As is often the case, a recent article caught my eye: “5 Dropbox Security
Warnings For Businesses”. I would argue, though, that this goes beyond just
Dropbox. The piece uses the recent “life hacking” of a journalist as a
cautionary tale and gives some handy tips for businesses, including monitoring
Dropbox use and comparing the security of different cloud services. It’s
definitely worth a read for any IT manager.
It’s certainly not an overstatement to say that information and data are the
most important corporate assets in the information age, and enterprises (and
consumers) should think long and hard about how and where to store data before
making a long-term decision. We know, however, that IT has been forced to
scramble in the wake of popular services like Dropbox and the incredible
exposure that well-meaning employees are subjecting corporate data to.
Still, it might be a big mistake to give away the benefits of IT-controlled
data sharing without thinking about the consequences. It’s important to think
about, as the piece suggests, aspects like monitoring of Dropbox use in the
company, the different security levels of cloud services, and ways to detect
inside and outside data theft. Maybe, as the author suggests, companies could
use Dropbox as a “public repository”:
“Until Dropbox adds those stronger security measures, and all employees
adopt them, businesses that use Dropbox should inform employees that
anything they upload to the service will be treated as ‘public’ – that is, as
if it was published to a public Google Group, Yahoo mailing list, or the
like.

‘If there’s any information you’re worried about, you’re better off
encrypting those files before you upload them. But that adds another layer
of work for users, and users are lazy,’ said the threat intelligence manager
for Trustwave SpiderLabs, who goes by ‘Space Rogue,’ speaking by phone. ‘It
annoys me that companies rely on third-party services like [Dropbox], but
that’s the way that businesses are going.’

Other security experts agreed with that assessment. ‘Anything that is really
sensitive or extremely valuable or needs to be kept very secret, I wouldn’t
store on anybody else’s servers,’ said Marco Arment, the creator of
Instapaper, on his blog. ‘That, to me, seems ridiculous unless I held the
encryption keys – like with the online backup service that I use.’”
Then there is tracking data theft. Most IT departments already have
sophisticated tools that track data use inside the company, so why not apply
the tools you already have to data use outside the firewall as well?
“One of the biggest information-leakage threats facing businesses, besides
external attackers, is malicious insiders. Thus, when weighing if and when
employees can use Dropbox, ask whether your business would be able to detect
information exfiltration while it’s happening or after the fact. ‘As an old
IT guy, having my employees use something like Dropbox – where the files are
no longer accessible to the IT department – makes me very, very worried.
Because as an IT guy responsible for data, I want … to know that if
someone gets fired, I still have access to all of that information,’ said
Trustwave’s Space Rogue.

Accordingly, businesses should consider restricting employees to use only
centrally managed file-sharing services. ‘If I was looking to get a
third-party file-storing service like that, I’d want to ensure that I had
admin access to all of that data,’ he said.

The only catch, unfortunately, is that instead of being baked in, decent
cloud security can be a costly add-on. Dropbox, for example, now offers
Dropbox for Teams, which adds centralized administration, better security,
as well as Active Directory integration. But the cost of the service starts
at $800 per year, for just five users.”
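To make the “use the tools you already have” point concrete, here is a small
example of my own (not code from the article, from Trustwave, or from Dropbox)
of what detecting exfiltration to a file-sharing service can look like after
the fact, using nothing more than the outbound web-proxy log most companies
already keep. The log lines, the simplified Squid-style field layout, the
domain list and the two thresholds (a single large upload, and a per-user daily
upload volume) are all constructed assumptions for the illustration; a real
deployment would read the proxy’s actual format and tune the numbers to its own
baseline.

```python
"""Added example: flag large or sustained uploads to a file-sharing service
in outbound proxy logs. Illustration only; the log format, domain list and
thresholds are assumptions, not a real product's configuration."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed, simplified Squid-style line layout (assumption):
#   <epoch> <client_ip> <user> <method> <url> <request_bytes> <status>
SAMPLE_LOG = """\
1350000000 10.1.2.3 alice POST https://www.dropbox.com/upload 1048576 200
1350000100 10.1.2.3 alice POST https://www.dropbox.com/upload 62914560 200
1350000200 10.1.2.4 bob GET https://www.dropbox.com/home 512 200
1350003600 10.1.2.5 carol POST https://dl-web.dropbox.com/upload 104857600 200
1350007200 10.1.2.5 carol PUT https://dl-web.dropbox.com/upload 104857600 200
1350010800 10.1.2.5 carol POST https://dl-web.dropbox.com/upload 10485760 200
1350020000 10.1.2.6 dave POST https://intranet.example.local/share 209715200 200
"""

# Domains treated as consumer file-sharing services (assumption for the example).
SHARING_DOMAINS = {"dropbox.com"}
UPLOAD_METHODS = {"POST", "PUT"}

SINGLE_UPLOAD_BYTES = 50 * 1024 * 1024   # one request of 50 MiB or more
DAILY_USER_BYTES = 200 * 1024 * 1024     # 200 MiB or more per user per day


def parse_line(line):
    """Split one log line into a record; the URL host is what we match on."""
    ts, ip, user, method, url, size, status = line.split()
    return {
        "ts": int(ts), "ip": ip, "user": user, "method": method,
        "host": urlparse(url).hostname or "", "bytes": int(size),
        "status": int(status),
    }


def is_sharing_host(host):
    """Suffix match so sub-domains (dl-web.dropbox.com) are covered, while
    look-alike names such as notdropbox.com are not."""
    return any(host == d or host.endswith("." + d) for d in SHARING_DOMAINS)


def find_upload_alerts(log_text):
    """Return alert tuples for (a) single large uploads and (b) per-user daily
    upload volume to sharing hosts. Downloads and other destinations are
    ignored; only request bodies sent *out* count."""
    alerts = []
    per_user_day = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] not in UPLOAD_METHODS or not is_sharing_host(rec["host"]):
            continue
        if rec["bytes"] >= SINGLE_UPLOAD_BYTES:
            alerts.append(("single_upload", rec["user"], rec["host"], rec["bytes"]))
        # Aggregate by UTC calendar day so a slow trickle still adds up.
        day = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).strftime("%Y-%m-%d")
        per_user_day[(rec["user"], day)] += rec["bytes"]
    for (user, day), total in sorted(per_user_day.items()):
        if total >= DAILY_USER_BYTES:
            alerts.append(("daily_volume", user, day, total))
    return alerts


if __name__ == "__main__":
    for alert in find_upload_alerts(SAMPLE_LOG):
        print(alert)
```

Two things in this toy are worth keeping when you do it for real: match on the
request direction and size (a GET of the Dropbox home page is not an upload),
and aggregate per user per day, because a patient insider who stays under any
single-request threshold still shows up in the daily total.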
So we say again: why not set up YOUR server as the nexus point, use the
controls you already have, AND give your employees a simple sharing tool?