Sure Dropbox is Potentially Insecure, but Does it Matter?

It’s summertime down in my neck of the woods and that’s a good time to go out on a limb with a statement that might get people a little fired up. Bear with me on this one though… Over on GigaOm Barb Darrow has a good write up about the findings of a survey commissioned by Nasuni into the use of Dropbox within large enterprises. As she wrote:

One out of five of 1,300 business users surveyed said they use the consumer file-sync-and-share system with work documents… And, half of those Dropbox users do this even though they know it’s against the rules. The most blatant offenders are near the top of the corporate heap — VPs and directors are most likely to use Dropbox despite the documented risks and despite corporate edicts. C-level and other execs are the people who brought their personal iPads and iPhones into the office in the first place and demanded they be supported.

[Figure: survey title slide]

[Figure: Dropbox usage by department]

Now it has to be mentioned that this survey was sponsored by Nasuni, an enterprise storage vendor that has a vested interest in stirring the pot about shadow IT. Clearly companies providing a more “enterprise grade” service do well out of panicking all those overworked CIO types about rogue IT within their organization. But I wonder if it’s not worth taking a step back and looking at this from a pragmatic perspective.

First, why do people go around IT to use Dropbox? In the majority of cases these are good, solid, hardworking employees that don’t want to introduce risk to their organization but that do want to get stuff done. For whatever reason (inflexible legacy systems, stubborn IT departments, need to be agile) they’ve decided that for a particular project, they want to introduce Dropbox into their workflow to quickly and easily share some content.

Now clearly this might breach an IT policy here or there and potentially (but only potentially) may introduce a vector for data loss. But let’s look at the practicalities here. Oftentimes the content being shared isn’t exactly ground breaking. While I’m sure there are cases where the recipe for an amazing new miracle drug has been shared outside of the organization and gazillions of dollars in pharma revenue might have been risked (or not), the majority of examples that I’ve seen are much more mundane than this: maybe a marketing plan here, a draft report there or (heaven forbid) a guest list to the department’s client Christmas party.

In another part of my life, I’m a firefighter and have spent a bunch of time looking at risk assessment and reduction. In firefighting situations we use a simple matrix to determine whether a course of action should be taken or not. Essentially we look at the potential outcomes from that course of action (on a continuum from minor to catastrophic). Along the other axis is the chance of that outcome occurring. A matrix might look like this:

[Figure: risk matrix, severity of outcome against likelihood of occurrence]

If we apply this methodology to Dropbox in an enterprise setting, let’s see what we come up with. Of those 20% of organizations where Dropbox is being used, and across the 100 million users that Dropbox boasts of, how many people are really sharing critical business information as opposed to more mundane content? I’d wager that the vast majority falls into the “mind numbingly boring to anyone outside of the org” category and hence the severity of harm from a data breach could be seen as negligible.

On the other hand, we need to look at the likelihood of harm. While of course conceptually we can imagine an entire plethora of ways in which it could happen, the fact is those 100 million users are, for the most part, using Dropbox and suffering no data loss. As a measure of the likelihood of harm occurring then, data loss from Dropbox is reasonably low.

So let’s plot that axis and see where there is a real issue. It seems to me that the situation of real concern is where highly critical organization data is being shared, and individuals have poor security practices (simple passwords, using passwords on multiple sites etc). Outside of this situation, the severity and likelihood measures would indicate that, just maybe, we could relax about the use of Dropbox within the organization a little.

Now of course my infosec friends are paid to be eternally suspicious. These guys are (professionally at least) glass half empty; their concerns are valid and they bring an important balance to the picture. But it’s just that, balance. At the same time we need to look long and hard at the benefits that “rogue IT” can bring and ask ourselves whether we shouldn’t in fact lighten up a little.

Of course all this would be solved by simply storing Dropbox content within a TrueCrypt folder, but my point still stands: shouldn’t we lighten up some?

3 Comments
  • Pingback: Why Your Company Wont Adopt Social Business Technology | BloomThink

  • I think the issue here is that Dropbox security is “good enough” but what is Cloud Storage could be GREAT. Would you put more data out in the cloud? I would. There is that old Jim Belushi movie (I am about to show my age) “Taking care of Business” where Charles Grodin loses his organizer (which contains every detail of his life) and Belushi makes his life miserable.
    I am not putting any Personal Identifiable Information (PII) into the cloud in case I lose my phone or laptop.
    Once I know that it is REALLY secure, I will put EVERYTHING up there, my passport, my drivers license, my credit cards, gym membership, medical cards etc.

  • I have been using Dropbox for my personal and business use for some time now and I have found it a secure and reliable cloud storage solution. I understand that the organizational policies are a bit concerned over the misuse of information and intellectual property theft, and it can be eliminated by the introduction of a secure document management solution in a firm which integrates with Dropbox, so employees can access files and documents without being concerned about the security. For example, I use the GroupDocs document management solution as it seamlessly integrates with Dropbox and makes working with documents extremely easy. You can also check out the benefits of this new integration from the following blog:

    http://groupdocs.com/blog/groupdocs-document-management/archive/2012/08/15/announcing-dropbox-integration-with-groupdocs-apps-suite.html

  • Protect your sensitive files on your computer and cloud (dropbox etc) with Securasi. Easy and 100% secure and private. Control in user’s hands.