Dropbox Security Issues: IT Has Only Itself to Blame

Monday, August 06, 2012

Ben Kepes


So Dropbox, the file sharing, backup and sync service that has been setting the world on fire, seems to have had some serious problems of late.

It seems a large number of users have received spam e-mails and, in response, Dropbox has brought in a SWAT team of security experts to see what is going on.

For Dropbox to publicly admit that they were investigating the issue internally would seem to be a tacit admission that it is indeed an internal Dropbox issue rather than anything external.

This isn’t the first time that Dropbox has had a security glitch – outages and the like are sometimes unavoidable, but user information and data should be completely sacrosanct. In a follow-up, Dropbox did give an interim report saying that:

"As of today, we’ve found no intrusions into our internal systems and no unauthorized activity in Dropbox accounts..."

I’ve been using Dropbox since its very early days and watching the company from very close quarters. I have to say that its rapid uptake isn’t surprising – from a functional perspective it’s an amazing product. I’ve almost forgotten what it was like in the days before Dropbox put an end to manually syncing files and the like.

Its incredibly effective product has been the reason that Dropbox has bucked the usual reluctance of organizations to use lightweight consumer tools – some of the largest organizations in the world have Dropbox being used within them (though generally, it has to be said, without a mandate from corporate IT).

But amazing functionality doesn’t mean that the product is robust or secure, and the issues that Dropbox seems to be facing over time indicate a corporate culture that has, at least in part, stemmed from an immature approach towards building a product and building a company.

It’s a subject I’ve opined on previously when it comes to Dropbox, and one which would appear to be shared by others. When discussing the Dropbox security glitch on Twitter, I had a very interesting reply:

"We had to switch to Box the first time an employee walked away with a treasure trove of IP. I use Box for biz, Dropbox all else..."

This sort of comment is very damning. When a CIO makes comments that indicate a reluctance to put anything corporate on Dropbox, one has to listen. When that CIO is a big user of cloud apps in his personal life, and therefore not simply part of the “cloud is a risk” brigade, something important is going on.

I received notes from a number of enterprise workers who all told me of receiving directives from corporate IT in the days after the Dropbox issue, either ordering or recommending that Dropbox use be discontinued. Many of these people were given suggestions by IT of alternative cloud services to use – this is not an example of IT vetoing cloud, it’s a case of IT making a decision about a vendor that is questionable.

Of course, as is always the case, some decided that this possible breach marks the death knell for the cloud. But we need to have some perspective here – there are plenty of cloud backup and sync products out there – ones that work on the public cloud (Syncplicity, Microsoft SkyDrive, SugarSync, etc.) and some that enable “Dropbox-like” functionality on existing hardware (e.g. Oxygen Cloud).

This is not a situation of needing to veto cloud altogether, it is yet another reminder that users need to do due diligence to ensure that a product is fit for purpose – and storage of sensitive enterprise documents has very different security requirements than storing holiday pictures.

Sadly, Dropbox doesn’t seem to be getting this message, at least if the tone of some comments I received is indicative:

It’s also a reminder of the perils of “bottom up” adoption of technology within the enterprise. And a call for IT to be more proactive when dealing with business users. Business users overwhelmingly claim that they’re using these tools as a counter to corporate IT being so slow to respond to their needs.

Most business users I speak to would love to have a product available that meets with IT approval – it’s not like they’re trying to introduce risks – but IT oftentimes continues to be a blocker of innovation.

Yes, Dropbox has issues, and yes, those issues would appear to be indicative of something broader – but that doesn’t call into question the entire concept of cloud.

Having said that, corporate IT essentially caused the enterprise adoption of ill-fitting consumer tools by not meeting the needs of their users. Solve that conundrum, and problems like these recent ones would go away.

Cross-posted from Diversity
