Cloud // Infrastructure as a Service
Commentary
9/16/2013
02:48 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Dropbox File Brouhaha: Use Case Is The Issue

Before you pull your files over a perceived security threat, ask yourself: How are you using the cloud file sharing service?

Some are shocked by the revelation last week that Dropbox is indeed opening files that are stored in its cloud-based file service. It's now clear that there was a good reason for this -- Dropbox was processing a word processing file in an automated manner in order to provide an additional feature to users. Those who are shocked simply haven't thought through what the use case is.

From the time that cloud technology hit the streets, responsible cloud proponents were cautioning that not every use case for cloud was an appropriate one. Should you put your city government emails in Google mail? In the past, the Los Angeles CIO said, "Yes." But should you put law enforcement emails into that same Gmail store? In the past, the LAPD chief said, "No." You can debate these particular instances endlessly, but the point is this: Not everyone is comfortable with every use case.

Those that think of Dropbox as a place to put docs simply don't understand the app, and therefore can't appropriately match their use case to the app. Dropbox is not simply a file repository. It's made to share files easily, it's made to be low cost via file de-duplication and AWS storage, and it's made to be convenient to manipulate files via a Web interface to do things such as restore old document versions.

[ Cybersecurity is no joke. But what do you think about this New Security Trend: Bring Your Own Attorney. ]

A document preview is something that doesn't make sense if you think of Dropbox as your father's G: drive, where you have to wait for IT to restore your files that you bollix up. But if you think of Dropbox as something greater than that, it makes perfect sense for Dropbox to use software to process files to offer features beyond what Dad had.

But it's also really important for decision makers outside of IT to understand how this process works in order to figure out whether this is a "good use case" or a "bad use case."

When Dropbox generates a preview of a .gif, it's doing almost the exact same thing to your file that the preview of a .doc file does. Your file must be read and processed by software in order to do anything useful with it, such as generate a preview. I say "almost" the same because a .gif doesn't contain active content -- it's a pretty simple file format that doesn't contain complex requests. On the other hand, a .doc file can contain active content. That's what the Honey Docs tool allowed the security researcher to do -- to embed active content into the file that would be triggered upon "processing."

Trouble was, Dropbox used existing software -- LibreOffice -- which allowed the active content to activate. That was not such a great decision by Dropbox; it fails the test of "least privilege, least feature," where complexity is the enemy of security.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

Aha! So Dropbox is evil, right? Not quite. If there was a security issue with active content in your files, the very worst case scenario is that it would affect you no matter whether it lived in Dropbox or on your desktop. You can't throw a monkey wrench into an off-premises machine and then blame the machine.

So, in general, Dropbox doing automated processing is probably fine with many use cases. But your specific use case will be your true test.

If you're saving Fort Knox alarm system plans, Dropbox probably isn't the place you want to store them. And, to be fair, I'm not sure that you'd want to store them using any cloud provider's app. Perhaps in those use cases, a good IT organization might use a belt-and-suspenders approach, where staff uses on-premises software to encrypt storage prior to it being synchronized to the cloud. Or maybe that wouldn't be secure enough either -- but the manager of Fort Knox would be the one to make that call after IT explains it. The point is that talking about use cases creates a good conversation: "Here are the risks. Are the portfolio of convenience and low cost worth the risks?" "Can we mitigate the risks for this use case?" And so on.

Finally, those who are anti-cloud will use this brouhaha to convince those who don't know any better that CLOUD = BAD, and PREMISES = GOOD. The argument will go something like, we control the installation and configuration of all software, so nothing bad will happen if we host internally. Except, despite internal IT controls, stuff happens with premises software a lot more often than IT organizations like to admit. For example, last year at this time, Sophos released a bad update that created chaos for lots of large organizations.

Unless we decide to write our own software and provide our own maintenance, we're always going to have the possibility of something bad happening that we're not 100% in control of.

