Dropbox Security Issues–IT has itself to Blame

So Dropbox, the file sharing, backup and sync service that has been setting the world on fire, seems to have had some serious problems of late. It seems a large number of users have received spam e-mails and, in response, Dropbox has brought in a SWAT team of security experts to see what is going on. For Dropbox to publicly admit that they were investigating the issue internally would seem to be a tacit admission that it is indeed an internal Dropbox issue rather than anything external.

This isn’t the first time that Dropbox has had a security glitch – outages and the like are sometimes unavoidable, but user information and data should be completely sacrosanct. In a follow-up, Dropbox did give an interim report saying that:

As of today, we’ve found no intrusions into our internal systems and no unauthorized activity in Dropbox accounts

I’ve been using Dropbox since its very early days and watching the company from very close quarters. I have to say that its rapid uptake isn’t surprising – from a functional perspective it’s an amazing product. I’ve almost forgotten what it was like in the days before Dropbox put an end to manually syncing files and the like. Its incredibly effective product has been the reason that Dropbox has bucked the usual reluctance of organizations to use lightweight consumer tools – some of the largest organizations in the world have Dropbox being used within them (though generally, it has to be said, without a mandate from corporate IT).

But amazing functionality doesn’t mean that the product is robust or secure, and the issues that Dropbox seems to be facing over time indicate a corporate culture that has, at least in part, stemmed from an immature approach towards building a product and building a company. It’s a subject I’ve opined on previously when it comes to Dropbox, and one which would appear to be shared by others. When discussing the Dropbox security glitch on Twitter, I had a very interesting reply:

We had to switch to Box the first time an employee walked away with a treasure trove of IP. I use Box for biz, Dropbox all else

This sort of comment is very damning. When a CIO makes comments that indicate a reluctance to put anything corporate on Dropbox, one has to listen. When that CIO is a big user of cloud apps in his personal life, and therefore not simply part of the “cloud is a risk” brigade, something important is going on. I received notes from a number of enterprise workers who all told me of receiving directives from corporate IT in the days after the Dropbox issue, either ordering or recommending that Dropbox use be discontinued. Many of these people were given suggestions by IT of alternative cloud services to use – this is not an example of IT vetoing cloud, it’s a case of IT making a decision about a vendor that it considers questionable.

Of course, as is always the case, some decided that this possible breach marks the death knell for the cloud. But we need to have some perspective here – there are plenty of cloud backup and sync products out there – ones that work on the public cloud (Syncplicity, Microsoft SkyDrive, SugarSync etc.) and some that enable “Dropbox-like” functionality on existing hardware (e.g. Oxygen Cloud). This is not a situation of needing to veto cloud altogether, it is yet another reminder that users need to do due diligence to ensure that a product is fit for purpose – and storage of sensitive enterprise documents has very different security requirements than storing holiday pictures.

Sadly Dropbox doesn’t seem to be getting this message, at least if the tone of some comments I received is indicative:


It’s also a reminder of the perils of “bottom up” adoption of technology within the enterprise. And a call for IT to be more proactive when dealing with business users. Business users overwhelmingly claim that they’re using these tools as a counter to corporate IT being so slow to respond to their needs. Most business users I speak to would love to have a product available that meets with IT approval – it’s not like they’re trying to introduce risks – but IT oftentimes continues to be a blocker of innovation.

Yes Dropbox has issues, and yes those issues would appear to be indicative of something broader – but that doesn’t call into question the entire concept of cloud. Having said that, corporate IT essentially caused the enterprise adoption of ill-fitting consumer tools by not meeting the needs of their users. Solve that conundrum, and problems like these recent ones would go away.


9 Comments
  • Not sure if by “meeting the needs of their users” you mean that IT should be building their own Dropbox competitor. That seems a questionable use of resources to me. If, on the other hand, you mean a) pressuring Dropbox to provide enterprise-safe functionality, or b) actively helping users use alternatives such as Box, then I completely agree.

    • Jeff – credible private alternatives already exist so (B) for sure

      • Do they really though? No doubt on paper they have the features to satisfy the C** , but in reality there are very few services (not products) that will be effective in eliminating employees walking off with important information.

        • Multiple encryption, remote wipe… yeah, there are solutions IMHO

          • No there aren’t. There are lots of “Dropbox-like” services that advertise encryption, but dig a bit deeper and you’ll find it is only encryption of the files in transit. Similarly, most allow data to be moved to any mobile device without restriction.

            A corporate dropbox requires:
            1. Data at rest encryption, with the key controlled by the data owner
            2. Data in transit encryption
            3. Strong authentication
            4. Controls over which end-devices can be used.
            5. End-device encryption
            6. Control over the sharing of data
            7. Remote data wipe.
            8. (For European companies) Adherence to data protection regulations
            9. SAS70/ISO standards certifying compliance with security controls

  • I, and my coworkers, have always used Dropbox as more of a leisure cloud app than business. We have never stored any important business or personal documents in our Dropbox accounts. Nothing to do with the company really, just our own personal reasons. But security issues like these do raise a flag.

  • Hi Ben,

    I see two issues here:

    1.) Sync files to the laptop of an employee who leaves the company, and they go with him – but how is this different from the same employee connecting a USB drive and doing the same?

    2.) A potential spam issue which at this point is just FUD.

    I still don’t see how or why Syncplicity, Microsoft SkyDrive, SugarSync etc. are any different or better than DropBox. How about a benefit/risk matrix?

    • Jon – fair comment. I guess my perception comes from having dealt with all of those companies and seeing the degree of seriousness with which they look at their businesses. There is no functional issue I can point to that increases risk, it’s a gut feeling based on spending time with all of these players and watching them develop over the past few years.

  • Pingback: The Official Rackspace Blog - Keeping Safe In The Cloud

  • Any corporate worries could be avoided by locking down profiles. It is shocking how often the basics aren’t covered!

  • Pingback: Dropbox Security Issues–IT has itself to Blame | WikiCloud

  • Pingback: Keeping Safe In The Cloud | WikiCloud
