Should you drop Dropbox?


By Andrew Collins
Wednesday, 14 January, 2015


Some experts say banning Dropbox and similar services is at best impossible and, at worst, can damage your business.

Across organisations, employees are introducing consumer-grade cloud storage tools on the sly - without the blessing of the IT department. Gartner analyst Mario de Boer addressed the issue in his report, ‘Enterprise File Synchronization and Sharing: Thinking Through the Security Issues’.

“Users want to be confident that the information they access (on whatever device they decide to use) is always current and up to date. Users accessing these multiple devices often want to share those files with others - both internal and external. Email is often not flexible enough for this purpose and external-facing collaboration platforms are rare,” de Boer wrote.

Speaking to Technology Decisions, IBRS analyst Kevin McIsaac says that the convenience that tools such as Dropbox provide means their introduction into the workplace is “inevitable”.

“Typically this genie is already out of the bottle. Everybody’s using it,” he says.

Jason Ha, national manager security practice at Dimension Data, feels the same, saying the use of consumer cloud storage tools in the workplace is “quite rampant”.

McIsaac has observed this phenomenon emerge alongside the rise of the tablet PC, particularly the iPad. For example, someone would want to view a Word document while on a flight, so they’d pop it on their Dropbox and be able to read it when they were in the air.

The risks

While these consumer cloud storage tools may provide productivity gains to users, they introduce a variety of risks and problems to the organisation.

“Consumer-grade file sync and share (FSS) solutions are a risk to most organisations’ sensitive data,” wrote de Boer.

Data leakage is one potential risk. For example, if one of your product engineers has highly confidential prototype plans on their personal cloud storage account and their password is compromised, an attacker could easily log into the web interface of that storage tool and pilfer those plans.

According to McIsaac, there’s “another huge problem” with employees using their own Dropbox accounts. “That Dropbox account is not owned by the corporation. So if the employee is terminated, you can’t get that Dropbox account back. Even if they set it up and the company’s paying for it, it’s actually individually owned.”

These tools also create problems around the management of data, by keeping data in pockets or islands separate from the rest of the organisation. This is particularly problematic in the case of enterprise search - for example, if an organisation has to undergo some legal discovery operation to find files that contain certain words or phrases.

“If they’re all inside of my file share or Exchange, that’s great. But the moment those things live in Dropbox, how do I do those compliance functions?” McIsaac asks.

“Whether it be security, compliance, control or knowledge retention - [consumer cloud storage tools] have dropped a big hand grenade inside of your information management functions,” he says.

Dimension Data’s Ha offers some examples of the havoc that these consumer cloud tools have created in organisations. The company offers a service to its clients called a ‘cloud security assessment’. Ha explains: “It’s really designed to help clients gain visibility of the types of cloud services that are actually running in their environment.”

He says that in “probably 50%” of these assessments, they find that a large number of the client’s developers are uploading source code to one of several online code development/sharing websites, for a non-malicious, practical purpose.

But often with these code sharing websites, any code uploaded becomes the property of the site, creating intellectual property headaches, Ha says. “They basically own your source code - that’s the underlying agreement as part of the terms of use [of the website].”

These consumer cloud storage tools can also provide a vector for malware. “Recent developments in malware research have shown how FSS solutions can be used as an effective way to transport malware to enterprise networks. Users being infected while not in the enterprise’s network can sync infected files with internal systems,” de Boer wrote.

“As demonstrated at Black Hat 2013, FSS’s bidirectional communication between external and internal systems can even be used as a command and control channel between an infected internal endpoint and external machines.”

To ban …

Some organisations react to these risks by simply banning the use of these consumer cloud storage tools. According to Ha, having a “no cloud storage” position of that sort is “becoming rarer”, but does still occur.

Such a ban could take the form of a company policy against their use.

“I’m always a big fan of using policy if I’ve got strong culture,” says IBRS’s McIsaac. “If your organisation has strong culture - like, say, you’re a legal firm - you might get away with it from a policy perspective. But the people are still going to hate your guts. Because you’re not providing the service - you’re providing a third-rate service if you don’t give them that kind of functionality.”

Dimension Data’s Ha says that if you have a hardline position against cloud storage tools, “The only way that you can enforce that position is if you actually have very good visibility capabilities, and then a way of shutting the services down.”

For visibility, you need “a full audit of all the services that are running in the organisation, so you can constantly identify when cloud services start getting used”. And to shut the services down, “you can use some of the existing capabilities in the organisation - like web content filtering solutions or firewalls to block access”.

With these tools combined, “You can go through a stage of enforcement where you can actually start locking down the services and then continuously monitor to see if people are using the services or not, then shut it down as you go,” Ha says.

In most organisations a secure web gateway (SWG) controls the acceptable internet use policies, according to de Boer.

“SWGs are the infrastructure components best equipped to (selectively) block access to FSS solutions. However, it can be a challenge to figure out which FSS solutions to block. Gartner clients that have monitored network traffic to FSS solutions often report between 10 and 15 different FSS solutions being used by employees,” de Boer wrote.

Mobile device users are also a challenge for blocking via SWGs. “Devices that are not centrally managed (and forced to use a SWG) or that are not used via the organisation’s network cannot have access blocked.”
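
The visibility step described above, as an added example that is not from the article or from any vendor's product: tally file sync and share traffic per service from web proxy logs, then list the services outside the sanctioned set. The log layout, the domain-to-service mapping and the sanctioned service are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed mapping of domain suffix -> FSS service; extend it from your own traffic review.
FSS_SUFFIXES = {
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "box.com": "Box",
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
}
SANCTIONED = {"Box"}  # hypothetical company-endorsed service

# Constructed sample lines: epoch client_ip user method host[:port] bytes_uploaded
SAMPLE_LOG = """\
1421193600 10.0.4.17 jsmith CONNECT client.dropbox.com:443 48211
1421193611 10.0.4.22 akhan CONNECT app.box.com:443 1200
1421193620 10.0.4.17 jsmith CONNECT dl.dropboxusercontent.com:443 9100
1421193640 10.0.4.31 mlee CONNECT drive.google.com:443 730000
1421193655 10.0.4.40 pnguyen GET www.notdropbox.com 300
1421193660 truncated-line
"""

def classify(host):
    """Return the FSS service for a host, matching whole DNS labels only."""
    host = host.lower().split(":")[0]  # drop any :port
    for suffix, service in FSS_SUFFIXES.items():
        # "www.notdropbox.com" must not match "dropbox.com"
        if host == suffix or host.endswith("." + suffix):
            return service
    return None

def inventory(lines):
    """Aggregate users, request count and uploaded bytes per FSS service."""
    inv = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_up": 0})
    for line in lines:
        fields = line.split()
        if len(fields) != 6 or not fields[5].isdigit():
            continue  # skip malformed or truncated records
        user, host, sent = fields[2], fields[4], int(fields[5])
        service = classify(host)
        if service:
            inv[service]["users"].add(user)
            inv[service]["requests"] += 1
            inv[service]["bytes_up"] += sent
    return dict(inv)

def unsanctioned(inv):
    """Services seen in traffic that are not on the sanctioned list."""
    return sorted(s for s in inv if s not in SANCTIONED)

if __name__ == "__main__":
    # Only traffic that crosses the proxy shows up; unmanaged devices do not.
    print(unsanctioned(inventory(SAMPLE_LOG.splitlines())))
```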

… or not to ban

But according to IBRS’s McIsaac, introducing a technological solution to ban the use of cloud storage tools like Dropbox is itself problematic.

“If you put in technology, then you’ve got to have a bunch of people who spend their days dealing with that. And for everything [you] do to try and stop it, somebody finds a way around it. It creates all sorts of additional complexities around your information management,” McIsaac says.

And whether you go a pure policy route or use a technology solution to back it up, “you’re not popular and you generally end up making the environment even worse”, he adds.

Instead of banning these tools, McIsaac says you’re better off introducing a company-endorsed cloud storage tool to employees - one with suitable security and management features.

“You’re not going to stop people doing this - you’ve got to provide them with a better alternative. The benefits that people get from a Dropbox-like experience are so compelling to those folks that they’re going to do it anyway, no matter what you do. They’ll find a way - you can’t stop them. What you can do is you can provide an alternative that is good enough or as good as that experience, and then put in place drivers so that it’s easier for them to use your corporate solution than to use Dropbox,” McIsaac says.

“If people are really demanding this stuff, you’ve got to have a solution. It’s not enough to try and stick your head in the sand and pretend that that functionality is of no value,” he adds.

Gartner has very similar advice, with de Boer suggesting that you “Proactively provide users with a sync capability that is similar to Dropbox in its ease of use, rather than simply blocking access to a similar tool that’s evidently a necessity.”

Dimension Data’s Ha, however, is agnostic on the decision to ban or not to ban. “Being a provider of services, and an advisor of services, the policy decision comes down to the client. We can make some suggestions but we don’t judge if that’s what they want to do. We would just say: that’s fine, if that’s your policy position, we respect that, but this is what we suggest you would do then.”

A matter of control

If you decide to provide an enterprise-grade, company-sanctioned cloud storage tool to your employees, you may want to consider exactly what security features or controls you require from such a tool.

For example, you might decide you have no problems with somebody accessing the company’s cloud storage when they’re on a PC with an encrypted hard disk, but deny them access if they want to use it from a hotel browser, McIsaac suggests.

And if you are concerned about industrial espionage, you may decide to block employees from accessing your cloud storage when they travel to other countries - particularly given recent news of threats such as Darkhotel. “You might say: when [an employee is] inside Australia, no problem. When they’re in China, no, they can’t get to it,” McIsaac says.

However, these particular controls “are very esoteric”, McIsaac adds. While controls like these are necessary for some organisations, the controls that are usually of interest are “really trivial”.

These more common controls can include: cutting off access to and remotely deleting any data from a mobile device if it’s stolen; allowing or denying access based on the exact device being used, the network it’s being used from, or the time of day; or a ‘poison pill’ so data is deleted from a device after a specific date.

“Really, really simple policy controls. And then it comes down to what makes the most sense for your organisation,” he says.

Dimension Data’s Ha adds that the necessity of specific security features “all really comes down to the policy perspective”.

“Encryption is generally a bit of a kneejerk reaction - these days, anyway - where some organisations will say: if we’re going to use [a cloud storage tool] we need to encrypt.”

Instead of assuming that encryption is a necessity for every organisation using cloud storage, Ha suggests that you ask: “Do you really need to encrypt the data? What’s the nature of the data? Because it is encrypted in transit - because it’s usually an SSL form of connection - and for the high security cloud services, it’s usually encrypted at rest as well on the cloud service provider. So what risk are you really managing against?”

Dimension Data asks its clients about privileged access and data loss. “Are you more concerned about how people are actually using the service, who’s accessing the service, what information are they putting up and down, and are there different types of information that you don’t actually want to go up and down?”

“So that becomes more of monitoring the usage of the service, as opposed to worrying about the heavy-duty encryption side of the service. Some of the visibility tools will give you that capability to actually help you understand how the services are being used and the type of information being exchanged on the services,” Ha says.

Whichever controls you decide are important, you need to keep an eye on functionality and the user experience.

“For most users usability trumps security and control. Solutions that fail to meet usability expectations will not be adopted, and users will fall back to consumer solutions,” Gartner’s de Boer wrote. Similarly, “Too much control that impedes user experience will [also] drive users back to consumer-grade solutions.

“It is critical that any enterprise solution offers functionality that exceeds or is at least comparable to the solutions that users can access free of charge as a consumer.”

Image credit: ©fergregory/Dollar Photo Club
