Hi All,

Some folk at work have started using Dropbox to share files, not on a very large scale, and nothing especially sensitive (yet!). But with a perfectly good SharePoint instance readily available (Office 365), and with Dropbox's prior security issues, this concerns me.

http://dereknewton.c...tatic-host-ids/

http://tirania.org/b...011/Apr-19.html

My role is not internal support, or security officer, but I can influence them by making the right noises.

The thing is that, in my view, Dropbox is very much a consumer solution (I admit though to not using it extensively, and preferring SkyDrive), but is this still an accurate stance? I concede that the linked articles above are from way back in 2011; has it moved on leaps and bounds since then?

Depending on the responses here, I will probably raise this at the next company meeting.

Thoughts? :)

Link to comment
https://www.neowin.net/forum/topic/1149704-dropbox/
Share on other sites

I am internal IT support and we block Dropbox from our domain (no browsing to it or installing the app); we do not allow users to connect to it at all. A very simple reason for this would be that we would fail the audit by allowing customer data to go in the "cloud". We also use SharePoint and enforce users to use it as much as possible.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665076

If your company has Sharepoint then they should be using that to share documents. While we haven't blocked access to Dropbox, anyone caught using it to store office documents will find themselves in trouble. We can't keep track of the documents in the cloud which is a huge security issue as far as we're concerned.

EDIT: Or as Shaun said, use your company's file server. Anything that keeps the information in the company's hands and not a separate company's.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665110

There's now Dropbox for Business with added security; still, if feeling uncomfortable with data on a remote server, you can promote more the SharePoint site you have; although not as easy and intuitive to share stuff, it's in your control.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665112

I can't count how many times I have stressed that we need an FTP server to share files with the outside at the very least. Would love a SharePoint server to be able to share with external contacts as well; the licensing cost is much greater though. Right now the only option is Dropbox or SkyDrive or a service like that. It falls on deaf ears at my place of work.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665230

Dropbox is moving towards a business model

https://www.dropbox.com/business

You can get reports of what is stored, shared - can integrate with your AD, and can do 2 factor, etc. If the employees like it, then you really have 2 choices: either completely block it, or try to and have no control over what is stored there as users use their own private accounts. Or embrace it and control it, etc.

As to sc302's ftp comment - ftp is pretty old school, and not secure - did you mean sftp? Companies are going to have to embrace cloud storage if you want your employees to be productive. They are going to want to BYOD, and going to want access to the files no matter where they are at or what device they are on. Be it pc at work, home, laptop, tablet, phone, etc. The issue has now come down to securing those devices that are outside the company control - so you need to secure the data that might be stored or accessed via such devices. So now you're looking at min 2 factor auth, with encryption of the files no matter what file system it is on, etc. It's a rapidly changing world in IT; you either move along with it or you're going to get left behind.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665276

We block Dropbox as well. If users want to store data in a manner in which they can access it elsewhere, we put it on a shared directory and they can access it via their company computer at home using the VPN and no other way.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665288

i think the killer point is they are using the consumer version, which makes me nervous. We have Office 365 and i can't see us moving to the Dropbox business model due to its rather high costs, considering that we already have a lot of the same functionality with SkyDrive Pro connected to Office 365

unless i am missing some key feature?

i still want to raise this at the next meeting but just don't have any hard reasoning why... dropbox just seems a bit.. amateur :s

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665290

"dropbox just seems a bit.. amateur"

They just bought Mailbox for $100M a bit over a month ago. End of last year they went over 100M users, and they have been picking up companies left and right recently: since Dec of last year they have picked up Audiogalaxy, Snapjoy, TapEngage and the recent Mailbox, etc.

Are they smaller than say MS, and Office 365 --- sure, but I don't think I would call a company founded by 2 MIT guys with over 100 Million users amateur?? ;)

You might want to do a bit of research before making such remarks ;)

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665320

Said in a way I wouldn't have said, but he is correct; however, that still doesn't make Dropbox a viable alternative for my company's needs. Audit (not that they know what they are even checking for) would not be impressed with us using such a service when we have the ability to use fileservers and SharePoint and even, as sc302 said, FTP - we still use this for supplier orders etc. so it is still a viable, cheap option.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665328

Dropbox is moving towards a business model

https://www.dropbox.com/business

You can get reports of what is stored, shared - can integrate with your AD, and can do 2 factor, etc. If the employees like it, then you really have 2 choices: either completely block it, or try to and have no control over what is stored there as users use their own private accounts. Or embrace it and control it, etc.

