It's your data - just owned by someone else

Opinion by Dan Raywood

At a recent CISO roundtable I attended, the question was asked 'what keeps you awake at night' and one answer made the attendees shudder - Dropbox.

Aside from the recent security scare, an issue exists with Dropbox in that users own their own accounts and store corporate information in them, which may affect compliance and the security of intellectual property.

This is by no means a witch hunt against Dropbox; it is just that it has become the byword for consumer-grade online storage and collaboration tools, much in the same way that iPad has become the term for consumerisation of IT.

At this year's Infosecurity Europe exhibition in April, Julian Jeffery, head of policy and corporate reporting for Telefonica, said that security personnel could find ways to allow consumer cloud storage into the corporate network and make exceptions to the rules.

He said Telefonica's approach was to encourage employees to present IT with the service they want to use and agree in what cases, or with what data, this can be allowed, ensuring high levels of productivity coupled with the necessary security.

Ian Turner, vice president and country manager at Intralinks, told SC Magazine that he had not seen any IT department that would consider allowing Dropbox to be used. “They will take no responsibility for what goes wrong if they lose your data,” he said.

“For the consumer it is fine, but for a business model people want a service level agreement, as what if the service goes down? What if they lose your data? You want the right to negotiate a contract, but who is the data controller?

In a traditional enterprise model, you expect 24/7 support, multiple language support also. How do you support people outside the firewall? Organisations have grown up and the reason why people pay is because they are removing risk and IT creates a neutral zone for everyone to work in, you can put stuff in and grant access to look at it but not move it. This is often where collaboration falls down, as once I give it to you it can be copied and moved on.”

Turner claimed that it is not about collaboration, it is about protecting intellectual property and "what looks like an innocent set of documents could be important".

Grant Taylor, vice president of Europe at Cryptzone, agreed. He believes that people should not be using Dropbox for many business purposes, as CISOs and compliance managers would be horrified to know that confidential data was being moved out of the organisation's sphere of control.

“Free services by their very nature don't have the features to facilitate corporate control and management. If corporate information is moved to personal accounts in contradiction to corporate policies, you're dead in the water as far as the boss is concerned,” he said.

A survey by Computacenter of 150 IT decision makers found that 84 per cent of employees secretly access consumer cloud solutions in the workplace, as businesses fail to offer effective file sharing tools.

Paul Casey, cloud practice leader at Computacenter, said: “These cloud products are very convenient, easy to access, simple to use and perfect for remote working. Unfortunately, most IT departments don't offer similar file sharing tools that are secure and as a result are losing the battle to keep company data on the office network.

“The second an employee stores files and data using a solution such as Dropbox, IT managers lose all visibility of what is going on and potentially confidential information and intellectual property is open to security threats and breaches.”

Turner said that if a member of staff buys access on their credit card and uses one of these services for work and then leaves, how do you ‘switch them off'?

The issue is not one of how secure cloud storage and file sharing services such as Dropbox are. Dropbox states that "your files are actually safer while stored in your Dropbox than on your computer in some cases", as it uses "the same secure methods as banks". This includes other Dropbox users being unable to view, and prohibited from viewing, your content. It uses SSL and AES 256-bit encryption and claims that "Dropbox website and client software have been hardened against attacks from hackers".

In terms of the security of its storage, it said that it uses Amazon's Simple Storage Service (S3) for storage, "which has a robust security policy of its own".

A recent survey found that two-thirds of IT executives did not know where their data is, while three-quarters cannot track it. Attenda's director of security Matt Gordon-Smith told SC Magazine that Dropbox is a very useful tool for central group access and collaboration, but that the standard user does not have security at the front of their mind, which is why there are security concerns on the use of Dropbox and other such services and these need to be improved.

He said: “There are plenty of data loss prevention (DLP) solutions out there to detect and protect information being put into places it should not. For organisations without an IT infrastructure, it is a useful tool to help rein in those who install what they want on their desktop.”

Asked if there was such a possibility as a corporate account on Dropbox, Gordon-Smith said: “IT departments use tools, operating systems and mechanisms to access data and having a corporate environment built to allow that to happen will start allowing people to use their own accounts for individual collaboration.

“You need to start by acknowledging that people will use Dropbox, as a large percentage do not know where their data is. They need an approach where they start with identifying what critical data they have, where their assets are and then put down controls from the start and then track the data itself, as many never lock down everywhere that the data is.”

The problem is that, much like with consumerisation, when something becomes available it is usually in the consumer environment where it is used first and business is forced to find a way to deal with it.

David Gibson, VP of strategy for Varonis Systems, said that organisations need to find ways to coexist with these technologies; to take advantage of the efficiencies they bring and ensure that their data assets are adequately protected.

“Employees need a secure method to collaborate and share information; if IT doesn't provide one they will take matters into their own hands; many already have,” he said.

He pointed out that ease of use is the most compelling thing about services such as Dropbox: once the data is stored in a folder, all of your files are available to you and to those with whom you collaborate, and users don't have to put any thought at all into using them.

He said: “The fact that we don't need to put a lot of thought into using these services is also a big problem. The line between personal use and corporate use has blurred and employees are storing corporate data in cloud services without corporate approval or oversight.”

He suggested some key questions that organisations need to ask about cloud collaboration services:

  • Who are these cloud service providers and how do they protect their networks?
  • Are actual access events and permissions changes audited, and how can they be integrated with existing audit trails?
  • How is disaster recovery performed?
  • How can organisations inspect them to make sure they are behaving as they claim?
  • How can organisations make sure they even have a copy of all the data an employee has created, much less make sure employees aren't taking data when they leave?

“Organisations are at a turning point - one where they either let things go as they are now, where their employees use personal devices and free cloud services to store organisational assets wherever they choose, or select a separate, cloud-based file synchronisation service that will add additional management overhead, and new risks that are difficult to quantify,” he said.

Gibson suggested businesses look to implement a solution that employees can use that is managed by the business. In the same way that 'bring your own device' (BYOD) has been one solution for the consumerisation of IT, could 'bring your own collaboration' (BYOC) be one for this situation?

The problem is that anything internally managed and offered is probably not as good as what employees can buy and access themselves. Varonis' survey found that while 80 per cent of companies do not allow their employees to use collaboration services due to fears of data leakage, 70 per cent of companies would use these services if they were as robust as internal tools.

There is no guarantee that an internally-managed collaboration tool would offer any more security than what is currently offered, although it would offer much more manageability for IT.

I do use a cloud-based collaboration tool, but mainly to store photos and some documents not related to my day-to-day job. However, I am a security journalist and realise the impact of such tools upon my corporate environment. Once again, it is about user education and encouraging users away from cloud-based storage and onto something that the business can control.

It is a tricky situation and one that, dealt with properly, could benefit the organisation, provided employees know the responsibility they have towards corporate data. Handled badly, and you have your own Big Data crisis and no management of corporate data spread across multiple clouds and tools.
