device. http://venturebeat.com/2014/01/22/65-of-all-email-gets-opened-first-on-a-mobile-device-and-thats-great-news-for-marketers/


Accellion Enterprise Integrations

Accellion provides integration with existing enterprise infrastructure, including anti-virus (AV) services, Data Loss Prevention (DLP) services, LDAP, multi-LDAP, and in-house applications. Accellion deployments are customized to meet customer requirements for file sharing, security, logistics, and operations.

Accellion supports the industry standard ICAP protocol and integrates with any ICAP-compliant DLP solution, including solutions from Code Green Networks, Fidelis, Palisades, RSA, Symantec, and Websense.

Box Enterprise Integrations

In contrast, Box offers a public cloud service with limited enterprise system and infrastructure integrations. Box claims to support popular technologies such as DLP and industry standards such as LDAP, but that support is limited. There are many DLP vendors in the market (for example, McAfee, Symantec, and Websense), but Box integrates with only one DLP solution. Box supports LDAP, but not multiple LDAP directories, a very common requirement in larger organizations. Furthermore, to integrate with Box, an organization’s LDAP must be exposed outside the firewall, which is a significant security risk.

#5: Compliance

Industry regulations and state and federal laws reach further than ever before, compelling organizations of all sizes to protect data and monitor its distribution. Any file sharing solution must help its customers comply with industry regulations such as Gramm-Leach-Bliley (GLBA) and HIPAA. They also need to comply with state laws like the Massachusetts Data Privacy Law, which requires any organization that stores personal information about even a single resident of the commonwealth to implement administrative, technical, and physical safeguards for protecting that data in a manner consistent with the safeguards mandated by other state and federal legislation.7 It can be safely said that any large enterprise must comply with a variety of data security and data privacy laws.

Accellion Compliance

Accellion features rigorous data security controls and a rich IT administrative interface that provides comprehensive file tracking, reporting tools, and audit trails for compliance with SOX, GLBA, HIPAA, and FDA requirements.

Accellion has received FIPS 140-2 certification, confirming that its security meets the high standards required for government agencies.

Accellion complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland (the “Safe Harbor Frameworks”). Accellion has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.

Accellion also meets the data sovereignty standards of European nations that mandate what region data must be stored in, based on a file’s content or user access.

 7 http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf


Box Compliance

Box has achieved compliance with HIPAA and HITECH obligations and is willing to sign HIPAA Business Associate Agreements (BAAs). The company has been issued an SSAE 16 Type II report and is Safe Harbor-certified.

Box has not received FIPS 140-2 certification.

Box hosts its service in its own data centers. If a global company wants to comply with regional laws for local data storage, Box may not be able to comply.

Comparison Summary

The table below summarizes these key differences.

                                                              Accellion                  Box
Cloud architecture                                            Private, Hybrid, Public    Public only
Native integration with SharePoint and other ECM platforms    Yes                        No
Secure editing of files                                       Yes                        No
Enterprise Integrations                                       Extensive                  Limited
Compliance with FIPS 140-2 and data-location regulations      Yes                        No

Conclusion

The evidence from market surveys is unmistakable. For file sharing, enterprises want to stay in control. They want a private cloud or a hybrid cloud file sharing solution, and they want that solution to work with all their files, including the vast quantity of files currently stored in ECM platforms such as SharePoint.

While Box offers more security features and data connectors than other public cloud services like Dropbox, it retains all the inherent risks and compromises of public cloud offerings. Enterprises choosing Box end up with less-than-complete control and security, while assuming the operational overhead and expense of duplicating files and undermining their strict ECM security policies. In areas such as DLP and LDAP, they face constrained choices.

The Accellion private cloud solution answers the enterprise need for mobile, scalable, flexible file sharing solutions that extend and reinforce enterprise security policies and controls.


About kiteworks by Accellion

Accellion’s kiteworks solution offers secure mobile file sharing that meets all the requirements listed above. With kiteworks, users can securely view, create, edit, and share enterprise content on popular smartphones and tablets while providing IT administrators with the controls they need to manage user privileges and access rights to ensure data security and regulatory compliance.

The kiteworks solution has a mobile-first interface that supports file sharing and collaboration on any device, as well as secure file servers and administration dashboards for storing and controlling authorized access to files. Optional integration modules extend the Accellion solution to interoperate with ECM systems such as Microsoft SharePoint and Documentum, as well as DLP systems such as those from Symantec and RSA. The solution also integrates with standard authentication and access control infrastructure such as LDAP servers and SAML-based single-sign-on solutions.

Accellion’s secure mobile file sharing solution supports two-factor authentication, application whitelisting, integration with ECM and DLP systems,

With kiteworks, IT teams benefit from application whitelisting, user access controls, geographical data segregation, centralized administrative control, and a three-tier architecture, all of which improve the security of the data being shared and stored. It enables mobile workers to safely share files, sync files, and collaborate, without risking the data leaks and security breaches common with consumer cloud solutions like Dropbox.

More than 2,000 enterprise organizations, including Procter & Gamble; Indiana University Health; Kaiser Permanente; Foley & Mansfield; Hogan Lovells; Bridgestone; Harvard University; Guinness World Records; US Securities and Exchange Commission; Jones Day; and NASA, use Accellion’s solutions for secure mobile file sharing.

For more information about Accellion, please visit www.accellion.com or call +1 650 485 4300.

 

 

About Accellion

Accellion, Inc. is an award-winning private company that provides mobile solutions to enterprise organizations that enable increased business productivity while ensuring security and compliance. As the leading provider of private cloud solutions for secure file sharing, Accellion offers enterprise organizations the scalability, flexibility, control and security to enable a mobile workforce with the tools they need to create, access and share information securely, wherever work takes them. More than 12 million users and 2,000 of the world’s leading corporations and government agencies including Procter & Gamble; Indiana University Health; Kaiser Permanente; Lovells; Bridgestone; Harvard University; Guinness World Records; US Securities and Exchange Commission; and NASA use Accellion solutions to increase business productivity, protect intellectual property, ensure compliance and reduce IT costs.

Email: [email protected] Phone: +1 650 485 4300 Accellion, Inc. 1804 Embarcadero Road Palo Alto, CA 94303

Related Resources

kiteworks - Security Overview

BYOD File Sharing – Go Private Cloud to Mitigate Data Risks

GigaOm Pro: The Rewards and Risks of Enterprise Mobility

ACC-WP-0414-BOX © Accellion Inc. All rights reserved

 For additional information: www.accellion.com/resources/whitepapers

