January 21, 2013
It’s summertime down in my neck of the woods and that’s a good time to go out on a limb with a statement that might get people a little fired up. Bear with me on this one though… Over on GigaOm, Barb Darrow has a good write-up about the findings of a survey commissioned by Nasuni into the use of Dropbox within large enterprises. As she wrote:
One out of five of 1,300 business users surveyed said they use the consumer file-sync-and-share system with work documents… And, half of those Dropbox users do this even though they know it’s against the rules. The most blatant offenders are near the top of the corporate heap — VPs and directors are most likely to use Dropbox despite the documented risks and despite corporate edicts. C-level and other execs are the people who brought their personal iPads and iPhones into the office in the first place and demanded they be supported.
Now it has to be mentioned that this survey was sponsored by Nasuni, an enterprise storage vendor that has a vested interest in stirring the pot about shadow IT. Clearly companies providing a more “enterprise grade” service do well out of panicking all those overworked CIO types about rogue IT within their organization. But I wonder if it’s not worth taking a step back and looking at this from a pragmatic perspective.
First, why do people go around IT to use Dropbox? In the majority of cases these are good, solid, hardworking employees who don’t want to introduce risk to their organization but who do want to get stuff done. For whatever reason (inflexible legacy systems, stubborn IT departments, the need to be agile) they’ve decided that for a particular project they want to introduce Dropbox into their workflow to quickly and easily share some content.
Now clearly this might breach an IT policy here or there and potentially (but only potentially) may introduce a vector for data loss. But let’s look at the practicalities here – oftentimes the content being shared isn’t exactly ground-breaking. While I’m sure there are cases where the recipe for an amazing new miracle drug has been shared outside of the organization and gazillions of dollars in pharma revenue might have been risked (or not), the majority of examples that I’ve seen are much more mundane than this – maybe a marketing plan here, a draft report there or (heaven forbid) a guest list for the department’s client Christmas party.
In another part of my life, I’m a firefighter and have spent a bunch of time looking at risk assessment and reduction. In firefighting situations we use a simple matrix to determine whether a course of action should be taken or not – essentially we look at the potential outcomes from that course of action (on a continuum from minor to catastrophic). Along the other axis is the chance of that outcome occurring. A matrix might look like this:
If we apply this methodology to the “Dropbox in an enterprise setting” question, let’s see what we come up with. Of those 20% of organizations where Dropbox is being used, and across the 100 million users that Dropbox boasts of, how many people are really sharing critical business information as opposed to more mundane content? I’d wager that the vast majority falls into the “mind-numbingly boring to anyone outside of the org” category, and hence the severity of harm from a data breach could be seen as negligible.
On the other hand, we need to look at the likelihood of harm. While of course conceptually we can imagine an entire plethora of ways in which it could happen, the fact is those 100 million users are, for the most part, using Dropbox and suffering no data loss – so as a measure of the likelihood of harm occurring, data loss from Dropbox rates reasonably low.
So let’s plot both axes and see where there is a real issue. It seems to me that the situation of real concern is where highly critical organization data is being shared, and individuals have poor security practices (simple passwords, reusing passwords on multiple sites etc.). Outside of this situation, the severity and likelihood measures would indicate that, just maybe, we could relax about the use of Dropbox within the organization a little.
Now of course my infosec friends are paid to be eternally suspicious. These guys are (professionally at least) glass-half-empty types – their concerns are valid and they bring an important balance to the picture. But it’s just that: balance. At the same time we need to look long and hard at the benefits that “rogue IT” can bring and ask ourselves whether we shouldn’t in fact lighten up a little.
Of course all this would be solved by simply storing Dropbox content within a TrueCrypt folder – but my point still stands – shouldn’t we lighten up some?