Just found out that a few of our users are using Dropbox as a way to store and transfer documents between parties.

Have any of my fellow IT middle managers on here any reservations concerning the use of this? I’m am not at all comfortable with it but would appreciate any advice pro or anti before I go wading in as there are some pretty senior managers using this.

Thanks in advance.

I think there are some privacy issues about it but not really sure on the details. Personally I love dropbox and wouldn’t be without it now, it’s so useful to share files amongst computers and has rendered my usb sticks obsolete 🙂

Use it all the time and i often save documents there that i need access to quickly or to be able to edit on multiple sites.

as a user, used it here for a while until it was blocked.
Then used skydrive until it was blocked.

Now it is a pain in the arse to share files between users both in the office and at home.

I understand the security concerns though.

Small business, 10 of us working remotely across mac and pc we all use drop box and haven’t had any issues. Considering upgrading to the ‘corporate’ package, but I’ll watch this thread unfold first.

It really depends on how critical the security of your data is.

If you’re doing classified/export-controlled/military work then it’s not going to be acceptable.

If it’s being used for personal data (eg HR records) then there could be privacy and data security issues

If it’s just being used to swap non-sensitive data then it may well be fine.

Also, how secure are their passwords and your networks and their home computers that they may also be accessing the data on?

You need to understand the situation and then either state why it’s not acceptable or put the case to your business along with explaining the risks and any possible mitigations you could put in place.

It sounds like dropbox have further security methods available

can require two-factor authentication and monitor employee use, including restricting shared folders and links within the company.

so those might be part of a proposal on how to make it work for you securely but there have been breaches…

Dropbox To Business: Never Mind The Breaches, Come Store Your Stuff With Us!

Bit of a minefield, but it depends on your line of business and the expectations about data.

e.g. Some data shouldn’t cross borders. E.g. you could end up in hot water if there are laws about storing the data in the same country, and it ends up hosted in other regions. We come across this in some European countries. Also means you lose sight of where the data is being accessed and stored… e.g. if someone opens it on their tablet, then loses the tablet, what’s your plan?

Most of the docs we share are CAD so use Autodesk Buzzsaw. Seems to work very well. Although we could use DropBox some of our sites wont. Use it to share Scouting stuff, pics, session materials etc, & for that Dropbox is spot on.

Have a read of this

http://www.pcpro.co.uk/realworld/380488/dropbox-for-teams-is-it-fit-for-business

Coyote,

Yes I have some serious concerns about its use for business, it relies on two essential features:
(i) You trust your employees [and employees who might be about to become or have just become ex employees!]
(ii) Your employees have a basic understanding of security and how it works.
I prefer Google Drive.

Dropbox is incredibly user friendly and very useful. That has been achieved at the expense of granular and management controlled security. If you are going to tell senior managers not to use it you’d better have a good alternative as otherwise they will see IT getting in the way of doing their job.

Bear in mind that some users will resort to even worse / just as bad alternatives if you ban it. e.g. keeping local uncontrolled copies of files on their private computer, usb stick etc, positing on a ‘web’ site or public ftp site, badly managed shared folders…

I’d look at it the other way round – what functionality are you not providing (or that they are not aware of) so that they feel they need to obtain it from an outside service like Dropbox?

Are they collaborating on documents and trying to avoid emailing new versions around all the time?

Do they have files to get between people that hit email attachment size limits?

Are they concerned about doing a load of work on a document on their laptop and the disk dying, or the laptop getting lost or stolen and losing their work?

Do they need access to their documents from mobile devices (given the Dropbox is almost the defacto filesystem for iOS)?

Do they need or want to work on documents from non-work devices, like a home PC?

If this is data that needs to be controlled (and if it does, you really need proper controls and classifications for it already) then you probably do need to have a conversation about responsible data handling, and the consequences of losing it. The unencrypted laptop left in a taxi is a classic data loss scenario, but if the user was syncing data via dropbox to a home PC that is lost in a burglary, it amounts to the same thing.

If it is not subject to strict controls, then putting barriers up is often counterproductive. People will always find ways to bypass them unless you spend a lot of time and money closing all the doors, and then they’ll waste a lot of time trying still.

There’s a lot of more business-focussed alterntives like Sharefile (aquired by Citrix a while ago), or things like the Microsoft Skydrive Pro idea where the storage is your own Sharepoint site, or Office 365 tenant.

I’d go to them and try to understand why they started using it, what they’re using it for now, what headaches it solves, see if there are real concerns about the data leaving the company, and what you can do to offer something better in-house.

(fwiw, I have company stuff on Dropbox – anything potentially sensitive lives in little truecrypt volumes though)

You’ve not been very clear when you say ‘between parties’ or indeed what they’re sharing.

My concern would be that if there’s a business requirement to share files then there should be a process and method in place for it.

If there is then why are the circumventing it, if there isn’t then why do they need to share stuff 😉

P.S. Sharepoint? 😉

My concern would be that if there’s a business requirement to share files then there should be a process and method in place for it.

If there is then why are the circumventing it,

It doesn’t work that well?

if there isn’t then why do they need to share stuff

Perhaps the people doing the business, rather than those serving it (IT et al.) are best placed to work out current requirements in a dynamic environment?

P.S. Sharepoint?

Excellent example of something that’s far too faffy for non-IT orientated staff to bother with.

Yes, very much so. Not my call though.
I tell the business what the risk is with using things like dropbox, the business then decide whether to accept that risk. When they then ask advice about whether they should use it I tell them I think it’s fine for anything they wouldn’t mind being in the public domain and terrible for anything that shouldn’t. It should be about data classification, if you can get the business to classify their data.

If it was Data Protection related data I’d refer it to legal but both our teams would strongly advise against storing any customer/employee related data on dropbox, the ICO would take a similarly strict stance on storing EU data on non-EU servers. Don’t forget, Obama can access any data held on US soil and if it’s a US company not on US soil they’ll mirror it to the US and then access it.

A quick poll of the people in my team suggests that the use of Dropbox for anything sensitive/confidential/important/that you don’t want the US to read is a no-no.

I use it for personal stuff (e.g. transferring eBooks to home for my Nook, that sort of thing) but will not use it for work data.

Have any of my fellow IT middle managers on here any reservations concerning the use of this?

I’m a professional but not a manager, and I would never use such a thing. It’s expressly forbidden in our company for starters, and for good reason.

Neither you nor your clients have audited Dropbox, you don’t know how secure it is, how well protected it is, how private it is or even where it is.

Imagine going to a client’s security team and asking for permission to put it in a place you know nothing about. Imagine the look on their faces!

We have a business account in our work, i think we have 1.4tb of storage? something silly anyway.

We use it to sync up files from our work PC’s to laptops, mobiles & tablets so we can work on the move & so we can share files with 3rd parties anytime.

Its has basically replaced our ftp because too many people were having difficulty using the ftp.

I would note we never keep sensitive documents on there though.

TBH its been great, no complaints, but I guess it depends what your using it for…

Perhaps the people doing the business, rather than those serving it (IT et al.) are best placed to work out current requirements in a dynamic environment?

Who has responsibility for data security within the business?

Box.net offers similar functionality with, supposedly, better security.

Google drive I have problems with on my Mac – the sync app won’t stay open and I have to fire it up daily to sync.

Dropbox works faultlessly everywhere. Too convenient not to use.

Pretty much all been said already but you need to understand what’s going on there and whether that data is anyway regulated either by yourselves (e.g. trade secrets) or by external regulators. If so stop it right now and tell em all off and get them to sign an acceptable use document about what they shouldn’t do. Then make sure you provide a convenient but secure alternative. If you’re a decent sized organisation you need to create or mature your data classification methods and policy and your acceptable use policy for internet/data/equipment.

It’s your data and they (the employees) just gave it away to who and what knows where. The only ‘secure’ cloud file share/storage services are those where you encrypt the data at your end – not those that encrypt it only in transit (over the internet) or at their end.

Happydaze.

There is a little £200 NAS box that offers a DropBox like experience, but you can keep in your server room or home .. looked OK for SOHO use anyway if you’re concerned about the ‘where is my data’ question which you probably should be.

can’t remember what it was called though ..

We use both Dropbox and Google Drive for business

IMO Google Drive is better due to:

Having more control over the share settings.
Dropbox doesn’t allow different share settings for sub folders.
It’s better value
Works well with Google apps – Better for collaborating on files/docs
Dropbox is very slow.

Who has responsibility for data security within the business?

Well, without the people generating the data, there would be no business, and no need for IT to support it. I find it so strange that HR services / Admin services / Property services / IT services all seem to forget that without the business they serve, there would be no requirement for their existence.

Spot on Zokes, shame that it will be the IT guy getting fired for not having the right thing in place…

All the above comments are right. You need to do an assessment on whats going on, whats being shared and what the risks are.
If people are taking stuff home do they have the right software/AV at home (probably a bigger risk than drop box itself.
What is the version control on these files
If they are shared with clients are the folders set up right so that nothing else is shared.

The questions to ask next are
What are people trying to do?
Why are they trying to do it?
Why does what you have in place not work?

Once you work that out then you can answer the question about what you are going to do about it. As much as people will whinge if you tell them they can’t use DB/drive etc for certain files if you explain why and provide an alternative then you may have some chance of getting them to stick to it. Blocking Dropbox wont work.

We use Google Drive & Dropbox for work but there are only 3 of us and we work remotely. Any bigger and we will need a proper solution.

Dropbox (and similar services) are banned where I work as they’re considered insecure. For file exchange we have an SFTP server (Globalscape) and for sending encrypted email attachments we with use PGP Desktop or Egress (the latter being a lot easier to set up and better when dealing with 3rd parties that don’t have their own email encryption in place.

What companies need to do is change themselves to the way the technical world is changing.
It used to be that we all spent a lot of money (and still do) on securing our perimeter with big assed firewalls, proxies, email gateways. We all had a hard outer, soft inner for the most part and that’s all because of the types of threats we were experiencing. Network hackers, simple malware, SPAM.

The world has changed though, our borders are expanding with the proliferation of mobile devices and cloud services, the threats are now completely different. It’s pointless spending a million on some fancy firewalls if the data you are trying to protect just walks out the door in a directors pocket which he then leaves at the Golf club by accident because it’s just a toy to him.

What we need to do is stop protecting the devices, the perimeter has gone, the endpoint has gone, we need to protect the data. Build a data classification program, make it easy to use and then protect the appropriate data with the appropriate controls. We don’t need to worry that a director has left his ipad on a plane because we know the data is protected. We don’t need to worry that someone is using Dropbox to transfer files to customers because the data itself is encapsulated, controlled and secure. Only the people who need to access it can do.

Once you realise the infrastructure is less important than the data then this facilitates all the things that users want to do like bringing their own device in, using fancy (but inherently insecure), mobile devices, having a computer with a load of dodgy crap they want installed on it to help them work. It no longer matters.

Classify your data, protect the stuff that needs protecting. Worry not about how people move it about or store it.

You’d never guess you work in data / network security, would you, Jon? 😉

If only all IT managers were this savvy!

Well, without the people generating the data, there would be no business, and no need for IT to support it. I find it so strange that HR services / Admin services / Property services / IT services all seem to forget that without the business they serve, there would be no requirement for their existence.

You seem to be jumping to a number of conclusions.
Firstly those generating the data and IT are separate entities, they may not. Also that the “generation of data” in itself is somehow adding value and thirdly that these support services somehow don’t recognise their role within the overall group and that your experience allows you to generalise.
As an IT manager of a large business I and my team are all to aware of the business commercials and being answerable to a board who are in turn answerable to shareholders means that I have to “steer” my users to use the right tools to provide functionality and value but convince the board and internal and external auditors that we have appropriate security in place. I work hard on demonstrating the link between my teams and their individual and team performance and the ultimate success of the business, they see themselves as part of the team who are working to make the business a success (bit cliched but true)
Working for an acquisitive business I have absorbed a number of companies into the group and I am often surprised at what the IT focus is of these companies who have undefined IT strategies and strong senior managers who, without guidance, make stupid and costly mistakes, some of which have contributed to their failure and sometimes because they have listened to a vocal person within the group who has been persuasive in adopting an emerging, but partly useless or irrelevant technology!

There are often many ways to achieve the same end and file sharing and data availability is only one challenge. A businesses IT strategy (whilst always being flexible and open to new developments and contributions) cant be driven by by the latest trend. Dropbox/skydrive/cubby have all been available for years in commercial environments and under different names. As a manager I sometimes have to say no to people who consider themselves early adopters and leading lights amongst their peers which means I often receive the inevitable frustrated complaints from people who can do the job better 🙄

Interesting post Samuri and I agree to a large extent but I would say there still needs to be a mix between the two.

I agree and I would never advocate completely dropping perimeter and end point defences but the focus needs to change. The data classification discussion is a very interesting one. If you take it up peice meal and ask every data owner separately how important their data is, they all tell you it’s the most important data in the business. Then when you explain the controls that will be needed to protect that data they immediately change their minds and say it’s actually not that important after all.

Some people will tell you it’s not that important from the start and these are generally the people that need educating. Once you find a good way to explain the risk and make it real to them, you have a much better chance of providing adequate controls and more importantly, of being given the money to make it happen.

Coyote – we rolled our own, using OpenUpload. Not quite 100% Dropbox functionality, but it works very well.

This allows staff and clients to easily send/receive documents via HTTP, from a server in our data centre.

Email me, and I’ll setup a limited demo account for you to see it in action.

The other downside with the data-centric approach is it’s very hard to do properly. That’s not to say it shouldn’t be done but adopting a shift from the tangible perimeter to the less tangible, multi-faceted, omni-present data approach takes commitment and budget, isn’t just solved by technology and is a step too far for immature organisations. All organisations who do any amount of information security (I’m not talking owning an SSL cert here) should be considering the approach.

Having said that everyone ought to know what (and where) their data is, even on a personal/domestic level (P60’s vs junk mail, digital pics, things_to_do.txt vs 2013_expenditure.xls) whether it’s secured, backed up, alive or dormant and it should be no different in any business.

So.. when is someone going to make an appliance that you plug into your corporate network and it makes a secure encrypted cloud solution, along with an app or image for your iphone/android/macbook/laptop whatever, that will ‘just work’ without needing a highly skilled IT dept?

when someone decides that the cost is justified. Things like this don’t “just happen”

My main concern is that unless you really tie down permissions you don’t really have control of downstream sharing of data.

That said I actually find it useful myself for simple transfer of large (size or volume), non sensitive files – a case in point being last year when we had a guy scouting properties in France and transferring photos back to us.

Horses for courses really – fine for transfer of non critical data between people you trust.

I’ve got reservations but have not blocked it here (yet). I always make people aware of the security issues when they ask for it but I’ve only had a couple so far, and they’re generally the ones I’d trust to use it sensibly.

So.. when is someone going to make an appliance that you plug into your corporate network and it makes a secure encrypted cloud solution, along with an app or image for your iphone/android/macbook/laptop whatever, that will ‘just work’ without needing a highly skilled IT dept?

There’s a number already out there. Most are tied into mobile device management solutions but there are a few that also work with your standard egress points. Switch is a good email one that many legal firms already use for contract exchange, it’s not cheap though.

Seems to me like it’d be a great seller. Especially with all this PRISM malarkey happening currently. Wouldn’t be expensive, particularly, doens’t require much specialist kit.

We use it at work. I work for a technology company that has a lot of ‘interesting’ data.

The IT dept. don’t like Dropbox, but as I have nothing to do with said data and they haven’t provided anything that does the job even remotely as well, we’re still using it.

If you haven’t got the solution you need, you can’t just do whatever you want. You need to escalate it.

Citrix does a lot of stuff that is directly linked to cloud, both public and private, and has a number of technologies that would give a simple cloud/virtualisation deployment.

Some of them may be a fit for your business.