This Page

has been moved to new address

Is it Safe to Store Proprietary Data in DropBox?

Sorry for inconvenience...

Redirection provided by Blogger to WordPress Migration Service
----------------------------------------------------- Blogger Template Style Name: Snapshot: Madder Designer: Dave Shea URL: mezzoblue.com / brightcreative.com Date: 27 Feb 2004 ------------------------------------------------------ */ /* -- basic html elements -- */ body {padding: 0; margin: 0; font: 75% Helvetica, Arial, sans-serif; color: #474B4E; background: #fff; text-align: center;} a {color: #DD6599; font-weight: bold; text-decoration: none;} a:visited {color: #D6A0B6;} a:hover {text-decoration: underline; color: #FD0570;} h1 {margin: 0; color: #7B8186; font-size: 1.5em; text-transform: lowercase;} h1 a {color: #7B8186;} h2, #comments h4 {font-size: 1em; margin: 2em 0 0 0; color: #7B8186; background: transparent url(http://www.blogblog.com/snapshot/bg-header1.gif) bottom right no-repeat; padding-bottom: 2px;} @media all { h3 { font-size: 1em; margin: 2em 0 0 0; background: transparent url(http://www.blogblog.com/snapshot/bg-header1.gif) bottom right no-repeat; padding-bottom: 2px; } } @media handheld { h3 { background:none; } } h4, h5 {font-size: 0.9em; text-transform: lowercase; letter-spacing: 2px;} h5 {color: #7B8186;} h6 {font-size: 0.8em; text-transform: uppercase; letter-spacing: 2px;} p {margin: 0 0 1em 0;} img, form {border: 0; margin: 0;} /* -- layout -- */ @media all { #content { width: 700px; margin: 0 auto; text-align: left; background: #fff url(http://www.blogblog.com/snapshot/bg-body.gif) 0 0 repeat-y;} } #header { background: #D8DADC url(http://www.blogblog.com/snapshot/bg-headerdiv.gif) 0 0 repeat-y; } #header div { background: transparent url(http://www.blogblog.com/snapshot/header-01.gif) bottom left no-repeat; } #main { line-height: 1.4; float: left; padding: 10px 12px; border-top: solid 1px #fff; width: 428px; /* Tantek hack - http://www.tantek.com/CSS/Examples/boxmodelhack.html */ voice-family: "\"}\""; voice-family: inherit; width: 404px; } } @media handheld { #content { width: 90%; } #header { background: #D8DADC; } #header div { background: none; } #main { float: none; width: 100%; } } /* IE5 hack */ #main {} @media all { #sidebar { margin-left: 428px; border-top: solid 1px #fff; padding: 4px 0 0 7px; background: #fff url(http://www.blogblog.com/snapshot/bg-sidebar.gif) 1px 0 no-repeat; } #footer { clear: both; background: #E9EAEB url(http://www.blogblog.com/snapshot/bg-footer.gif) bottom left no-repeat; border-top: solid 1px #fff; } } @media handheld { #sidebar { margin: 0 0 0 0; background: #fff; } #footer { background: #E9EAEB; } } /* -- header style -- */ #header h1 {padding: 12px 0 92px 4px; width: 557px; line-height: 1;} /* -- content area style -- */ #main {line-height: 1.4;} h3.post-title {font-size: 1.2em; margin-bottom: 0;} h3.post-title a {color: #C4663B;} .post {clear: both; margin-bottom: 4em;} .post-footer em {color: #B4BABE; font-style: normal; float: left;} .post-footer .comment-link {float: right;} #main img {border: solid 1px #E3E4E4; padding: 2px; background: #fff;} .deleted-comment {font-style:italic;color:gray;} /* -- sidebar style -- */ @media all { #sidebar #description { border: solid 1px #F3B89D; padding: 10px 17px; color: #C4663B; background: #FFD1BC url(http://www.blogblog.com/snapshot/bg-profile.gif); font-size: 1.2em; font-weight: bold; line-height: 0.9; margin: 0 0 0 -6px; } } @media handheld { #sidebar #description { background: #FFD1BC; } } #sidebar h2 {font-size: 1.3em; margin: 1.3em 0 0.5em 0;} #sidebar dl {margin: 0 0 10px 0;} #sidebar ul {list-style: none; margin: 0; padding: 0;} #sidebar li {padding-bottom: 5px; line-height: 0.9;} #profile-container {color: #7B8186;} #profile-container img {border: solid 1px #7C78B5; padding: 4px 4px 8px 4px; margin: 0 10px 1em 0; float: left;} .archive-list {margin-bottom: 2em;} #powered-by {margin: 10px auto 20px auto;} /* -- sidebar style -- */ #footer p {margin: 0; padding: 12px 8px; font-size: 0.9em;} #footer hr {display: none;} /* Feeds ----------------------------------------------- */ #blogfeeds { } #postfeeds { }

Friday, August 10, 2012

Is it Safe to Store Proprietary Data in DropBox?

Over the last 5 years, the volume of information that is shared and/or stored in the public cloud due to the increased use of social media platforms such as Facebook, Twitter, and LinkedIn has soared.  According to a report called "The Growth of Social Media", compiled by Search Engine Journal:         

Facebook has in excess of 640 million registered users with over 7 billion pieces of content shared weekly. Twitter has in excess of 299 million registered users with over 95 million tweets per day. LinkedIn has in excess of 100 million registered users.

The risks associated with these popular social media platforms are well documented.  Fortunately, businesses worldwide are quickly evolving their understanding of the risks of what information should and should not be communicated or shared by employees via the various social media platforms. However, these same businesses may be at an even greater risk of exposing proprietary and confidential information by their employees through the use of public cloud storage platforms such as Dropbox.

