Thread: Dropbox and security in the cloud

  1. #1

    Join Date
    Jul 2011
    Location
    Glasgow
    Posts
    5

    Dropbox and security in the cloud

    I am interested in security and encryption in cloud backup and I think the recent Dropbox security failure raises some challenging questions.

    Dropbox claimed that not even company employees can gain access to the data in user accounts and says that it uses ‘modern encryption methods’ so that data is available only to users and that online access requires a user name and password. Apparently employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents).

    However, Dropbox recently changed its terms of service to incorporate the fact that the company will comply with a valid legal order to turn over user data. If employees aren’t able to access user files then how can they unencrypt files to give to the government, if that becomes necessary? Employees are forbidden by company policy, rather than physically prevented, from looking at file contents.

    I would therefore like to ask forum users whether they think the recent Dropbox security failure and also this change in terms and conditions raised awareness of cloud storage security amongst end users?

  2. #2
    Founding Member mbottoms's Avatar
    Join Date
    Feb 2011
    Location
    Fort Worth, TX
    Posts
    24
    The interesting thing about end to end encryption and customer-held keys is that, even if a vendor does agree to comply with the order and hand over the data, the information is not useful without the encryption key. There is a lot of interesting recent (US) case history on the subject of whether the customer could be forced to hand over the encryption key, or if they are protected from that by the 5th amendment.

    "We can forgive a man for making a useful thing as long as he does not admire it. The only excuse for making a useless thing is that one admires it intensely. All art is quite useless."
    - Oscar Wilde

  3. #3

    Join Date
    Jul 2011
    Location
    Glasgow
    Posts
    5
    Yes - that's a really interesting point and has huge implications, particularly from a legislative point of view. What is your opinion on whether fears about security pose a barrier to the uptake of cloud storage? Do you think encryption is a tick box that people don't really think about with attributes like dedupe considered more important?

  4. #4
    Founding Member mbottoms's Avatar
    Join Date
    Feb 2011
    Location
    Fort Worth, TX
    Posts
    24
    That really depends on the business and their level of exposure. In the SMB market consumers are less likely to look at the nuts and bolts in detail, and are more concerned with cost. As long as they are assured that it will allow them to meet whatever security requirements are mandated in their field they'll look more at compression and dedupe, as those are the features that will have more impact on bottom line.

  5. #5
    QStoss's Avatar
    Join Date
    May 2011
    Location
    Toronto, Canada
    Posts
    24
    If we take a step back here and think about this from our common sense corner we can see which is more secure...

    1. Refusing to hand over encryption keys to the gov't in the event your company's data falls under a warrant in an investigation... The gov't has your cloud hosted data but not your keys... hmmm...

    2. Keeping your data on disks, tapes etc. in a secret physical location... hmmmmmmm

    I'm preeety sure the gov't would get at your physical media in your secret location just as quickly as they could persuade you to hand over your encryption keys for your cloud hosted data

    So in the end, Cloud is just as secure as non-Cloud.

  6. #6
    If talking consumer end, it might have raised awareness together with other news (e.g. PlayStation/White House security attacks); however, awareness is nothing without action. There are still a lot of people thinking: 'sure, it won't happen to me'.

    In the commercial/enterprise space, it's a different picture if you look at the IT side. The focus is definitely even stronger on security, although even before it was the number 1 concern with any SaaS application. This is visible in customer conversations, RFP criteria etc.

    And even then, if you look at the non-IT side in commercial/enterprise, a good bit of internal end-users, including people that should know better, use less than secure cloud services with excuses such as: "I'm very careful of what I put up. I don't put sensitive material up"

    Regardless of the awareness/focus it still comes down to user friendliness combined with forward thinking design choices from the cloud service providers. Cloud businesses have to assist their customers by making software easy, intuitive and secure at the same time, so end users choose the secure way because it's the best and most useful experience for them, not just because it's ordained and enforced by the IT department.

  7. #7
    At the company that I worked for till recently, our group used Dropbox on the sly - corporate IT would have never allowed it. However, we used it nevertheless. We got singed by the use of the tool when a colleague of ours walked away with a lot of our data when he left the firm, joined competition and started to use our ideas, though repackaged, at his new workplace. We found out when we noticed that on one of the competitive bids that we were working on, our competition had submitted a proposal that looked a lot like our own. The powers that be had to then call this person and "counsel" him against such activities. But yeah, it wasn't pretty....and we had to stop using Dropbox!

    So, if you ever want to use Dropbox at a business - do so at your own risk.

  8. #8
    Well, there can be other risks beyond what the others on this thread have already spoken about. Here's an interesting article - http://www.cnn.com/2012/07/18/tech/w...ity/index.html

    Looks like Dropbox is investigating a data breach.

  9. #9
    QStoss's Avatar
    Join Date
    May 2011
    Location
    Toronto, Canada
    Posts
    24

    Cool Badass

    I think that the recent post by TheBackupKnight is badass. I'd love to hear the call recording of the "counseling" session!