As to sc302's ftp comment - ftp is pretty old school, and not secure - did you mean sftp? Companies are going to have to embrace cloud storage if you want your employees to be productive. They are going to want to BYOD, and going to want access to the files no matter where they are at or what device they are on. Be it pc at work, home, laptop, tablet, phone, etc. The issue has now come down to securing those devices that are outside the company control - so you need to secure the data that might be stored or accessed via such devices. So now you're looking at min 2 factor auth, with encryption of the files no matter what file system it is on, etc. It's a rapidly changing world in IT; you either move along with it or you're going to get left behind.

Of course I mean sftp....wouldn't have it any other way with a ftp for corp. Cloud storage just transfers the endpoint from something that I can wrap my hands around to the cloud of which I have 0 control over. Some things can go to the cloud, a lot that is here can't. FDA is a bitch.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665334

There's now Dropbox for Business with added security; still, if feeling uncomfortable with data on a remote server, you can promote more the SharePoint site you have; although not as easy and intuitive to share stuff, it's in your control.

SharePoint 2013 introduces SkyDrive Pro that can be configured "on-premise" or in the cloud and it actually is more intuitive than you think, especially when compared to SharePoint 2007 or 2010.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665340

You might want to do a bit of research before making such remarks ;)

ahh, classic BudMan :)

i have done some of my own [limited] research, and based on the number of security issue news articles, i'll stand by that statement. I just don't think it's suitable for a company to utilise, but it's probably fine for home users etc.

Anyway, at the end of the day it's just my opinion, and i am ONLY talking about the 'free' version.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665402

If all you're talking about is the "FREE" version, then I would agree: not something a company should use as their production sharing of files. There are no controls in place for the FREE version from the company point of view of the "company" files.

As to the security issues you pointed to - the first one is quite dated. And well before they created a business version, the article was updated in 2011 and stated:

Update (10/31/2011): Dropbox has released version 1.2.48 that utilizes an encrypted local database and reportedly puts in place security enhancements to prevent theft of the machine credentials.

The stable version is currently 2.08, so how many changes have there been since that article was written? Your other article again very dated! And is more about the ability for dropbox to access your files if required by government, etc.

How does Office 365/SkyDrive compare? Keep in mind you need to compare apples to apples - if you're using the paid version of Office 365, SharePoint, etc. you cannot compare that to a free version of some other cloud storage with different goals and feature set, purpose of use, etc.

Are you talking about just sharing files, storage of files, access of files from other OSes/ Devices - or the whole office365 suite of features?

Dropbox might be a fit for many companies, maybe not - maybe not yours, etc. Lots of variables to take into account. Security is a major concern for sure - if you're going to store sensitive data offsite, then you better be 100% sure! But I would not call the company amateurish in any sense of the word.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595665582

There's been a few big security lapses, all of which have long been fixed and changes made to prevent future repetition, and a couple of big media storms about "security" issues that are actually nothing. That's not really a problem with Dropbox now. What may be a big problem though is that there's no user-controlled encryption key, so the US government can make Dropbox disclose your data if they wanted to, and probably gag Dropbox from telling you too. This is a huge problem with a lot of cloud services, not just Dropbox.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595666014

Per your concerns, SkyDrive/Dropbox are consumer products and SkyDrivePro/DropBox are for business (Skydrive additionally is generally more secure and HIPAA compliant I believe). If you are paying for Skydrive Pro, there is little reason to use Dropbox.

Even if you were, I'd go Cubby over Dropbox personally.

It really comes down to educating the users unless you want to get all institutional though.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595666026

"Skydrive additionally is generally more secure and HIPAA compliant I believe"

I don't believe any of them are HIPAA compliant - and where would you get that idea that skydrive is? I can find really nothing on the security of skydrive at all to be honest.

