So Box came out and announced Box Governance this week. For those of you thinking that Box is just one of the surfeit of file sharing providers on the planet, think again. Box has been steadfast in stating that they are providing content management and this week’s announcement is further proof of that.
Box Governance provides three important capabilities: 1) Retention Management; 2) Content Security Policies (really should have something about “sensitive information” in the name); 3) Defensible eDiscovery. While having these capabilities available is in and of itself a major step forward, it’s also important to note that organizations that choose to deploy Box can now claim compliance with a number of government and industry regulations and standards (e.g.: PII, FINRA, SOX, SEC 17a-4). However, the most important thing about this announcement, in my opinion, is that it serves to remove additional barriers to including Box in the conversation when talking about Enterprise Content Management vendors (pay attention Gartner, Forrester, IDC, et al). Coupled with Box’s Enterprise Key Management (my post on the topic) announcement earlier this year, organizations relying on FUD (Fear, Uncertainty, Doubt) to exclude Box from consideration are losing rationale for doing so. Security and information governance are what separates true managed content from just another shared drive, and Box has them. Bleat all you want about cloud not being secure and cloud content repositories being unmanaged messes, it’s not working anymore.
Since BoxWorks last September (my thoughts) Box has made a number of feature additions, announcements, integrations, and alliances that are moving it closer to being able to deliver the right balance of System of Record and System of Engagement. At this point it’s still a little ugly and cumbersome for administrators to configure the backend to deliver the various governance, workflow, and security bits to work properly, but that’s what the team at Box Consulting is paid to help with. Those paid to worry about security, legal, regulatory, and audit have less to worry about now than a few months ago. From a content consumer/contributor perspective it’s all pretty slick and that’s what it’s all about.
It’s no coincidence that a white paper I wrote for Digital Clarity Group was released yesterday. The paper is about the next generation of ECM (#ECMnext) and how Enterprise File Sync and Share (EFSS) platforms will provide it. We’d (Box, DCG, me) love to get your thoughts on the paper. Feel free to reach out to any of us (you can reach me via email at email@example.com as I am no longer with DCG) to rant or rave. There’s no data collection, fees, marketing gates or other intrusive nonsense to get the paper, so download The Next Generation of Enterprise Content Management to your heart’s content.
Regardless of what you’ve been hearing, Enterprise Content Management (ECM) is not dead. For years ECM has been harangued as being overly cumbersome, overly expensive, overly difficult, and underwhelming when it came to delivering benefits. That’s all about to change…
The manner in which ECM is delivered is going to change. Taking a cue from what consumers have come to expect in terms of the technology they use for personal reasons, a subset of Enterprise File Sync and Share (EFSS) vendors, led by Box, are emerging as purveyors of ECMnext – the next generation of Enterprise Content Management platforms. The focus is on how and why people create, consume, and share content, supported by a foundation that provides the security and governance required in today’s digital business environment.
This whitepaper explores the shortcomings of legacy ECM platforms, and how ECMnext vendors can step up and deliver what we’ve wanted out of ECM all along. While there’s still a ways to go for ECMnext platforms to be able to completely replace legacy ECM platforms, the basic building blocks are in place and the roadmaps are pointing in the right direction.
You can download the whitepaper directly from here.
If you need a little more evidence that ECM is changing, take a look at Box’s announcement about their governance functionality: Introducing Box Governance – Delivering Control and Compliance in the Cloud.
This is the second case study type thing I’m trying. It’ll likely be the last for a while as I have nothing left that I can publish without getting sued. Ah, the joys of being an independent consultant. Anyways …
This case study has to do with the project referenced in the two posts linked below. You may want to read them to get a better overall view of the project:
The document I’m sharing is part of a set of four docs that were delivered to the client. The purpose of each document is explained in the case study document.
