Dropbox can put organizations at risk by not having adequate security controls, increasing the chance of security breaches. In one incident, Dropbox email addresses were successfully hacked and then used to send Dropbox users spam. Many enterprises are not prepared to take that risk and are forbidding the use of Dropbox, making it the number one banned application according to a survey by Fiberlink.
IT Security and Dropbox: Lifting the Ban
Dropbox introduces security risks by not including the authorizations that are required as part of healthcare and financial regulations. For example, Dropbox is typically not integrated with an organization’s DLP (data loss prevention) solution, which ensures that only authorized users transfer files and that sensitive data, such as credit card numbers and patient data, doesn’t leak from the organization. Dropbox also does not include a full audit trail of which files were transferred, when and by whom, as well as who downloaded the files.
Once the data resides in Dropbox, the risk continues. This data might remain in the cloud forever without any control or monitoring. Hackers are aware that Dropbox can contain important data and often make breaching Dropbox a high priority, and they will do whatever it takes to access this information.
Dropbox is not the only collaboration solution that can be more easily compromised. Other cloud file sharing solutions such as Google Drive and Microsoft SkyDrive have similar limitations.
Dropbox keeps coming back
Given Dropbox’s vast scale (it boasts 200 million users, with business users quadrupling in recent years), users are not likely to give up Dropbox on their own.
When users need to collaborate with business partners, remote users and customers, file sync and share services such as Dropbox are easy to use, offering a good alternative to the organization’s email systems, which in most organizations don’t allow the transfer of large files (10MB and over).
There are other proprietary solutions available as an alternative to Dropbox, but they often add a level of complexity which users resist when they are under pressure to transfer a file. The added steps include encrypting passwords and requiring recipients to install specialized software.
Using Dropbox Safely
Rather than replacing Dropbox, another layer of security can be added to existing file transfer procedures that would enable organizations to control which files are uploaded to Dropbox, and who has authority to share these files. An open solution that integrates easily with the organization’s existing security tools, such as DLP, anti-virus and authentication systems, would enable all shared data to undergo authentication, data scanning and data encryption. These additional precautions significantly reduce the chances that data shared using Dropbox will be compromised.
Such a system would also include a full audit trail of who transferred which files, enabling compliance in the healthcare, insurance and banking industries and meeting over a dozen regulations including PCI-DSS and HIPAA. The additional checks and balances can also be applied to automated file transfers. This enhances IT productivity and reduces operational costs by streamlining business processes which were previously done manually using standard file transfer solutions. Perhaps the most significant benefit is that files can be shared easily among partners, suppliers and customers, without requiring additional software or procedures on the receiving end.
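As an added illustration (not code from the article or from any product), the sketch below shows the core of such a pre-upload gate: an authorization check, a DLP-style scan for credit card numbers, and an audit record of who tried to transfer which file and when. The function names, the `AUTHORIZED` set and the sample files are hypothetical, and encryption, anti-virus scanning and the upload itself are left out.

```python
import hashlib
import re
from datetime import datetime, timezone

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def count_card_numbers(text):
    """Count digit runs that look like card numbers and pass the Luhn check."""
    return sum(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text))

def gate_upload(user, filename, data, authorized_users, audit_log):
    """Decide whether an upload may proceed; append an audit record either way."""
    hits = count_card_numbers(data.decode("utf-8", errors="ignore"))
    if user not in authorized_users:
        decision, reason = "deny", "user not authorized to share files"
    elif hits:
        decision, reason = "deny", f"{hits} possible card number(s) found"
    else:
        decision, reason = "allow", "passed authorization and content scan"
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),  # when
        "user": user,                                    # by whom
        "file": filename,                                # which file
        "sha256": hashlib.sha256(data).hexdigest(),      # exact content seen
        "decision": decision,
        "reason": reason,
    })
    return decision == "allow"

# Constructed sample data; 4111 1111 1111 1111 is a widely used test card number.
AUTHORIZED = {"alice"}
LOG = []
RESULTS = [
    gate_upload("alice", "minutes.txt", b"Agenda for Tuesday, room 4.", AUTHORIZED, LOG),
    gate_upload("alice", "orders.csv", b"name,card\nJ. Doe,4111 1111 1111 1111\n", AUTHORIZED, LOG),
    gate_upload("bob", "notes.txt", b"hello", AUTHORIZED, LOG),
]
```

Denied attempts are logged as well as allowed ones, since an audit trail that records only successful transfers hides the events a compliance reviewer most needs to see.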
The simpler the solution, the greater the chance that employees will use it. If they are required to change their habits too much, there is always the risk that they will be tempted to go back to using Dropbox unprotected. By using security systems which add functionality to make Dropbox more secure, employees can do their work with the least amount of disruption, giving IT managers peace of mind knowing that their sensitive corporate data is well protected.