So it's not "good cloud, bad cloud." It's "good use case, bad use case." But, above all, it's about having an informed conversation about the risks and the benefits of any tool or service, no matter where it lives.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
IMjustinkern
50%
50%
IMjustinkern,
User Rank: Strategist
9/17/2013 | 3:02:10 PM
re: Dropbox File Brouhaha: Use Case Is The Issue
Solid stuff, Jonathan ... getting a handle on specific use cases and your own data behind the scenes remains the best path to security.
Laurianne
50%
50%
Laurianne,
User Rank: Author
9/17/2013 | 4:37:53 PM
re: Dropbox File Brouhaha: Use Case Is The Issue
Cloud=bad does not have any nuance to it, as Jonathan points out. Thankfully the security researcher who brought this issue into the public eye never tried to frame his discussion that way. Also thankfully, Dropbox responded quickly to user concerns.
vintsurf
50%
50%
vintsurf,
User Rank: Apprentice
9/18/2013 | 1:09:50 PM
re: Dropbox File Brouhaha: Use Case Is The Issue
Exactly. The explanation of the automated process made sense and it turns out that this applied to any service that offers this browser specific feature. It may be possible that many people (especially users of the desktop client) did not realize what the "effects of rendering low-quality previews" truly meant. Just another piece of info they can use to assess risk.
Other services were tested and no responses were received from the files, so that seemed interesting. A theoretical attack surface was mitigated due to the discussion as well. The follow-up post mentioned encryption options if privacy is a consideration for any service that may offer this feature.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
9/18/2013 | 3:29:47 PM
re: Dropbox File Brouhaha: Use Case Is The Issue
What if you encrypted the Word docs before uploading them to DropBox? Then they could not be previewed, right?
vintsurf
50%
50%
vintsurf,
User Rank: Apprentice
9/18/2013 | 3:34:58 PM
re: Dropbox File Brouhaha: Use Case Is The Issue
Correct, they could not be previewed. A key would be needed to decrypt the file and it would not be best practice to store the key in the same location as the encrypted files.
jfeldman
50%
50%
jfeldman,
User Rank: Strategist
9/18/2013 | 10:05:35 PM
re: Dropbox File Brouhaha: Use Case Is The Issue
Haha, except that Word encryption is notoriously flawed (or at least it was in the past). ;-)

For what it's worth, I agree with Laurie - definitely appreciated that you were balanced about the disclosure. Still, you should have seen the press releases that I got from vendors - "this proves, once and for allG«™" Even when you ARE balanced, there's someone out there that isn't.
vintsurf
50%
50%
vintsurf,
User Rank: Apprentice
9/19/2013 | 1:05:27 AM
re: Dropbox File Brouhaha: Use Case Is The Issue
I recommended Boxcryptor or Truecrypt for encryption options. These would be encrypting the file rather than password protecting. I agree with you that file specific passwords may not be the best approach.

Thank you for mentioning the balance regarding the disclosure. It certainly can be difficult to sort through the FUD at times like these.

Stop by a meeting sometime if you're available!
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Author
9/19/2013 | 12:34:22 AM
re: Dropbox File Brouhaha: Use Case Is The Issue
I wonder whether those who sued Google for "reading" their Gmail will now target Dropbox for "reading" text documents?
mask my content
50%
50%
mask my content,
User Rank: Apprentice
9/19/2013 | 9:04:30 AM
re: Dropbox File Brouhaha: Use Case Is The Issue
Dropbox checks docs because of the so called deduplication process. It means if you upload anything to their servers, they check it, whether it is up already. If it is, they provide a shortcut to the already uploaded file and delete yours. (eg. this works very well wit videos and music files). it is a common market practice among public cloud providers like Dropbox, Google Drive and so on, even many of those do it, who claimed to be secure (like Wuala). As far as I know dedup. is unavailable by client side encrypted tools, so you can skip all this trouble by using eg. Tresorit. Boxryptor is good to encrypt your dropbox, truecrypt is not really for could it's service focuses on local encryption.
vintsurf
50%
50%
vintsurf,
User Rank: Apprentice
9/19/2013 | 12:41:49 PM
re: Dropbox File Brouhaha: Use Case Is The Issue
Dedpulication should only compare file checksums via md5 hash rather than open the file. I certainly learned more about this topic due to the responses.
agullandeh1
50%
50%
agullandeh1,
User Rank: Apprentice
9/19/2013 | 9:06:28 AM
re: Dropbox File Brouhaha: Use Case Is The Issue
When moving to the cloud I weighed up Dropbox to similar providers and found their security not meeting my requirements and in the end signed up with SpiderOak who have a zero knowledge privacy policy. Their web UI is a little clunky however
lyecies@yahoo.com
50%
50%
lyecies@yahoo.com,
User Rank: Apprentice
9/19/2013 | 9:14:36 PM
re: Dropbox File Brouhaha: Use Case Is The Issue
Great piece - too much absolutism on this topic rather thinking through the real issues.
Multicloud Infrastructure & Application Management
Multicloud Infrastructure & Application Management
Enterprise cloud adoption has evolved to the point where hybrid public/private cloud designs and use of multiple providers is common. Who among us has mastered provisioning resources in different clouds; allocating the right resources to each application; assigning applications to the "best" cloud provider based on performance or reliability requirements.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - September 10, 2014
A high-scale relational database? NoSQL database? Hadoop? Event-processing technology? When it comes to big data, one size doesn't fit all. Here's how to decide.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.