The client in the case study builds electricity infrastructure; they are heavily regulated. They took the decision a while back to use SharePoint as their ECM pillar (though they don’t really know what ECM is). They also don’t have an Information Management strategy, nor any type of dedicated information governance structure. Though they rely heavily on information, and generate tons of intellectual property, they don’t do much about treating information as an asset. As far as they are concerned, information is IT’s problem and the business is just a client.
I was working as a subcontractor with ARC Business Solutions on this project. One of the key contributors to the project and the document was Chris Riley. You can follow Chris on Twitter at https://twitter.com/HoardingInfo. We knew early on in the project that the client was in ECM trouble and needed help. Though not part of the project mandate we wrote the docs up anyway (No. We didn’t bill the client extra.).
Without further ado … click the link and check it out: Managing Information at client name.
Feedback is appreciated.
The image in this post is my first attempt at visually representing the Principles of Holistic Information Governance. Click on it for the original PHIGs post and a larger version of the image.
Chris Riley, along with Shadrach White, is a co-author of Enterprise Content Management with Microsoft SharePoint.
Earlier this year I completed an assessment of Alfresco for a university client. The university licensed Alfresco several years ago and did not have much success. They hired me to find out why, and what to do about it. The options they wanted to look at were to continue on with Alfresco or switch to SharePoint. An option they weren’t willing to consider was a cloud based option. I gave them one anyways, based on Box. Unfortunately I was asked to remove that option from the final report. Oh well.
While the platform in question was Alfresco, I can’t stress enough that the failure had nothing to do with the platform. Under the circumstances nothing would have succeeded. You can read a bit about it in an earlier post here.
I’m trying something a little different; because of my altruistic nature I am making the final report available as a downloadable PDF. I figure there’s stuff in it that many could use, and perhaps critique that would be helpful.
I want to thank Laurence Hart for his contribution to the report and the overall project. Thanks, Laurence. You can follow Laurence on twitter at https://twitter.com/piewords and check out his blog at http://wordofpie.com/.
Anyways, just follow the link and you ought to get to the report (no fees, no signup, no tracking). Feel free to provide feedback.
University ECM Assessment – I’m using Box to share this content. Please let me know if you have any issues.
Image: “Paris Tuileries Garden Facepalm statue” by Alex E. Proimos – http://www.flickr.com/photos/proimos/4199675334/. Licensed under CC BY 2.0 via Wikimedia Commons
Last month Box announced their Enterprise Key Management thing. Today they announced their acquisition of Subspace, and are part of ACE (really important app standard). I sometimes marvel at the progress that the industry that pays my bills is making, and then this kind of shit shows up in my mailbox (the Canada Post version, not the Outlook one) …
In case you were wondering, mobile access is not supported and it’s recommended that you use IE or Safari.
On February 10, 2015 Box announced the beta release of Enterprise Key Management (EKM). Put simply, EKM addresses cloud security concerns by giving customers control over the encryption keys used to access content stored on Box. It’s add-on functionality, at an additional cost, that’s going to remove one of the barriers to cloud adoption. This is a very, very good thing.
For those customers that have been dithering about whether or not to move content to the cloud because of security concerns, EKM ought to alleviate those concerns. Of course, those customers will have to be willing to commit to Amazon Web Services (AWS) if they want to avail themselves of EKM. However, it’s a beta folks and I’d bet that Box is actively working on other options.
