Broken Trust Part 2: Applying the Approach to Dropbox

Monday, October 03, 2011

Enno Rey

0f57a863af3b7e5bf59a94319a408ff7

After having introduced the basic elements of our concept of trust, control and confidence in this post, today I’ll try to strengthen your (and maybe even my own as well) understanding of these ideas by applying them to another candidate, that is Dropbox.

Hence this post is mainly about performing a certain analysis method to some object; conclusions as for the question if Dropbox is suited to be used in enterprise environments processing sensitive data are out of scope and are left entirely to you, the valued reader.

Two more preliminary remarks might be helpful to further understand the direction and intent of this post:

a) I don’t have any practical experience with Dropbox. I don’t use it personally and at ERNW using it for company-related data would require a risk acceptance, which – probably not too surprisingly – no company member has ever filed (and which would have a quite high likelihood of being turned down by the CEO anyway). In other words: I can’t imagine any occasion we’d use cloud based storage services for any of our data. It’s just that – given our idea of “highly skilled, thoughtful and responsible humans working here” – we don’t use terms like “xy is strictly forbidden” very often…

So feel free to jump in by PM or comment to this post if this stated lack of practical experience has lead to wrong conclusions or factual errors.

b) This post is not about blocking Dropbox in corporate networks by technical means (which – afaik – is relatively easy compared to, say, blocking Skype, as DB seems to operate mainly from a well-defined /24 network range). Doing so (technically blocking DB on corp firewalls) would not solve the underlying problem of potentially misplaced trust (or ignorance) and might just lead to yet-another-risk-acceptance popping up on the ISOs’ desks (I know, I know:  some of you would be happy if at least a risk acceptance existed for DB within your organization…). And, of course, the corp_fw way would not address the aggregate problem of running Dropbox on mobile devices (at least assumed that no cloud based proxy services are in use for those, which is currently the case in most networks I know).

However this post is about asking a certain set of questions and clarifying some company’s or service’s attributes to induce a reasonable discussion about the exact company’s/service’s suitability for processing sensitive assets.

To us, such an approach is aligned with our understanding of an ISO as a trusted business advisor (as opposed to the “paranoid pitbull” or “unfortunately unheard master of governing guidelines” mission understanding of ancient times).

Now let’s have a look at the object of today’s trust exercise, that is Dropbox. Founded in 2007 and fueled by US$ 7.2 million venture capital (as of this Forbes article) the California-based company provides cloud-based file storage services with a simple GUI and some nice collaboration capabilities for groups of users sharing files. The description in the CrunchBase profile goes: “Always have your stuff, wherever you are”. A technical overview can be found in this paper recently presented at USENIX Security.

As you might recall from the first post of this series, there I laid out some trust contributing factors, which I took from the ISECOM “Mastering Trust” methodology that is taught in their Trust Analyst course (pls note that my interpretation of these may be wrong as I never attended that course. sorry, Pete).

These are:

  • Size – “Who exactly are you going to trust?”
  • Symmetry – “Do they trust us?”
  • Transparency – “How much do we know about $TRUSTEE?”
  • Consistency – “What happened in the past?”
  • Integrity – “[How] Do we notice if $TRUSTEE changes?”
  • Value of Reward – “What do we gain by trusting?” (that’s the one that Ponzi schemes are based on)
  • Components – “Which resources does $TRUSTEE rely on?”
  • Porosity – “How separated is $TRUSTEE from its environment?”
Applying all these to Dropbox might yield the following answers:

a) Size

While this might seem a simple one given Dropbox is a not-too-big company presumably held by their founders and some investors/venture capital providers (plus maybe employees holding stocks or options or sth) it should be noted that, more or less obviously, there’s more entities in the overall picture => see below at section “Components”.

b) Symmetry

Usually this one is hard to apply to B2C scenarios, so I’ll skip it here.

c) Transparency

Honestly, as I’m not a user of their service I don’t have a ultimate attitude here. However from a trust analyst point of view I just note there’s a number of people out there who think that DB failed severely in this regard.

