The Dropbox Dilemma

I recently read an interesting article in CloudAve titled, “Sure Dropbox is Potentially Insecure, but does it Matter?” The article highlights the trend of corporate users bypassing IT Security and exchanging files with co-workers and external third parties. They researched the types of corporate staff that use Dropbox and other file sharing services to exchange information.

The article goes on to state that they believe the majority of the files are not confidential and if shared with outsiders don’t pose a serious threat to the company!

Look at these statistics from a report by Nasuni on Dropbox usage.  Based on this information, I would say a lot of executives and people generating intellectual property (IP) are using Dropbox.

[Charts: Dropbox usage by title; Dropbox usage by department]

In my opinion I think it’s somewhat naive to think that people only put mundane files like Christmas Party attendee lists and general distribution memos in cloud-share repositories. In our work we have seen many examples of documents marked “Confidential” being exchanged through Dropbox-type services. We have also seen things such as Microsoft Outlook PST files being stored in cloud repositories. In one case a PST file contained over two years of emails from a senior company executive!

Organizations should be very concerned about these types of services and proactively implement strict policies to protect against a potentially damaging data breach. Attempting to restrict sites like Dropbox will only encourage people to find other creative ways of getting their jobs done. We see examples of this every day as we work with our clients to help them secure their classified files.

We use Dropbox to exchange certain information among our internal staff. Depending on the files, we use simple encryption tools to get the files from point to point and to protect them from any prying eyes at Dropbox. However, when we need to exchange the file with someone outside the company, we increase the level of protection.

An example would be our corporate taxes. Many accounting firms subscribe to secure file exchange services such as YouSendIt. This adds another level of protection for the file while it is in transit, but here is the problem. Once the file reaches its destination, the recipient has unrestricted access. What happens if our accountant stores the file on his server (which he does) and the drive on the server starts to fail? He calls his IT vendor and they replace the drive. Now do I leave it to my accountant or the IT vendor to properly destroy my tax returns? What happens if he emails the file to someone and is not paying attention to the address line and a third party is included on the distribution list? Your highly confidential information is now exposed!

I personally am not comfortable, in today’s environment, relinquishing the fate of my business to third parties! The only way to protect against this type of situation is with persistent file-level security. This level of security travels with the file and requires it to contact its policy server to be opened. It also restricts what you can do with the information within the file once you have access. If that person does not have permission or they are in a location where the file should not be opened, they will not be able to access the file. This is currently the only way to ensure the confidentiality of your files.
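The idea of a file that must contact its policy server before it opens can be sketched in a few lines. This is an added example, not code from any product mentioned here: `PolicyServer`, `protect` and `open_file` are hypothetical names, the users and locations are constructed, and the HMAC-based stream cipher is a standard-library stand-in for a real cipher such as AES-GCM.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stdlib stand-in for a real cipher such as AES-GCM: HMAC-SHA256 in counter mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class PolicyServer:
    """Hypothetical policy server: keeps each file's key and who may open it where."""
    def __init__(self):
        self._files = {}  # file_id -> (key, {user: set of allowed locations})

    def register(self, acl):
        file_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._files[file_id] = (key, acl)
        return file_id, key

    def revoke(self, file_id, user):
        self._files[file_id][1].pop(user, None)

    def request_key(self, file_id, user, location):
        key, acl = self._files.get(file_id, (None, {}))
        if location not in acl.get(user, set()):
            raise PermissionError(f"{user} may not open {file_id} from {location}")
        return key

def protect(server, plaintext, acl):
    """Encrypt once; the key stays on the policy server, not in the file."""
    file_id, key = server.register(acl)
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return {"file_id": file_id, "nonce": nonce, "body": body, "tag": tag}

def open_file(server, blob, user, location):
    """Every open asks the policy server first, wherever the copy now lives."""
    key = server.request_key(blob["file_id"], user, location)
    expected = hmac.new(_subkey(key, b"mac"), blob["nonce"] + blob["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("protected file was modified")
    return _xor_stream(_subkey(key, b"enc"), blob["nonce"], blob["body"])
```

The sketch covers only the decision to open: a copy left on a replaced drive or sent to the wrong address stays unreadable without a key release, and `revoke` cuts off access after the file has been shared. Restricting what a reader does with the content after it is decrypted depends on the viewing application enforcing those rights.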

How do you protect against this type of exposure?

Watch for announcements from at the RSA Conference in San Francisco February 25 – March 1 for new options to protect files in Dropbox and other cloud-based repositories.


Photo credit Monkey Review