With this announcement there’s a bunch of organizations that, all of a sudden, have no excuses left. That’s not to say that organizations should put everything into the cloud; they shouldn’t. There’s tons of content that organizations deal with on a day-to-day basis that makes absolutely no sense to move to Box. Take a look at transactional data that’s generated by utilities, communications providers, and financial companies; there’s nothing to be gained, yet, by moving all those transactions into Box. However, those same organizations, along with most others, deal with tons of content that is perfectly suitable due to its purpose in business processes. Think about loan/mortgage applications, cell phone contracts, and applications for utility services; all of these could easily be moved to the cloud. And now (well, when EKM gets to general release) it can be done with just that little bit extra assurance of security. Which brings me to another point, which I’ve made before …
Organizations are going to have a mixed bag of content repositories for the foreseeable future. Once EKM goes to general availability I’d love to have a bar chat about which is more secure; Box, on-premises, or the hosted private data centre. Based on what I know about some orgs I’ve worked with, I’d rather they put their content in Box, with or without EKM. I digress …
My point is that hybrid is a reality and that everyone involved in managing content (vendors, customers, regulators, legislators) is going to have to figure out how best to deal with access, security, collaboration, and everything else that goes into managing content as an asset. Part of that is understanding that not all content is created equal and can be treated the same. For me the end game has to be putting the users at the center and not forcing them into Cirque du Soleil-like contortions to gain access to the content they need to execute the task at hand. If Box’s track record is anything to go by, I’m optimistic that they haven’t lost sight of ease of use with the EKM beta.
The title of Aaron Levie’s (Box CEO) post announcing EKM is Breaking the Last Barrier to Cloud Adoption with Box Enterprise Key Management (and I thought I liked long titles). Uhm, no. Hell, EKM won’t even break down the last legitimate barrier. There is still a lot of Fear, Uncertainty, and Doubt (FUD) to overcome in getting organizations to move to the cloud (not a legitimate barrier). Organizations worry about data sovereignty, sometimes legitimately. Some contexts just don’t lend themselves to a smooth cloud experience (from twitter this am, via Laurence Hart “Some agencies require govt clearance to have access to encryption keys and/or be US citizen. Box can’t do that for workforce” – he’s not wrong. Laurence expands on the quote in this post.).
If I were Box I’d handle the above like this:
- FUD – time, tide, and attrition are your friend – patience, Grasshopper.
- Legitimate data sovereignty issues – influence and wait for legislation; partner up to build/lease/coopt some friggin’ data centres.
- Illegitimate data sovereignty issues – see FUD
- The point that Laurence brought up – don’t sweat it. You can’t play there now anyways.
Box’s announcement about Enterprise Key Management is significant, and it’s a really good thing. However, it’s not the last hurdle and I’d bet money they know that. But it does take away one excuse that ditherers and FUDders have been hanging on to.
And for those of you who are about to bring up AWS outages – IT’S A BETA!!!
When Gartner came out with their Magic Quadrant for Enterprise File Sync and Share (EFSS) back in July 2014 I laughed a little because I find the idea of an EFSS market, well, laughable. Yes, I know they put in a whole bunch of stuff about what could or should be part of the market, but boiled down it seemed to me that EFSS per Gartner is little more than the old Microsoft Briefcase. I.e.: a feature of a larger solution. Let’s face it; EFSS is little more than email and consumer grade cloud storage. One of the names that’s been bandied about to replace EFSS is ECC – Enterprise Content Collaboration. I don’t like it very much, either.
If I were Box, EMC, Alfresco and most of the other vendors on the MQ I’d be more than a little irked. Most of the vendors have invested heavily, organically or via acquisitions (sometimes both), to come up with some pretty cool and innovative solutions (not products) that allow people on both sides of the firewall to work together. These solutions allow organizations to impose various levels of automation, governance, and security to critical content. Being categorized as a File Sync and Share provider is frankly insulting. I find it insulting to the vendors as well as the customers.
Some of the vendors have been more successful than others, but I don’t think it’s germane at this point to come up with a list of winners and losers as the market (whatever its true name ought to be) is still fairly nascent. At most we’ll be able to make some guesses as to who will survive intact for the next few years and who won’t. Depending on the original exit strategy, being acquired is a perfectly valid form of survival. Will success of the wrongly-labelled EFSS players be measured against the same metrics that are currently being used for the incumbent (some would say legacy) Enterprise Content Management (ECM) players? Why would I even bring this up?
The Gartner Magic Quadrant for Enterprise File Synchronization and Sharing is available from Gartner as well as from some of the mentioned vendors including Syncplicity, Box, Alfresco, and Citrix.
