Are there any particular security concerns to keep in mind with company-wide use of Dropbox file sharing / versioning / backing up, and are there specific options or settings that would be recommended to limit the risk?
It depends on your business and your level of paranoia. It's much safer, albeit more expensive, to issue laptops with a VPN connection.
Real quick...
Some Risks:
Recommendations:
I would tread very carefully here. Dropbox enables an extension to another computer's hard drive.
That extension is worse than a USB key in the sense that infections on one PC can get onto all the other PCs using that share much more easily than with a USB key. Virus/trojan/bot writers don't target Dropbox (yet), but if they decide to, then you've got a virtual unlocked door from a company-controlled PC on a secure network to an insecure computer on an insecure network. As is, using normal operations, one can't just go through that door and look at other things on the computer; only items within the Dropbox can be seen, and new items can only be created in that area, but that's assuming that the Dropbox application itself can't be compromised.
Further, Dropbox claims a great deal of security, but what is actually provable to you? It's possible someone can sneak in that window remotely from a completely different PC and attempt to put infected documents and programs onto the work PC.
There is obviously a protocol Dropbox itself uses to communicate with its clients. Is it encrypted? Is it immune to buffer overflows? Man-in-the-middle attacks? Sniffing? Replay attacks? Is it possible, using the standard protocol, to place files inside or even outside the standard Dropbox area? If the protocol has a buffer overflow, is it possible to compromise it in a way that allows full access to the machine? Network shares on the machine?
I don't think the risk is very high, but the damage done can be extensive, so it's something that has to be carefully thought out.
-Adam
Paranoia????
Dude.. Step away from the network.. SLOWLY.. With your hands away from the Keyboard.. DO IT NOW!!!
Cloud-based "consumer" file-sharing solutions like Dropbox are not meant for businesses or corporations. Microsoft said it best with SkyDrive when they came out and said that these types of products are not, and should not be, used for business purposes.
There are thousands of reasons why not that outweigh the reasons why one should.
The biggest LEGAL reason outside of the security risks (and the Terms of Use, which specify that 3rd parties can have access to confidential files, hence nothing confidential should ever be stored on such a consumer-based service... EVER) is this: with a service such as Dropbox, where are those files stored? Where are those servers located? You can rest assured, with the lowest bidder, something called Data Export Rules and Laws comes into play. Should you have a single tiny file the "United States Government may deem as a risk or potential risk to U.S. security" (could be something as small as an electrical layout of a public gathering place, school or gym, or a password or username to something like a Cisco account where you can download export-restricted software, etc., up to classified documents), you are in violation of that law. You go to jail, you do not pass go. I believe that is now handled by the FTC and Homeland Security.
The DB terms of use specify (basically) that if it is installed on a business PC (Dropbox assumes this because the person installing it on the business PC guarantees they are "authorized" by clicking through the TOU), the "authorized" individual is doing so FOR THE ENTIRE COMPANY. Period. (First section in Dropbox.com/terms)
What stops me from using this outside of my server and work environment is simply ethics. You have a consumer product like SkyDrive that in big letters says "No business. Don't!" because they do not want to risk customers' data on a business level, because they KNOW it is a risk! And then flippin' Dropbox, who uses legal words in their contracts such as the word "stuff", who pattycakes the entire "security thing" and acts like it's no big deal (would you want to lose profit and shares that valuable? Probably not...).
It is a big deal. The more security groups beg you and me to follow simple practices, the more big companies like Dropbox come out and, for money, for profit, act like it's no big deal.
What if your business stored a tiny piece of a single credit card number and a name and expiration date? Now say the PC the Dropbox client was installed upon was, uhmm, "gotten into" through a Dropbox security breach. Following me? Visa/Amex etc., the ginormous bank companies WITH government support (because the Payment Card Industry (PCI) Standards say so, that's who), WILL fine you. Get this, you may want to sit down: a staggering $500,000.00 PER INCIDENT. It is enough to put a small or medium business out of the business they are in.
The ONLY way to get around it is to locally encrypt that data using a PCI-certified encryption product BEFORE it goes to Dropbox, purchasing licensing for all your remote devices, downloading the file you need, and decrypting it before you can use it. (Nope, don't sound like it ain't no fun at all...) (Or encrypting data on your server's network and clients at the gateway...)
With all that, for less than $20 a user (about $11 for the basic one) you can get an Office 365 E-series plan that IS HIPAA, SOX, ISO, and PCI certified. (Dropbox, hidden in their pages, clearly states that "at this time" they are not.)
So ask yourself, albeit in your mind small: is it actually worth the risk? And DO you want to do business with a company who, I think, steps lightly on or makes light of the risks associated with using their product?
Is it worth the risk to your career if you are in technology and you do get breached and you DID allow Dropbox? DO you think you are employable after your name is beside a breach and you make the news? As a CTO, I can promise you, not on my life would I even hear the excuse behind it. I would never even interview anyone in technology who by their own actions or decisions caused a breach of data on any sized network. Yes, we all make mistakes, which is why your job in IT is to eliminate any risk, big or small, as best you can. Not open up the worm hole and scream for Alice. It is a disaster for PR for a business (if a competitor found out and leaked who you are and (gasp) what you did), and an increased liability to hire someone because they allowed a file-sharing service who publicly acknowledged and stated they were not PCI, SOX, ISO, or HIPAA certified.
Well, that's for you to decide. Is it worth a career? Is it worth the loss of your company or customer data?
For me, it is not. Consumers use consumer products, not businesses. Period.
An update (1.5 years later): Dropbox now claims that they transmit the data via SSL and store it in AES-256 containers they cannot access themselves (without the password).
Dropbox recently admitted that they don't use SSL for transferring file metadata between mobile clients and their servers. They do this on purpose, for performance reasons. They don't state anywhere on their website that they do this. You can read about it here:
https://grepular.com/Dropbox_Mobile_Less_Secure_Than_Dropbox_Desktop
I think they're working on a version for companies to use internally, with more security, but meanwhile, the files aren't encrypted on their servers, so you do have to trust them.
Other than that, I can't see other security risks specific to Dropbox (like information leakage).
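The answers above converge on one practical control: if the files are not encrypted on Dropbox's servers and you "have to trust them", encrypt locally before the data ever enters the synced folder, and only ever decrypt on the endpoint. The following is an added example illustrating that pattern (it is not code from Dropbox or from any poster here). It seals each file with AES-256-GCM under a key that lives outside the synced folder, and binds the file's relative path as associated data so that a container renamed or copied over another one in the share fails authentication instead of decrypting silently. The `DBXENC1` header, the `Seal`/`Open` names and the demo input are assumptions for illustration only; the key derivation (passphrase to 32-byte key) is deliberately left out and should come from a local key file or OS keychain.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// magic is a hypothetical container header chosen for this example so that a
// synced file can be recognised as output of this tool (it is not a Dropbox format).
const magic = "DBXENC1\x00"

// Seal encrypts plaintext with AES-256-GCM under a 32-byte key and returns
// magic || nonce || ciphertext || tag. The file's relative path inside the
// synced folder is bound as associated data, so moving or renaming a sealed
// file over another sealed file makes Open fail.
func Seal(key []byte, relPath string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 random bytes, fresh per write
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte(magic), nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(relPath)), nil
}

// Open reverses Seal. Any change to the header, nonce, ciphertext, tag, key or
// path makes the GCM tag check fail, so a corrupted, swapped or tampered file is
// rejected rather than decrypted to garbage.
func Open(key []byte, relPath string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(blob, []byte(magic)) {
		return nil, errors.New("not a sealed container (missing header)")
	}
	rest := blob[len(magic):]
	ns := gcm.NonceSize()
	if len(rest) < ns+gcm.Overhead() {
		return nil, errors.New("container truncated")
	}
	nonce, ct := rest[:ns], rest[ns:]
	pt, err := gcm.Open(nil, nonce, ct, []byte(relPath))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong path, or tampered file")
	}
	return pt, nil
}

// newGCM builds the AEAD and enforces the AES-256 key length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo input. In practice the key comes from a local key file
	// or an OS keychain, never from the synced folder itself.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	secret := []byte("cardholder=J. Doe exp=12/29 pan=4111111111111111")
	sealed, err := Seal(key, "finance/refunds.txt", secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into a %d-byte container; PAN visible in container: %v\n",
		len(secret), len(sealed), bytes.Contains(sealed, []byte("4111")))

	// A one-bit change to the tag (e.g. a corrupted or malicious sync) is rejected.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, "finance/refunds.txt", tampered)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

Two design points worth noting: the nonce is random per write, which is fine for GCM as long as the same key is not used for more than roughly 2^32 files (rotate the key per folder or per year if you sync a very large tree), and the path binding means a renamed container must be re-sealed under its new path, which is the intended cost of preventing silent file substitution within the share.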
A lot is going to depend on the policies in place at your company. If it's like where I work, where all development I do belongs to the hospital and not me, then I'd be worried about it being an easy means for company intellectual assets to "wander off".
There are plenty of document management systems that would let you set up something that is only accessible internally or via a monitorable connection.