Cloud // Platform as a Service
10:02 AM
Connect Directly
Repost This

5 Dropbox Security Warnings For Businesses

Recent Dropbox hack showed the risks of storing unencrypted, sensitive information on cloud services. Understand these security points.

What security secrets might an attacker unearth about your business on Dropbox?

The recent "life hack" of journalist Mat Honan has demonstrated the degree to which many technology-savvy consumers have tied together numerous online services, including Gmail, Twitter, Amazon, and Apple iCloud. Due to rampant password reuse, however, attackers have been able to take passwords used on one site, and reuse them to log into a person's account on another site. In the case of Dropbox, that means that any corporate secrets stored there could be easily accessed.

An example of such an exploit came to light this month, owing to a Dropbox employee having stored an unencrypted document on the service that contained Dropbox users' email addresses. An attacker logged into the Dropbox employee's account, using a password that the employee had reused on another--compromised--site, obtained a copy of the document, then used the email addresses to unleash a flood of spam at Dropbox users.

[ What will it take for cloud service providers to get serious about social engineering attack vectors? See Apple, Amazon Security Fails: Time For Change. ]

Given the threat of such attacks, any business with employees that use Dropbox should keep the following five information security essentials in mind:

1. Monitor Dropbox Use

Too many businesses today are turning a blind eye to employees' use of file-sharing services. Accordingly, the first step to getting a handle on the related security concerns is to begin paying attention. "Based on our conversations with business users and IT staff, there is a fair bit more 'Dropbox' and 'Box'-like use out there than many enterprise IT would like or know about," said IDC analyst Richard Villars via email.

What's the risk? "The more we transfer everything onto the Web, onto the cloud, the less we're going to have control over it," warned Apple co-founder Steve Wozniak at a recent event in Washington, reported Agence France-Presse.

2. Compare Cloud Service Security

But many current cloud users don't do their security homework. According to a recent survey of 4,000 business and IT managers recently conducted by Ponemon Institute, which was commissioned by security firm Thales, many business users distrust cloud security, but use the cloud anyway.

"Nearly two-thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data," according to a report written by Larry Ponemon, chairman of Ponemon Institute. Accordingly, businesses must evaluate whether the cloud services being used by their employees are safe for doing business, and if they're not, which add-ons--or entirely different services--should be used instead.

3. Beware Lackluster Security Cloud Service Practices

Are cloud providers serious about security? Consider that in the Dropbox password breach that came to light this month, the company only reset the passwords of users who were known to have been affected--because their usernames or other credentials had been seen in uploads hackers made to password-cracking forums. But security experts believe that attackers typically excise any passwords they've already cracked from such uploads, as well as edit out duplicates, and they've criticized such services for not resetting all users' passwords.

"LinkedIn made the same mistake a few months ago--they only reset the passwords for the accounts they believed to be affected," said Rob Sobers, technical manager at Varonis Systems, in a blog post. "What did they base this on? The list of hashes that were published by the hackers? Is it beyond the realm of possibility that the attackers might not have published the whole list? They're hackers!"

On the upside, however, in the wake of Dropbox's password breach, the company said that it would be introducing two-factor authentication, alerts whenever it detected odd user behavior, as well as audit logs of user access.

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/15/2013 | 8:22:26 PM
re: 5 Dropbox Security Warnings For Businesses
Another option is It also encrypts encrypts your content before it is synced to the cloud by Dropbox.

Unlike some of the other tools mentioned in these comments, Safebox doesn't require you to setup an account (disclaimer, I am on the Safebox development team).
John @ FileCatalyst
John @ FileCatalyst,
User Rank: Apprentice
11/20/2012 | 7:29:18 PM
re: 5 Dropbox Security Warnings For Businesses
The B2B file transfer solutions are usually branded under "Managed File Transfer".
There is a number of forums and groups that discuss these issues in depth. Take a look at the LinkedIn Managed File Transfer Group located here

There are many vendors that provide software solutions in this space, FileCatalyst is one of these vendors.
Jason Miller
Jason Miller,
User Rank: Apprentice
8/15/2012 | 4:21:09 PM
re: 5 Dropbox Security Warnings For Businesses
There are other options to use with Dropbox or any cloud service, like secreteSync to add an extra level of encryption, the above points are important- there are options to help protect what is placed in the storage.
User Rank: Apprentice
8/14/2012 | 6:25:57 PM
re: 5 Dropbox Security Warnings For Businesses
To be a proper business cloud service, security must be the fundamental building block in designing the product. Suggesting that you get that in the Dropbox for Teams product by simply adding a 3rd Party product like Okta for Active Directory integration, which adds further to the $800 cost, does not hold true. It provides authentication, but none of the important group policy functions used by IT departments.

User Rank: Apprentice
8/14/2012 | 4:44:55 PM
re: 5 Dropbox Security Warnings For Businesses
Especially for part 4 (and of course for other reasons), it is important to make sure the files uploaded to Dropbox or other cloud storage services are client-side encrypted. Because even if the files will once be available to the public, the public won't be able to decrypt and use the files.
Our free tool cloudfogger ( ) provides that for al major cloud storage services.

Claudius from Cloudfogger
Google in the Enterprise Survey
Google in the Enterprise Survey
There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.