Note: For what it’s worth OpenText should have been included in the MQ, based on Tempo Box, which I used when I was working there. As for what’s coming up from OpenText, I’m looking forward to seeing what OpenText Core is all about.
If you look at the MQ, some of the players are ECM incumbents (Microsoft, IBM, EMC, Alfresco), which is another reason why I find the EFSS market and associated MQ a bit of a giggle. In all but a few scenarios the ECM incumbents are competing not only against the new entrants and upstarts, but they are competing against themselves. For all practical purposes, some of the new players can provide solutions every bit as capable of meeting functional requirements as the incumbents, but with much better experiences. Sure, they’ll have to collaborate and form alliances with other vendors, but how is that really any different than what’s going on today? Where ECM currently has an advantage over the new players is in ultra-regulated environments for certain business processes. That, however, will change as the tools improve, as legislation changes, and as purchasing organizations see the FUD (Fear / Uncertainty / Doubt) for what it really is.
I recently completed an ECM assessment for a Canadian university; they asked me to assess why Alfresco wasn’t as successful as they’d anticipated (it wasn’t Alfresco’s fault – please read You Are the Problem for some details). They asked that I recommend that they either press on with Alfresco or dump it and go with SharePoint. When I brought up the option of using a cloud solution they were adamant that this was something they did not want to do. The reason they gave was based entirely on FUD, lack of understanding of current day realities, and lack of understanding of what their users (internal and external) want and need. So I included an appendix putting forward a solution based on one of the MQ’s upper right vendors. That vendor is perfectly capable of meeting the university’s requirements on all fronts.
As a consultant it’s my job to not only deliver what my clients pay me to deliver, it’s also my job to educate them and to present alternatives that they may not necessarily be thinking about. In the case of the university, a cloud based solution based on a platform provided by one of the vendors in the MQ is perfectly viable, despite my client’s prejudices.
When it comes to Box and others in the (to be renamed) EFSS market, we’re not far from the point where they can punt the incumbent ECM vendors to the curb. They’ve got some solid foundations in place and a pretty decent roadmap for the future. How the various players build on their foundations is going to depend on what they see as their core strengths and where they see the most potential. Box is taking a platform approach, Dropbox is pinning its future on Microsoft, and Huddle is focussed on collaboration. The others all have game plans that include features and functions and deployment options. I’m fairly certain that all the players are going to find their fit, but it’s not going to be EFSS. EFSS is purely table stakes, as others have said. I think we’re going to see fragmentation in the market sooner rather than later. I think we’re going to see more and more occasions where someone does what I did and puts one of the (for now) EFSS players up as an alternative to ECM incumbents. What I’m really looking forward to seeing is when/if the ECM incumbents actually change their game, not just add features, to keep up with the times. I suspect it’ll happen later rather than sooner.
A lot of people and companies, me included, have been going on about Information Governance (IG) for a while now. In a previous post I wrote about ECM not living up to its promises and being supplanted by Information Governance. What does this have to do with the space that isn’t EFSS? I’m glad you asked …
I attended BoxWorks in September 2014 (my thoughts, if you’re interested) and I’ve also been pretty interested in the whole not-EFSS space for a while; I’ve concluded that Box and some others are going to supplant the legacy ECM vendors even as ECM transitions to being a collection of functions required to deliver IG. Between the vendors that provide the core platform and 3rd parties that provide additional functionality, I’m fairly certain that most of what’s defined as IG activities and technologies could be provided. Take a look at the two graphics below; the first represents the facets of IG and the 2nd represents the various technologies that make up IG.
Think about the various players in the un-EFSS market. How many of the facets (activities) in the above graphic could be handled by those players or their partners? Don’t worry about whether or not you agree or don’t that all the facets belong under IG; choose the ones that matter to your organization.
Of the technology categories in the above graphic, how many could warrant inclusion, to at least some degree, of not-EFSS players and their 3rd party partners?
