From Ben Kepes’ post: Sure Dropbox is Potentially Insecure, but Does it Matter?
First, why do people go around IT to use Dropbox? In the majority of cases these are good, solid, hardworking employees that don’t want to introduce risk to their organization but that do want to get stuff done. For whatever reason (inflexible legacy systems, stubborn IT departments, need to be agile) they’ve decided that for a particular project, they want to introduce Dropbox into their workflow to quickly and easily share some content.
Evidently folks are storing important stuff in Dropbox, even though many of them know it violates their corporate policy. Duh. We have seen this over and over and over again through the years. Either IT and security help employees get their jobs done, or employees find ways around the policies. Period.
Then Ben gets into a discussion of risk, and trying to understand how bad all this file sharing is. He is trying to gauge the real risk of these folks storing that stuff on Dropbox. He uses a firefighter analogy too, so Rich must love this guy. It gets back to remembering the role of security, which is to ensure business operates safely. It would be great to just implement a blanket policy preventing Dropbox or any application you don’t like. Spend a zillion dollars on a whole mess of NGFW to enforce the policies, and everyone wins, no?
It always comes back to making the right decision for your business. Don’t ever forget who you work for and why you are there. Ben sums up pretty well to close his post.
Now of course my infosec friends are paid to be eternally suspicious. These guys are (professionally at least) glass half empty – their concerns are valid and they bring an important balance to the picture. But it’s just that, balance, at the same time we need to look long and hard at the benefits that “rogue IT” can bring and ask ourselves whether we shouldn’t in fact lighten up a little.
There shouldn’t be absolutes, which irks me. I like clear black & white decisions. But that’s not the real world. If you are Dr. No, let me remind you of the immortal words of Sgt Hulka. Lighten up, Francis. I made my Stripes reference for the day, so I’m done. [drops mic]
Reader interactions
2 Replies to “It’s just Dropbox. What’s the risk?”
From my personal experience with Dropbox, I have found it quite secure for business use. After all, we all need to share docs and collaborate on work at some point and the process must be efficient for employees so that they don’t waste time. However, if you want an extra layer of security for your documents and files, I would recommend using Dropbox with GroupDocs. It is a document management solution which is secure and reliable and it integrates with Dropbox seamlessly to access files and folders while editing documents at the same time. Pretty awesome, right?
If we make security break users, we make users break security.
This is such a basic principle. I’m tired of being in an industry where my peers would rather have the illusion of control than actual, effective, risk proportionate security. We have so many pretenders and unfortunately many of them are loud voices and dominate the conversation to the extent that newly minted security practitioners think they are the ideal. Next one of them that says “we do X because it is a best practice” is getting a wedgie.