I can find nothing that states that your files are encrypted with anything sitting on the SkyDrive servers. Where with Dropbox, for example, it's clearly stated:

https://www.dropbox.com/business/security

Encryption at rest

Your files are stored using 256-bit Advanced Encryption Standard (AES) encryption.

Dropbox's storage is SSAE16/SOC1, SOC2, ISAE 3402 and ISO 27001 certified on Amazon S3 and may provide data mirroring across other secure data centers. Dropbox complies with the U.S.- E.U. and U.S.- Swiss Safe Harbor frameworks regarding personal data.

Where is such information about skydrive?? even the FREE dropbox states files are stored encrypted

https://www.dropbox.com/help/27/en

And links to http://aws.amazon.com/articles/1697?_encoding=UTF8&jiveRedirect=1 talking about the security of Amazon S3 where your files are stored, etc.

I would love to see even such basic info about skydrive - which I am having a hard time finding.. Do you have any links that states that files are encrypted while stored?

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595666092

ahh, classic BudMan :)

i have done some of my own [limited] research, and based on the number of security issue news articles, i'll stand by that statement. I just don't think it's suitable for a company to utilise, but it's probably fine for home users etc.

Anyway, at the end of the day it's just my opinion, and i am ONLY talking about the 'free' version.

It's no different than any other method of accessing a file and trying to prevent it from leaking out. If someone has access to the file, they can always find a way to duplicate/copy the contents to another file and share it with anyone via their own means. This is where usage/HR policy comes in and must be audited and enforced.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595666144

SharePoint 2013 introduces SkyDrive Pro that can be configured "on-premise" or in the cloud and it actually is more intuitive than you think, especially when compared to SharePoint 2007 or 2010.

heh thanks for sharing, haven't seen Sharepoint 2013, though.

Also what stops users from copying company data into Google Drive / Dropbox / other similar service? heck they even can use their mobile phones and copy data into them and share it! this is more about educating users to take an advantage from secure, company approved services, making them stop using insecure or unreliable services.

As an example: a client of mine implemented this policy where no worker could use YouTube or Facebook, because of fear of loss of productivity; it backlashed because most of the workers started to use their private mobile phones to visit those sites / services and even creating mobile hotspots so others could access too! Only when the client's IT staff understood that people were gonna access those sites anyway, they convinced the management to use that in advantage, giving folks some "Facebook time break" and convincing people to use Facebook to promote the company.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595666220

Neowin ran the story a couple weeks ago, as the assumption has been that SharePoint/SkydrivePro is compliant (on and off premise). Dropbox (the consumer side) made it clear they had no intention of doing this, but their purchases may change that for business users. Same with Cubby; its second lock should satisfy most regulations that don't require an auditor as I understand it.

https://www.neowin.net/news/microsoft-updates-business-associate-agreement-keeps-it-cool-with-hipaa

Microsoft Office 365 is the only major cloud business productivity solution to programmatically offer a BAA built with the industry, and for the industry, to HIPAA-regulated customers, allowing healthcare organizations to be confident in the security and privacy of their patient data while empowering their staff to communicate and collaborate virtually anytime and almost anywhere.

SharePoint is so slick, I don't know why more people don't use it.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595666258

"Neowin ran the story a couple weeks ago"

Thanks for that - missed that info.. But as I thought..

https://www.microsof...36&langid=en-us

The Trust Center does not apply to these Office 365-branded Microsoft online services:

Office 365 ProPlus enables access to certain cloud features, like roaming settings and consumer cloud services like SkyDrive, to which the Trust Center does not apply.

And talk about burying it deep, they sound all yeah we are HIPAA, aren't we the greatest -- when it comes down to it, there is a LONG list of stuff that does not comply and read the above link of stuff that does not fall under their "trust center"

When you allow the ability for users to share something, I don't think it's possible to be HIPAA, since you have no control of who they share what with, etc.

https://www.neowin.net/forum/topic/1149704-dropbox/#findComment-595666842

This topic is now closed to further replies.