The two graphics above were produced by the Information Governance Initiative, in their inaugural Annual Report. Their inclusion here does not mean that I necessarily agree with what’s in the graphics or in the report, though I do recommend reading it (get it here, free subscription required).
There are going to be some EFSS vendors (e.g.: https://www.sync.com/ – not included in the Gartner MQ) that are going to be pure play EFSS vendors, and that’s cool for them and customers that want that level of functionality. However, for most of those mentioned in the MQ the EFSS part of what they do is truly table stakes, to borrow a phrase. If I take a look at Box, Alfresco, Microsoft, EMC, OpenText (I am including them even though Gartner forgot to), etc., what they’re really providing is part infrastructure and part platform. Labelling them as EFSS makes about as much sense as calling SAP accounting software and lumping them in with Quicken.
It’s the infrastructure and platform pieces that set Box, Alfresco, Microsoft, EMC, OpenText, et al apart from the true EFSS players. With the pure EFSS players what you get is what you get, that’s it. With the EFSS+ players (I just made that up) what you get is foundational. What you do with that foundation is up to you and the potential will increase as the players mature. As much as organizations have built their information governance and management strategies around legacy ECM platforms, they’ll be able to do the same with EFSS+ platforms.
In this podcast Connie Moore and I discuss the EFSS market, as well as ECM. Brought to you by Digital Clarity Group. http://www.digitalclaritygroup.com/dcg-podcasts-efss/
I originally posted this back in November 2011. A lot has changed since then, but there’s also a lot that hasn’t. One of the biggest things that’s changed is that Enterprise File Sync and Share (EFSS) has gained a ton of legitimacy over the last little while.
I’m reposting this for a couple of reasons: 1) There’s much in the post that is still relevant; 2) I’ll be posting something in early January that’s related and want to use this post as a kind of introduction.
I debated whether or not I should edit the original post but decided against it. I’ve simply added some comments where I felt they were necessary to clarify things, likely as much for me as for you.
I’m not an expert on cloud computing, I’m just some guy that likes to be able to access the content I need to do my work, from wherever I happen to be, using whatever device I feel like using at the moment. Take this post, for example; it was written on a laptop and a tablet, in a dining room and a swimming pool (not really in the pool since my tablet isn’t waterproof though that would be mega-cool).
I agree with Billy Cripe’s thoughts that Agile can (ought to) be applied in the development of cloud based ECM solutions. However, as Billy correctly states, “Managing content is not the goal of most businesses.” Most businesses exist to make money by providing products and/or services that consumers want. Businesses rely on information in order to get their stuff done, whatever their stuff is. In order to fully exploit information, the tools (i.e.: information stores) that the businesses rely on need to be connected to each other (so do the people – the tools need to facilitate this). Content / information management tools (cloud or not) need to be part of bigger picture business solutions. We need to build solutions that deliver “I need to share this” in the context of why it needs to be shared (answer why you need to share and you’ll likely figure out who and what).
Re-reading this now it seems as if the above is meant to imply that the topic is legacy ECM systems. That may have been true originally, but it’s not now. I’m really looking at this in terms of anywhere that content can be stored.
No sane person can argue the value and validity of the cloud. Except me. I’m not daft enough to think that cloud computing doesn’t have value or is not a valid approach to take. However, I do think that we’re not going to realize the full potential of the cloud (and by extension, content) if we simply limit its scope to content management. Yeah, I know that there are other things that are done in the cloud, such as CRM, payroll, and accounting.
We’ve gotten to the point where there really is no need to keep much on premises anymore.
When I refer to “cloud” I am referring to more than just the data centre, if that’s not obvious.