At the Carmel Valley eDiscovery Retreat (CVeDR) held July 22-25, 2012 in Monterey, California, I had the pleasure of moderating several panel discussions on cloud computing featuring industry experts in eDiscovery, Internet security and the legal risks associated with storing data in a public cloud.  The consensus from the panels was that storing any data in the public cloud poised both a security and a legal risk.  

The recommendations from these experts regarding what data businesses should put in the public cloud varied from "don't put any data in the public cloud" to "don't put any proprietary or confidential data in the public cloud."  However, regardless of what the experts say, the operational efficiencies and financial incentives of cloud computing are just too great for businesses to ignore.  But, that doesn't mean that business owners should ignore the facts.

The Experts are Cautious

The consensus among the CVeDR cloud panel experts was that there was probably more data stored in Dropbox than most businesses realized and that it was a potential source of risk. Several of the lawyers on the CVeDR panels indicated that a business could potentially lose its claims to properly protecting trade secrets and other proprietary information by merely storing data in storage technologies like Dropbox.  The security experts on the CVeDR panel contended that there were still some very worrisome security issues with storage technologies like Dropbox.

What DropBox Says

According to its website, Dropbox contends that they use modern encryption methods to both transfer and store your data such as Secure Sockets Layer (SSL) and AES-256 bit encryption.  In addition Dropbox contends that the Dropbox website and client software have been hardened against attacks from hackers, that public folders are not browsable or searchable and public files are only viewable by people who have a link to the file(s).

What Can Happen

However, Dropbox actually uses Amazon's Simple Storage Service (S3) for storage and therefore they really don't even have direct control over the security of the files that you store.   The potential problems with Cloud Service Providers (CSPs) such as Aamazon S3 was very evident this summer as a severe storm that rumbled across the Eastern U.S, leaving nine people dead and millions without power, also disrupted an Amazon Web Services data center, affecting service for social media sites like Pinterest, Instagram and Netflix, which host their services at Amazon's data centers.
In another alarming security development for AWS, on Monday August 6, 2012,  Amazon changed its customer privacy policies closing security gaps that were exploited in the identity hacking of Wired reporter Mat Honan on Friday. As posted on the Wired.com website in an article by Nathan Olivarez-Giles titled, "Amazon Quietly Closes Security Hole After Journalist’s Devastating Hack", previously, Amazon allowed people to call in and change the email address associated with an Amazon account or add a credit card number to an Amazon account as long as the caller could identify him or herself by name, email address and mailing address — three bits of personal information that are easily found online.

Nathan Olivarez-Giles reports in this article that on Tuesday August 7, 2012,  that Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.

Amazon officials weren’t available for comment on the security changes, but during phone calls to Amazon customer service on Tuesday, representatives told us that the changes were sent out this morning and put in place for “your security.”

The security gap was used by hackers, one of whom identified himself as a 19-year-old going by the name “Phobia,” to gain access to Honan’s Amazon account on Friday. Once Phobia and another hacker gained access to Honan’s Amazon account, they were able to view the last four digits of a credit card linked to the account.

The hackers then used those four digits to trick Apple customer service into thinking it was dealing with Honan. Apple customer service then gave the hackers a temporary password into Honan’s Apple ID, which the hackers used to wipe his iPhone, iPad and MacBook, and gain access to a number of email accounts as well as his Twitter account.

We discovered Amazon’s policy change on Tuesday after we failed to replicate the exploits used on Honan this weekend. Amazon declined comment on the security hole on Monday, and has since failed to return repeated phone calls from Wired about the vulnerability.

In regards to these cloud storage vendors being able to keep data secure. Dropbox confirmed Tuesday, July 31, 2012 that its users had been experiencing a spam onslaught, and reported that the issue was tracked to employee. "Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," said Aditya Agarwal, VP of engineering at Dropbox, Tuesday in a blog post.

However, many of the spam attacks were ultimately traced to a password-reuse problem that existed within Dropbox itself. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," said Agarwal. "We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again." Those controls will include a page that lets users review the login history related to their account, mechanisms for identifying suspicious activity, as well as two-factor authentication.

There is no doubt that weather related issues have knocked out corporate data centers and passwords have been compromised behind the firewalls of even the largest corporations in the world.   However, when this happens, the corporate stakeholders at least have someone to hold accountable.  When these types of things happen with a cloud storage provider such as DropBox, the DropBox Service Level Agreement (SLA) protects DropBox from any direct responsibility or damages.

Recommendation

Moving data to the public cloud is already happening at an accelerating rate.  And, the operational efficiencies and financial benefits are just too great for this trend to slow down.  Therefore, even though it is a fair question to ask if it is safe to move your data to a public cloud, a more realistic question might be, "What do I need to know and what do I need to do to ensure that my data will be safe once I move it to the public cloud?"

With input and guidance from the CVeDR cloud panel experts, my recommendations are as follows:

1.     Don't move any business data to the public cloud that is confidential, proprietary or is the essence of valuable corporate Intellectual Property (IP).
2.     Have your legal department read the providers Service Level Agreement (SLA).
3.     Develop and/or follow corporate data retention policies in regards to the data you store in the public cloud.
4.     Develop and/or follow corporate password and other security policies in regards to the data you store in the public cloud.
5.     Talk to the cloud storage provider about eDiscovery and develop a joint plan for how it is going to be accomplished and how much it is going to cost.

Storing data in the public cloud is inexpensive and very efficient.  Just be aware that there are risks that need to be mitigated and addressed.

Labels: , ,

posted by Charles Skamser @ 9:11 AM

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home