Checking to see if you guys have a policy implemented on acceptable use and rules for using file sync software such as Dropbox, SugarSync, Google Drive, One Drive. Specifically:
Do you have a central, business owned account(s)? Or, are your staff using personally owned accounts?
Do you have rules around staff only use (i.e. not sharing folders with others outside of the organization), or are you using it more as a collaboration file access across staff, volunteers, vendors, etc?
Do you allow sync tools to be put on personal computers, or do you have only church owned computer installations?
If you have unknown access, or allow access to personal computers or shared folders outside of staff, how do you address concerns of viruses and malware being transferred through these specific technologies, directly into your organization?
I may come up with more questions, but this is a good start. We are looking at having more of a centralized, church owned solution, and are looking at what policies should go with this setup to protect the church network from external threats coming into the network (virtually undetected when considering the level of access these types of systems have the potential of opening up). We’ve used these systems for a while, but not centrally managed by IT. Just trying to close potential security holes, while utilizing technology for ministry purposes strategically.
We do have Office 365 accounts with 1TB of OneDrive storage per user
Unfortunately, staff do often use personal Google, Dropbox and whatever else, making data more vulnerable.
I really would like to enforce rules about cloud storage, since we really have all we need with OneDrive, and some group specific file storage on our ChMS, and a file server for local storage.
People put Google drive, Dropbox, and whatever else on their computers; I have no control over that.
I would expect that many churches struggle with this, especially with younger staff who have never worked for an organization where rules about data storage and other practices were the norm, and the staff just look for internet-based consumer tools.
The issue often less discussed is that critical information could be in the hands of one person, on their personal account, and if anything happens to them, that information is then not accessible.
I can answer a bit of this, but we haven’t fully explored all the idiosyncrasies with it.
Our “official” online storage for user documents is OneDrive. We also have some rogue Dropbox account floating around in the church’s name, that we’re trying to move away from, especially with OneDrive’s latest sync client.
Only our staff are given church network / email accounts, so that means they are the only ones who get OneDrive accounts as well. We don’t have anything specific about sharing folders or documents outside of the organization beyond our normal data integrity clauses that we’ve had for a while.
I don’t think we’ve ever even had anyone ask for that; however, with Office 365, each staff member can technically install Office at home, which we do allow, and Office does (once signed in with your O365 account) automatically link you back to your OneDrive for Business account and SharePoint sites. I’ve thought about this implication, but haven’t figured out a proper solution, and it hasn’t been a top priority for us.
Hopefully that helps. Tackling this stuff nowadays can be difficult, as access is no longer restricted to a church-owned device, and adding such restrictions ends up being limiting, preventing you from taking full advantage of modern infrastructure.
I honestly had a new staff member go over my head to my boss and ask why we don’t use a Private VPN to connect to our email server (we use Exchange Online). That was a fun discussion.
I’m afraid that this topic might become more and more of a concern with the increase of malware and ransomware. It’s one of the things that keeps me up at night, to be quite honest with you.
We have some instances of shadow technology at my church, and these things are hard to head off at the pass. Our children’s ministry needed a way to allow volunteers to create, edit, and share the files for the curriculum. They chose, with no input from the IT department, to use Box for the file sharing and collaboration. They can manage the product and allocate rights as you would expect from an enterprise solution, but they don’t have any rules that govern what volunteers can and cannot do with the service. They also don’t groom the user pool, so there are volunteers that have access to the files who no longer volunteer, or for that matter even attend. My solution there is to come up with a policy to regulate the use of the service, but the account is out of my control. I am not sure how I monitor or enforce my policy against a product I can’t monitor.
You share my concerns about the ramifications of having sync tools on personal computers. If a home asset, most likely not protected by a virus solution, gets the plague, that plague could propagate to your internal network. Hopefully the virus solution on your work assets would catch the infection before it could stick to that device, but you never know.
Something we have been trying to noodle over is the impact of iCloud synchronization. Apple’s new OS will take files on your computer and push them to the cloud based on some algorithm of utilization. I’m sure that you can turn that feature off, but it seems like a big security hole. I want my users to be able to use iCloud for things like iMessage and such, but I don’t want Apple making decisions about whether or not to move my benevolence request forms to the cloud.
The short of this long answer is this. I don’t have an answer, but there needs to be one. I think that you should balance the need of the users with the implications of security and keep it locked down as tightly as possible without being draconian. (Easy right!)
Another important thing to do is to educate your staff on security. A lot of folks have no idea how their actions can compromise your network. Giving them some broad view pointers can go a long way to helping them help you keep safe.
A key statement in your answer is “no input from IT”; the need to consult with IT is one of the hardest concepts to get across to church staff; I have a much easier time at the private school I also work for.
One area easily overlooked to assist with file sharing is that some ChMS allow file storage connected with a group, so that could solve the staff/volunteer curriculum-sharing need. Since the file is group related, removing the volunteer from the group when they no longer serve would also remove their access permissions.