Content Wherever I Am
One of the cool things about content in the cloud is that my content is wherever I am. (Okay, so it’s not really my content, it’s my organization’s content.) That’s not the point, though. The point is that I can work with content wherever I happen to be, using whatever device I choose. This does assume that the chosen content repository is able to be synched appropriately. Wouldn’t it be cool, though, that if in addition to being able to work with the content and share it with collaborators (the work variety, not the WWII Nazi variety) the content could also be appropriately tagged, filed, and placed under retention at the point that I plunk it into the repository? I.e.: Cloud repositories need to become extensions of ECM and ERM systems, probably through federation.
So the whole thing about federation is a little off. This really should be thought of as centralized policy administration and enforcement.
Correctly Connecting Corporate Content
Content is spread throughout an organization; cloudification just increases the spread. When I say content, I mean anything that is stored on digital media that serves any legitimate business activity. (For obvious reasons I am excluding physical content.) A key to widespread cloud acceptance is to be able to access / leverage content in order to execute a business activity, regardless of where the various pieces of content reside. An agent in a social services organization should not have to know or care that a citizen’s information is spread over a number of repositories that could be on-premises, in a private cloud, and in a public cloud. The agent is there to service the needs of the citizen, not to figure out some (likely) convoluted architecture just to try and find stuff.
CMIS is a step in the right direction, but where CMIS falls short is that it doesn’t address non-CMS (think ECM) repositories. What we need is something that allows connecting everything that we need, when we need it. Device and location should not be factors. In fact, the only thing that a user should worry about is whether or not they have the right content to do the job. Governance, classification, and security ought to be just taken care of.
If the scope opens up to include non-ECM tools, how much of a factor is CMIS? Look at what’s happening in the broader EFSS space with open standards and open APIs.
Speaking of Governance…
Until the governance issues get sorted, I doubt very much that we’ll see widespread adoption of public cloud services. Smaller organizations, organizations with lax regulatory / privacy regulations, and organizations that can bully providers into rock-solid SLAs may be able to go full public cloud, but I doubt they will. I think the reality is that organizations will end up having hybrid environments of cloud and on-premises.
When I say governance I am not only referring to the poo that legislators, regulators and litigators throw in our way. Governance needs to address issues such as:
- what can / should be stored in the cloud
- service level agreements
- disaster recovery / business continuity
- classification / categorization
- retention & disposition (thanks to @JamesLappin & @AlanPelzSharpe for bringing this up)
Governance of cloud content has to deal with all of the things that we need to deal with for on-premises stored content, with the added complication that we also have to deal with where the damn box is and if some foreign government can get at it whenever they bloody well feel like it. Canada’s Anti-terrorism Act and the United States’ PATRIOT Act are not going to be very helpful in encouraging organizations to move to the cloud in a big way.
With so many employees using consumer devices and consumer services it’s better to accept the potential peek from the government than it is to continue to deny things and have content out in the wild.
- Hybrid (cloud / on-premises) will be in the majority
- Governance (internally & externally imposed) has to be figured out
- Integration / interoperability are critical
- Privacy concerns and government snooping are major inhibitors (@ron_miller wrote a pretty good piece about this)
- If we’re not careful we’ll just move the mess from our hard drives to someone else’s
- Some Systems of Record will end up in the cloud, if they’re not already there
- Services are where it’s at
I couldn’t decide which song I wanted to use for this post, so you’re getting three:
A couple definitions for those that think it should be “on-premise”
I finished reading this article from CMS Wire (I don’t mean I actually read the whole article) and it got me thinking …
Between that article, others I’ve read, and some of the projects I’ve been working on this year, this whole ECM thing is a total crock. The vendors, the consultants, the analysts, and the professional bodies are conspiring against the customers and themselves to prevent success (what defines success on a quarter by quarter basis beggars belief).
“We just bought an ECM and we’re not sure what to do with it.” is something one of my clients said to me earlier this year. Actually, a variant of that statement is something I’ve been hearing ever since I got involved with ECM. So clients don’t really know what they’re doing. Right? Sort of.
