Global CIO: The Dropbox Deception: Caveat Emptor
Anyone who entrusted sensitive data to Dropbox without code review, or at least skepticism regarding impressive security claims, wasn't behaving well, either.
By Jonathan Feldman InformationWeek
I read a tweet several weeks ago which mentioned that Dropbox, the online file-sharing utility, was trying to kill an open source project. In the scuffle, various researchers realized that Dropbox, contrary to its earlier claims, actually had access to encrypted files on the service. Wired subsequently reported that an FTC complaint has been lodged against Dropbox, charging that it lied to users.
I'm assuming that most IT leaders don't have their feelings bruised. At least I hope they don't.
I'm a big proponent of using tools like Dropbox, SugarSync, and Box.net. Cloud-based file storage synchronization is one of the only ways, given the dirt-road-monopoly state of broadband in this country, that users can have reasonably quick access to their files when they're on the go. These services are also a way for users to easily work on their files when disconnected from the network, given that universal wireless doesn't quite exist yet.
In fact, I'm writing a draft of this column on an airplane using one of these services. When I get home, I'll be able to edit it on a somewhat larger keyboard, and instead of playing the USB stick shuffle, my updated column will be available just about as soon as I turn on the computer.
But despite being something of a fanboy, I personally don't trust service providers who tell me that, in a super-secret, unknown-to-me methodology, they're encrypting my files in a way that even they can't read them. That sounds too good to be true. In fact, any cryptographer will tell you that any methodology that's too secret to be revealed is also probably too weak to be used.
Back when I was a security practitioner, it was common knowledge that the way software companies hid a bad encryption algorithm was to claim that it was proprietary. So I wasn't surprised to learn that, despite claims that files on Dropbox were "inaccessible without your account password," files were in fact accessible by Dropbox admins. I've worked with military and public safety long enough to know that such access is generally smiled upon by law enforcement. And I've worked with system admins and application programmers long enough to be paranoid about back doors that they don't mention to the marketing folks.
In my personal life, I've used open source software to encrypt files with sensitive data like social security numbers and health information. It's pretty easy: I create an encrypted file container that then gets synchronized with Dropbox.
In my work life, our guidance over the last year to employees who use Dropbox is that, though it's a cool tool, don't store anything that's super-sensitive on it. While we have third-party enterprise encryption software available to us, I highly doubt that my organization will be applying it to Dropbox, simply because there's not a huge use case.
Dropbox and other cloud file-synchronization providers are great for sharing anything but the family jewels. If an organization has a use case for sharing the family jewels among a distributed workforce, it can probably strike a deal with the provider. Such a deal might include a third-party inspection of the software's source code to ensure that no back doors exist, but providers will resist. Such a deal could be struck only if the dollar value of the contract is extraordinarily high; these types of reviews are usually the province of Fortune 500 organizations.
Here's my point: Even when Dropbox says it uses a non-proprietary and open standard, the U.S. government's Advanced Encryption Standard, the software itself remains an unknown quantity. And if you don't know, via third-party review, that the underlying software is what the provider claims it to be, you're not discharging your duty to your organization properly if you blindly accept that claim. When Ronald Reagan dealt with international relations, he was fond of quoting the Russian proverb "Trust, but verify."
That goes double for security matters at your organization.
Cloud software is tantalizing--better, faster, cheaper, more secure. But the Dropbox Deception, as I'm sure it will now be called, is a clear reminder of the basic rule of enterprise software procurement: caveat emptor.
Jonathan Feldman is a contributing editor for InformationWeek and director of IT services for a rapidly growing city in North Carolina.
Write to him at firstname.lastname@example.org or at @_jfeldman.