Dropbox Security Breach: You’re Only as Secure as Your Cloud Vendor

Personal Cloud And Sensitive Data Don't Mix

On Friday, July 20, news of a new Dropbox security breach started to spread, and let’s just say . . . we’re not surprised. In fact, we’ve been saying for a while now that both businesses and consumers need to seriously consider how, and for what data, they use personal cloud services like Dropbox. The June 2011 security breach, in which Dropbox unintentionally left user accounts wide open, was viewed by some as a one-time thing. Now we know it’s not, and it’s time for folks to take their heads out of the sand.

TappIn’s President and co-founder, Chris Hopen, has long seen the writing on the wall about services like Dropbox and SugarSync. He most recently discussed this in an interview with TechTarget in March, during which he expanded on the challenges posed by these services:

“Insecure or insecurely used remote access technologies – mechanisms that most security teams assume pose little risk – in reality offer an abundance of options for attackers to infiltrate enterprises . . . The biggest concern is that attackers will exploit that remote access connection as a jumping-off point, a hop along the way, to get deeper into an organization.”

Of course, others have seen this coming as well. A May 2012 study by the Fraunhofer Institute for Secure Information Technology in Germany found that the security of many cloud storage solutions is inadequate. In fact, none of the tested providers, including Dropbox, CloudMe, and TeamDrive, fulfilled all of the security requirements set forth by the Institute. Weaknesses in user guidelines were commonplace, and many of the providers even lacked proper encryption.

According to Michael Waidner, director of the Institute, “Some of the services may be suitable for private users. However, with regard to sensitive corporate data, users should think carefully about whether the security measures really are sufficient.”

IBM also recognized the potential for a data security disaster stemming from the unfettered use of Dropbox to store and access its sensitive enterprise data. In May, it banned employees organization-wide from using Dropbox for any purpose related to IBM.

The reality is that Dropbox and its ilk were built as consumer services and, through the explosive growth of BYOD, have made their way into the enterprise, with or without the consent of IT. In fairness, IT departments have already been overwhelmed by the onslaught of consumer mobile technology, but the time has come to recognize that these personal cloud services were built with consumer ease, not enterprise security, in mind.

As Network World recently put it, allowing employees to keep bringing these services to work to access sensitive enterprise data is tantamount to standing by as the inmates wrest control of the asylum. If you didn’t see it before, this latest breach should tell you: it’s time to regain control.