Clients have been listening to those of us who make our livings by “doing ECM” for far too long. Vendors sell licenses and get compensated on how things went over a fiscal quarter, plus the annual support and maintenance fees. The fact that less than half of the licenses purchased have actually been deployed means bugger all. Consultants (I’m one, BTW) come in and develop all sorts of strategies to help manage or govern information (they’re not the same thing) without any stake in what goes on after the engagement is over. Analysts, many of whom are paid by vendors and service providers, come up with all sorts of nifty schemes for scoring offerings and invent new sectors. Professional associations put on marvelous conferences where you get to listen to prognostications from vendors, consultants, and analysts that further … the agendas of vendors, consultants, analysts, and professional associations.
I don’t for a minute mean to imply that there is any malice intended in any of this; there likely isn’t. The problem is that we’re in a vicious cycle that we created. We’re all afraid to step back and admit that we ballsed it up, big time. ECM was a good idea at the time. Times have changed, sunshine. ECM is dead (assumes that it was actually alive in the first place) and has been replaced by Information Governance (IG) (which is not a synonym for records management, as a certain professional organization would have you believe). The promise of IG is … I don’t know what the promise is; there’s a bunch of marketing departments out there that will let you know. As far as I can tell IG is ECM with some Big Data, ediscovery, and analytics stuff thrown in (yeah, I’m simplifying); as my dad used to say, “Same shit, different day.”
Despite the changes over the last few years, the stuff I want to see is still the exception; getting value out of information and solving business problems. In a recent client engagement the client told me that they wanted to move HR documents into SharePoint. Why? Because, SP is our ECM pillar. What’ll you do with the docs once they’re in SP? What do you mean?
The above snippet is an example of ECM gone wrong. Move your stuff into a managed repository as a replacement for shared drives. Holy Crap!!! The vendors dig this stuff. The consultants love figuring out a migration strategy. The analysts love another data point. The professional associations love another case study. The client loves … well they love nothing because they’re not getting any real value other than ticking a checkbox.
Who the hell manages information for the sake of managing information? Don’t you want something that leverages information to create value? What if someone just said that there’s a bunch of stuff they need to do that relies on information and that they need to secure that information? What if they could do that without running out and financing some account exec’s BMW or Caribbean vacation?
I’m not suggesting that organizations not buy ECM-related software and services. I’m just suggesting that before they do they actually figure out what the end game is and what they’re missing to achieve it. The longer I stay in this game the more I’m certain that achieving ECM-ness is really a matter of processes and will, rather than spending tons on software licenses.
If an organization doesn’t have the processes and will to get their information under control and leverage it, spending butt-loads on software will get them nowhere. If they do have the processes and will, they’ll be able to make stuff happen without the big spend (they’ll likely have to spend some coin, but not what you’d think – integration is wonderful).
Which brings me to …
Cloud. Oh yes! Cloud services are here to stay and we need to figure out how to make them work within all the rules and constraints that apply to us. Jamming our fingers in our ears and ignoring things is not going to work. Going forward, cloud services and mobile devices are part of the mix. We better dump the outdated ECM model and wise up to the fact that the model has changed (for the better, IMO). Cloud services and consumer devices are going to be the norm, but they are not going to be the only thing. There will, for the foreseeable future, also be on-premises components. The key is going to be to stop thinking about the enterprise. Really, it is. Any organization is an agglomeration of businesses, each with their own needs in terms of information, governance, processes, tools, etc. Why then go for an enterprise play? Solve stuff one business at a time, one opportunity at a time. Connect the dots as you move along.
Industry research has shown over and over that organizations run multiple content repositories from multiple vendors. They run them for different purposes driven by different factors. What makes any vendor, cloud or otherwise, think that this is going to change? I actually think the vendors secretly agree, but it makes for crappy marketing to say it out loud.
Organizations are hybrids of various businesses. Why can’t this industry understand, then, that managing content requires a hybrid approach? I don’t think this is going to change anytime soon.
