Global CIO: The Dropbox Deception: Caveat Emptor - InformationWeek
IoT
IoT
Cloud // Cloud Storage
Commentary
5/18/2011
06:15 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Global CIO: The Dropbox Deception: Caveat Emptor

Anyone who entrusted sensitive data to Dropbox without code review, or at least skepticism regarding impressive security claims, wasn't behaving well, either.

I read a tweet several weeks ago which mentioned that Dropbox, the online file-sharing utility, was trying to kill an open source project. In the scuffle, various researchers realized that Dropbox, contrary to its earlier claims, actually had access to encrypted files on the service. Wired subsequently reported that an FTC complaint has been lodged against Dropbox, charging that it lied to users.

I'm assuming that most IT leaders don't have their feelings bruised. At least I hope they don't.

I'm a big proponent of using tools like Dropbox, SugarSync, and Box.net. Cloud-based file storage synchronization is one of the only ways, given the dirt-road-monopoly state of broadband in this country, that users can have reasonably quick access to their files when they're on the go. These services are also a way for users to easily work on their files when disconnected from the network, given that universal wireless doesn't quite exist yet.

In fact, I'm writing a draft of this column on an airplane using one of these services. When I get home, I'll be able to edit it on a somewhat larger keyboard, and instead of playing the USB stick shuffle, my updated column will be available just about as soon as I turn on the computer.

But despite being something of a fanboy, I personally don't trust service providers who tell me that, in a super-secret, unknown-to-me methodology, they're encrypting my files in a way that even they can't read them. That sounds too good to be true. In fact, any cryptographer will tell you that any methodology that's too secret to be revealed is also probably too weak to be used.

Back when I was a security practitioner, it was common knowledge that the way software companies hid a bad encryption algorithm was to claim that it was proprietary. So I wasn't surprised to learn that, despite claims that files on Dropbox were "inaccessible without your account password," files were in fact accessible by Dropbox admins. I've worked with military and public safety long enough to know that such access is generally smiled upon by law enforcement. And I've worked with system admins and application programmers long enough to be paranoid about back doors that they don't mention to the marketing folks.

In my personal life, I've used open source software to encrypt files with sensitive data like social security numbers and health information. It's pretty easy: I create an encrypted file container that then gets synchronized with Dropbox.

In my work life, our guidance over the last year to employees who use Dropbox is that, though it's a cool tool, don't store anything that's super-sensitive on it. While we have third-party enterprise encryption software available to us, I highly doubt that my organization will be applying it to Dropbox, simply because there's not a huge use case.

Dropbox and other cloud file-synchronization providers are great for sharing anything but the family jewels. If an organization has a use case for sharing the family jewels among a distributed workforce, it can probably strike a deal with the provider. Such a deal might include a third-party inspection of the software's source code to ensure that no back doors exist, but providers will resist. Such a deal could be struck only if the dollar value of the contract is extraordinarily high; these types of reviews are usually the province of Fortune 500 organizations.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

Here's my point: Even when Dropbox says it uses a non-proprietary and open standard, the U.S. government's Advanced Encryption Standard, the software itself remains an unknown quantity. And if you don't know, via third-party review, that the underlying software is what the provider claims it to be, you're not discharging your duty to your organization properly if you blindly accept that claim. When Ronald Reagan dealt with international relations, he was fond of quoting the Russian proverb "Trust, but verify." That goes double for security matters at your organization.

Cloud software is tantalizing--better, faster, cheaper, more secure. But the Dropbox Deception, as I'm sure it will now be called, is a clear reminder of the basic rule of enterprise software procurement: caveat emptor.

Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina. Write to him at jf@feldman.org or at @_jfeldman.

In the new, all-digital issue of InformationWeek: Our 2011 Strategic Security Survey shows increased executive interest in security. Here's what you should do next. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Annual IT Salary Report 
Base pay for IT professionals has remained flat this year with a median annual salary of $88,000 for staff and $112,000 for management. However, 58% of staff and 62% of managers who responded to our survey say they're satisfied with their compensation. Download this report to find out which positions earn the highest compensation.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll