What security risks are there with employees using Dropbox?

Are there any particular security concerns to keep in mind with company-wide use of Dropbox file sharing / versioning / backing up, and are there specific options or settings that would be recommended to limit the risk?


Solution 1:

It depends on your business and your level of paranoia. It's much safer, albeit more expensive, to issue laptops with a VPN connection.

Real quick...

Some Risks:

  • Former employees potentially have access to business data after employment has been terminated. You as the business MUST be in control of the accounts if you don't want some disgruntled employee to have access to things after getting fired...
  • These services would bypass any automated document retention mechanisms you have in place, which adds another area for you to manually cover for document retention.

Recommendations:

  • Make sure you can generate your own encryption key(s) for storing the data and that the key(s) are not shared with the service provider
  • Make sure your data is encrypted BEFORE it gets sent to the service's repository
  • If you are going to let individuals have their own account then have a single point of contact for your company. Coordinate all accounts through this person (or a couple of people as proxies). Or make sure that the provider supports business accounts that you can somehow group employees under.

Solution 2:

I would tread very carefully here. Dropbox enables an extension to another computer's hard drive.

That extension is worse than a USB key in the sense that infections on one PC can get onto all the other PCs using that share much more easily than with a USB key. Virus/trojan/bot writers don't target Dropbox (yet), but if they decide to, then you've got a virtual unlocked door from a company-controlled PC on a secure network to an insecure computer on an insecure network. As is, using normal operations, one can't just go through that door and look at other things on the computer - only items within the Dropbox folder can be seen, and new items can only be created in that area, but that's assuming that the Dropbox application itself can't be compromised.

Further, Dropbox claims a great deal of security, but what is actually provable to you? It's possible someone can sneak in that window remotely from a completely different PC and attempt to put infected documents and programs onto the work PC.

There is obviously a protocol Dropbox itself uses to communicate with its clients - is it encrypted? Is it immune to buffer overflows? Man-in-the-middle attacks? Sniffing? Replay attacks? Is it possible, using the standard protocol, to place files inside or even outside the standard Dropbox area? If the protocol has a buffer overflow, is it possible to compromise it in a way that allows full access to the machine? Network shares on the machine?

I don't think the risk is very high, but the damage done can be extensive, so it's something that has to be carefully thought out.

-Adam

Solution 3:

Paranoia????

Dude.. Step away from the network.. SLOWLY.. With your hands away from the Keyboard.. DO IT NOW!!!

Cloud-based "consumer" file share solutions like Dropbox are not meant for businesses or corporations. Microsoft said it best with SkyDrive when they came out and said that these types of products are not, and should not be, used for business purposes.

There are thousands of reasons why not that outweigh the reasons why one should.

Biggest LEGAL reason outside of the security risks (and the Terms of Use, which specify that 3rd parties can have access to confidential files, hence nothing confidential should ever be stored on such a consumer-based service.. EVER..) is the fact that with a service such as Dropbox, well.. Let me ask this.. Where are those files stored? Where are those servers located? You can rest assured, with the lowest bidder, this calls in something called Data Export Rules and Laws... Should you have a single tiny file the "United States Government may deem as a risk or potential risk to U.S. security" (could be something as small as an electrical layout of a public gathering place, school, or gym, or a password or username to something like a Cisco account where you can download export-restricted software, etc.) up to classified documents, you are in violation of that law. You go to jail, you do not pass go.. I believe now that is handled by the FTC and Homeland Security..

The Dropbox terms of use specify (basically) that if it is installed on a business PC (Dropbox assumes that the person installing it on the business PC guarantees they are authorized by clicking through the TOU), that "authorized" individual is doing so FOR THE ENTIRE COMPANY.. Period... (First section in Dropbox.com/terms)

What stops me from using this outside of my server and work environment is simply ethics... You have a consumer product like SkyDrive that in big letters says "No Business.. Don't!" because they do not want to risk customers' data on a business level because they KNOW it is a risk! And then flippin' Dropbox, who uses legal words in their contracts such as the word "stuff", who patty-cakes the entire "security thing" and acts like it's no big deal (would you want to lose profit and shares that valuable? Probably not...)....

It is a big deal.. The more security groups beg you and me to follow simple practices, the more big companies like Dropbox come out and, for money.. for profit, act like it's no big deal...

What if your business stored a tiny piece of a single credit card number and a name and expiration date? Now say the PC the Dropbox client was installed upon was, uhmm, "gotten into.." through a Dropbox security breach... Following me? Visa/Amex etc.. the ginormous bank companies WITH government support (because Payment Card Industry (PCI) Standards say so.. that's who...) WILL fine you.. get this... you may want to sit down.. a staggering $500,000.00 PER INCIDENT... It is enough to put a small or medium business out of the business they are in....

The ONLY way to get around it is to locally encrypt that data using a PCI-certified encryption product BEFORE it goes to Dropbox, purchasing licensing for all your remote devices, downloading the file you need, and decrypting it before you can use it.. (Nope, don't sound like it ain't no fun at all...) (Or encrypting data on your server's network, and clients at the gateway...)

With all that, for less than $20 a user (about $11 for the basic one) you can get an Office 365 E series plan that IS HIPAA, SOX, ISO, and PCI certified.. (Dropbox, hidden in their pages, clearly states that "at this time" they are not.... )

So ask yourself, albeit in your mind small... Is it actually worth the risk? And DO you want to do business with a company who, I think, steps lightly on or makes light of the risks associated with using their product....

Is it worth the risk to your career if you are in technology and you do get breached and you DID allow Dropbox? DO you think you are employable after your name is beside a breach and you make the news? As a CTO, I can promise you, not on my life would I even hear the excuse behind it.. I would never even interview anyone in technology who by their own actions or decisions caused a breach of data on any sized network.. Yes, we all make mistakes, which is why your job in IT is to eliminate any risk, big or small, as best you can.. Not open up the worm hole and scream for Alice...) It is a disaster for PR.. for a business (if a competitor found out and leaked who you are.. (gasp) what you did..), and an increased liability to hire someone because they allowed a file-sharing service that publicly acknowledged and stated they were not PCI, SOX, ISO, or HIPAA certified.

Well.. That's for you to decide... Is it worth a career? Is it worth the loss of your company or customer data?

For me.. It is not... Consumers use consumer products, not businesses... Period.
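Solution 1's recommendation (encrypt the data BEFORE it is sent to the service, with keys the provider never sees) and Solution 3's point about locally encrypting data before it goes to Dropbox come down to the same mechanism, and an authenticated cipher also covers the worry in Solution 2 about a peer pushing altered files through the share. The following Go program is an added example, not code from any of the posters, from Dropbox, or from any product they mention: it generates an AES-256 key on the local machine, seals each file with AES-GCM (binding the file name as associated data) before the blob is written into the sync folder, and refuses to open a blob that was changed in the share. The temp directory standing in for the Dropbox folder, the `DBX1` header, and the sample document are constructed for this example; how the key is distributed to other authorised machines and revoked when an employee leaves is not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Blob layout written into the sync folder (a hypothetical format for this example):
//   magic "DBX1" (4 bytes) || GCM nonce (12 bytes) || AES-GCM ciphertext || 16-byte tag
var magic = []byte("DBX1")

// NewLocalKey generates a 256-bit AES key from the OS CSPRNG on the company-controlled
// machine. It is never written into the synced folder, so the provider only stores output of Seal.
func NewLocalKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a file's contents BEFORE it is placed in the sync folder. The file's
// logical name is bound as associated data, so a blob renamed or swapped for another
// sealed file in the share will not open under the wrong name.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, magic...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(name)), nil
}

// Open decrypts a blob read back from the sync folder. Any change made on another
// synced machine or in transit (a flipped byte, an appended payload, a truncation,
// a rename) fails the GCM tag check and yields an error instead of data.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := len(magic) + gcm.NonceSize()
	if len(blob) < hdr+gcm.Overhead() || !bytes.Equal(blob[:len(magic)], magic) {
		return nil, errors.New("not a sealed blob")
	}
	return gcm.Open(nil, blob[len(magic):hdr], blob[hdr:], []byte(name))
}

func main() {
	key, err := NewLocalKey()
	if err != nil {
		panic(err)
	}
	// A temp directory stands in for the local Dropbox folder in this example.
	syncDir, err := os.MkdirTemp("", "dropbox-sim")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(syncDir)

	// Constructed sample document; not real data.
	doc := []byte("ACME customer list\nJane Roe, card ending 4242, exp 12/27\n")
	blob, err := Seal(key, "customers.txt", doc)
	if err != nil {
		panic(err)
	}
	path := filepath.Join(syncDir, "customers.txt.enc")
	if err := os.WriteFile(path, blob, 0o600); err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; plaintext visible in share: %v\n",
		len(blob), bytes.Contains(blob, []byte("customer")))

	// Read it back the way a second synced machine would, then simulate a
	// compromised peer altering one byte of the synced file.
	stored, err := os.ReadFile(path)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, "customers.txt", stored)
	fmt.Printf("decrypt with local key: ok=%v matches=%v\n", err == nil, bytes.Equal(pt, doc))
	stored[len(stored)-1] ^= 0x01
	_, err = Open(key, "customers.txt", stored)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

Two caveats a practitioner would want: AES-GCM with random 96-bit nonces should not seal more than roughly 2^32 files under one key, so a real deployment rotates keys or derives a per-file key; and the blob is neither padded nor compressed, so file sizes and change frequency remain visible to the provider even though the contents and names bound into the tag do not.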