Claims processing, mortgage approvals, patient diagnoses, learning material production, repair manuals, safety procedures, employee onboarding … tell me how to make these things better, cheaper, easier, and more efficient, without compromising confidentiality and privacy. Tell me how I can execute these things wherever I or my colleagues happen to be. Tell me how your stuff is gonna work with stuff I already have to make this happen. Don’t tell me that I need to buy 3,000 seats of something and you’ll build me something.
Bottom line … make the customer the center of your universe. Focus on what the customer sees as value. The proportion of organizations that operate purely on fear and risk is pretty small compared to organizations that need to focus on value. Focus on selling me something and I won’t sign anything until the last day of the fiscal quarter; I used to work for a couple of vendors, I know how the game works.
Here’s a couple things you ought to read:
- Joe Shepley wrote this piece in late November; heed his words and you will actually accomplish something.
- Chris Riley wrote this earlier this week; he’s as fed up as I am. Maybe a little more.
To wrap things up:
- ECM isn’t
- Policies, people, and procedure are way more important than tools
- Offence (value) before defence (risk)
- Cloud and on-premises are like wine and cheese; better together but don’t always smell so good and sometimes give you a headache
- Information is like wine; better when shared. But share according to who’s got a palate refined enough to appreciate it.
You’re out of your mind if you think blocking access to file sharing services is filling a security gap. You’re out of your mind if you think making people jump through hoops like Citrix and VPNs to get at content is secure. You’re out of your mind if you think putting stuff in the cloud is dangerous.
When I mentioned to a client of mine that some of their users were using consumer file sharing services there were noddings of heads, murmurs of assent, and an “OMG how does he know?” Less than five hours after I mentioned it in a meeting, an exec from one of the stakeholder groups got a call from security stating that her team was violating policy by using Dropbox. This client had deployed an Enterprise Content Management platform. One of the key drivers for the platform is sharing of content among collaborators. One of the key inhibitors is Citrix. So, what do the users do? They email documents to each other. They store stuff on local drives. They get laptops with intellectual property and personal information stolen, and can’t wipe the laptops or recover the content. They use cloud services to store sensitive information. And security struts around proudly thinking they’ve done something. They have; they’ve created a security hole bigger than the one they tried to plug. Hell, even the frickin’ President was storing company confidential documents in his personal Dropbox account.
So I mention to the client that they may want to use an Enterprise File Syncing and Sharing (EFSS – I really don’t like this term) service like, I dunno, BOX! (Yeah, I like Box. So what?) Their Director of IT Infrastructure tells me that the execs are scared of any service that stores data in the U.S. because of the PATRIOT Act. Really? Do they not know that Canada has an equally odious piece of legislation? Do they not realize that if the U.S. government wants to get at stuff in Canadian data centres they will? And dig this … Box is working on something that would let the customer (that’s you, btw) maintain control of, and access to, encryption keys. No more sneak attacks by those pesky gubbmint people. Hey, they can still come to you and ask, but at least you’ll know, no? Can you imagine!?!
Every time I have these types of conversations with people I usually end up wanting to lay a choke hold on someone. Whether it’s for spreading FUD (Fear, Uncertainty, Doubt) or for believing it … I’m not sure which irritates me more.
Blocking access to file sharing services doesn’t work. People will find other ways to connect (e.g.: phones make great wi-fi access points) or email documents around. Instead of blocking access to consumer services, IT and security ought to: 1) find out why staff are using the services in the first place; 2) identify and provision SECURE enterprise-grade services; 3) develop appropriate policies for using EFSS services, including remedial action for violating the policies. If staff are using consumer services to share business content it’s a pretty safe bet something is wrong with the corporately provided tools. Fix them.
Part of the fix may actually be to provision EFSS to staff. Think about it before you have a freakin’ hissy fit. EFSS providers make money by providing a secure way for people to share content and collaborate. How do you make money? What’s your core strength? Hell, you can’t even stop your staff from sharing content unsecurely (is that even a word?).