And there’s a (still pending?) complaint for injunctive relief filed to the FTC stating that Dropbox “continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.”

So overall this one (transparency) seems at least debatable; see also discussion on factor “Integrity” below.

d) Consistency: well, probably most of you know that three months ago DB suffered a breach which exposed all online storage lockers to anyone entering any password for ~ 4 hours.

Strictly taking the “consistency road” this does not contribute to their trustworthiness, from my humble evaluation.

e) Integrity

This post from the Hunton & Williams privacy blog provides an overview how Dropbox’ security statements (on its website) changed over time. I tend to assume the majority of users is/was not aware of those changes. 

In general it seems that one of their main communication channels is their blog. Which – given that most of you probably read a blogpost right now – might certainly be a valid channel… for B2C scenarios in modern times at least. Not sure if this is the right channel for the security properties of corporate information assets though.

f) Components

This is a particularly interesting one. As obvious as this may be, most users are probably not aware that DB does not operate the servers providing the service themselves. To the best of my knowledge the (Dropbox) service heavily relies on Amazon S3 and EC2 instances, in a certain setup that Mulazzani et.al., in their paper, comment on as follows: “However, the fact that encryption and storage is done at the same place seems questionable to us, as Amazon is most likely able to access decryption keys”.

g) Porosity

We can’t provide an evaluation here as we do not dispose of any information as for clear demarcation lines on the financial (e.g. who might potentially influence DB’s decisions due to simple ownership of shares) or organization/infrastructure (which 3rd parties actually provide which type of supporting service, e.g. do they share their office space with other parties in a business/office incubator etc.) sides of things.

So, once again, taking a structured approach when evaluating some party’s trustworthiness (to counter the fact that trust – by it’s very (Diego Gambetta’s) definition that we used in the initial post – is sth subjective) leads to – hopefully – interesting insight and results.

Still, in this particular case, there’s another potential use of this way of looking at things: when dealing with (business’ desire to use) Dropbox in your organization, you might convert this points into a simple (one slide) checklist containing questions like:

  • Do you know who owns the company Dropbox?
  • Do you know where their servers are located?
  • Do you know if they own the servers providing the service themselves or who else does this on their behalf? And where the servers of that “other party” are located? Which legislation applies there?
  • Do you know that they just suffered a breach temporarily allowing anyone in the world to access any one of its 25 million customers’ online storage lockers, simply by typing in any password?
  • Do you know who owns the keys necessary to decrypt data stored under your account?
[in case you like to promote your concerns the FUD way - which we do not like or recommend - you might add: "If you were a well-funded attacker, maybe from an emerging market, would Dropbox be an interesting target for you?"...]

If some people within your organization are still going to use DB for corporate data then, well, that’s an “educated decision by business” [no, no, the quotes are not put here to hint there might be a contradictio in adjecto].

Stay tuned for more stuff to come in this series & have a good week...

BTW: we’ll probably have a talk about Dropbox at next year’s Troopers which takes place on 03/21 and 03/22 2012 in Heidelberg.

Cross-posted from Insinuator

Possibly Related Articles:
15740
Network->General
Information Security
Methodologies OSSTMM ISECOM Trust Network Security Dropbox control
Post Rating I Like this!
1789975b05c7c71e14278df690cabf26
Pete Herzog Enno, thanks again for showing people another practical way to use the trust metrics. As always, you've done a great job. What you're doing here though is really just scratching the surface of the trust metrics potential. Maybe you'll find a moment to sit in on part of the Mastering Trust class at Troopers 2012 :)
1317706095
0bf28731c890f78031df29d4be2d85e5
Joe Cicero In regards to "b) Symmetry" it can be ONE WAY (you need to trust them) or (they need to trust you) or TWO WAY (you both need to trust each other). Wouldn't your example be "one way"? You need to trust DropBox but they don't need to trust you.
1317738396
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.