For four hours last week, a flawed authentication update allowed
anyone to access the data of any user of the cloud storage service
Dropbox.
The error could have caused a massive privacy breach. As it
turned out, the company was notified and fixed the error before the
vulnerability became widely known and could be exploited by
malicious actors.
"According to our records, there were fewer than a hundred
affected users, and neither account settings nor files were
modified in any of these accounts," the company wrote in a blog
post last Friday. "At this point, we have contacted all these users
and provided them more detail."
Security experts point to the incident as a reminder that the
consumer cloud can still cause problems for businesses. While
Dropbox is aimed at individuals, the company has not made a secret
of its business aspirations: Last year, it surveyed users about how
they use the service to help their businesses. Articles on the
benefits of cloud storage services, such as Dropbox and iCloud, are
widespread on the Web.
Consumers are increasingly bringing their personal technology
into the workplace, much to the chagrin of CSOs.
With cloud services such as Dropbox, companies need to make sure
that sensitive corporate data is not being posted to the cloud.
Dropbox encrypts data on its servers, but not per individual
account, notes Sorin Mustaca, a product manager with security firm
Avira. Anyone with administrative access to the servers can read all
of the data they hold. In addition, data stored on an external
service's servers has weaker legal protection, Mustaca says.
"I always advise our users to be very, very careful what they
put online because if they put anything online, then the data does
not belong to them anymore -- it belongs to the cloud," Mustaca
says. "This is the most important lesson that needs to be learned
by anybody. If you put it online, you lose control of the
data."
Cloud services should allow users to encrypt their information,
thus making mass breaches much more difficult, if not impossible. A
week ago, Dropbox users started calling for better encryption, but
it isn't clear yet whether the service provider will offer that
feature. Dropbox prides itself on its ease of use -- adding
individual passwords would make the service more difficult to use
and more costly, says Puneesh Chaudhry, co-founder and CEO of data
management start-up Copiun.
"One part of security is the commingling of data and being able
to mitigate the threat by encryption," Chaudhry says. "Dropbox
commingles data from everybody in a huge data store, and that is a
concern to a lot of companies."
Dropbox declined to comment for this article. But Dropbox is not
the only consumer cloud service that has been the focus of security
concerns. Evernote, Apple's MobileMe, iCloud, and cloud offerings
from Google and Amazon all have generated security concerns in
recent months.
Barring employees from using cloud services usually does not
work, Chaudhry says. Companies attempted to bar the use of social
networks, but employees found ways of using the services anyway, he
notes.
Instead, enterprises should require that employees use data
storage that has an encryption key the company can access as well,
Chaudhry says. If the company has the key, then it can prevent
access to the data if the employee is terminated or if the data is
otherwise compromised, he observes. "We need solutions that run
within an enterprise's security mechanisms ... and yet provide
employees with a facility that allows Dropbox or iCloud
functionality," Chaudhry says.
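The two points made above, that server-side encryption leaves everything readable to whoever administers the servers, and that an enterprise should hold an encryption key of its own so it can cut off a departing employee, are both addressed by client-side envelope encryption. The following Go program is an added illustration and is not code from Dropbox, Copiun or any product named in this article. Each file is sealed under a random per-file data key with AES-256-GCM, and that data key is then wrapped once for the employee and once for the enterprise; the storage provider only ever holds ciphertext and wrapped keys. Revoking the employee deletes their wrapped copy, after which only the enterprise key can open the file. The party names, the demo keys and the sample file contents are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the storage provider keeps: the file body sealed under a
// random per-file data key, plus one wrapped copy of that data key per party
// allowed to open the file. The provider never sees the data key itself.
type Envelope struct {
	Ciphertext  []byte            // nonce || AES-GCM ciphertext of the file
	WrappedKeys map[string][]byte // party name -> nonce || AES-GCM ciphertext of the data key
}

// newAEAD builds an AES-256-GCM instance from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and returns nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or any tampering fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Encrypt seals the file under a random data key and wraps that key for every
// party in partyKeys. The party name is bound as associated data so a wrapped
// key cannot be relabelled for another party.
func Encrypt(plaintext []byte, partyKeys map[string][]byte) (*Envelope, error) {
	if len(partyKeys) == 0 {
		return nil, errors.New("at least one party must be able to open the file")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	body, err := seal(dataKey, plaintext, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: body, WrappedKeys: make(map[string][]byte)}
	for party, key := range partyKeys {
		wrapped, err := seal(key, dataKey, []byte(party))
		if err != nil {
			return nil, fmt.Errorf("wrapping data key for %s: %w", party, err)
		}
		env.WrappedKeys[party] = wrapped
	}
	return env, nil
}

// Decrypt unwraps the data key with the named party's key and opens the file.
func Decrypt(env *Envelope, party string, key []byte) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[party]
	if !ok {
		return nil, fmt.Errorf("%s is not authorised for this file", party)
	}
	dataKey, err := open(key, wrapped, []byte(party))
	if err != nil {
		return nil, fmt.Errorf("unwrapping data key for %s: %w", party, err)
	}
	return open(dataKey, env.Ciphertext, nil)
}

// Revoke removes a party's wrapped key. The stored ciphertext is untouched;
// only parties still holding a wrapped copy (here, the enterprise) can open it.
func Revoke(env *Envelope, party string) {
	delete(env.WrappedKeys, party)
}

func main() {
	// Constructed demo keys; in practice these come from a KMS or key derivation.
	employeeKey, enterpriseKey := make([]byte, 32), make([]byte, 32)
	rand.Read(employeeKey)
	rand.Read(enterpriseKey)
	env, _ := Encrypt([]byte("Q3 forecast (constructed sample)"), map[string][]byte{"employee": employeeKey, "enterprise": enterpriseKey})
	Revoke(env, "employee")
	_, err := Decrypt(env, "employee", employeeKey)
	fmt.Println("employee after revocation:", err)
	pt, err := Decrypt(env, "enterprise", enterpriseKey)
	fmt.Printf("enterprise still reads: %q (err=%v)\n", pt, err)
}
```

Two design points are worth noting. Because the data key is random per file, the enterprise's escrow key is only ever used to wrap 32-byte keys, never file bodies, so rotating it means re-wrapping keys rather than re-encrypting the whole store. And because every copy of the data key lives only in a wrapped form, an administrator of the storage servers who can read every byte on disk still cannot recover the file, which is the gap Mustaca describes in the server-side-only model.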
Several services offer more extensive encryption than Dropbox --
and for a higher price -- and Copiun sells a product that allows
companies to offer their own servers as a cloud service.