It’s summertime down in my neck of the woods and that’s a good time to go out on a limb with a statement that might get people a little fired up. Bear with me on this one though… Over on GigaOm Barb Darrow has a good write-up of the findings of a survey commissioned by Nasuni into the use of Dropbox within large enterprises. As she wrote:
One out of five of 1,300 business users surveyed said they use the consumer file-sync-and-share system with work documents… And, half of those Dropbox users do this even though they know it’s against the rules. The most blatant offenders are near the top of the corporate heap — VPs and directors are most likely to use Dropbox despite the documented risks and despite corporate edicts. C-level and other execs are the people who brought their personal iPads and iPhones into the office in the first place and demanded they be supported.
Now it has to be mentioned that this survey was sponsored by Nasuni, an enterprise storage vendor with a vested interest in stirring the pot about shadow IT. Companies selling a more “enterprise grade” service clearly do well out of panicking all those overworked CIO types about rogue IT within their organizations. But I wonder if it’s not worth taking a step back and looking at this from a pragmatic perspective.
First, why do people go around IT to use Dropbox? In the majority of cases these are good, solid, hardworking employees that don’t want to introduce risk to their organization but that do want to get stuff done. For whatever reason (inflexible legacy systems, stubborn IT departments, need to be agile) they’ve decided that for a particular project, they want to introduce Dropbox into their workflow to quickly and easily share some content.
Now clearly this might breach an IT policy here or there and potentially (but only potentially) introduce a vector for data loss. But let’s look at the practicalities here – oftentimes the content being shared isn’t exactly ground-breaking. While I’m sure there are cases where the recipe for an amazing new miracle drug has been shared outside the organization and gazillions of dollars in pharma revenue put at risk (or not), the majority of examples I’ve seen are much more mundane than this – maybe a marketing plan here, a draft report there or (heaven forbid) the guest list for the department’s client Christmas party.
In another part of my life, I’m a firefighter and have spent a bunch of time looking at risk assessment and reduction. In firefighting situations we use a simple matrix to determine whether a course of action should be taken or not – essentially we look at the potential outcomes from that course of action (on a continuum from minor to catastrophic). Along the other axis is the chance of that outcome occurring. A matrix might look like this:
If we apply this methodology to “Dropbox in an enterprise setting” – let’s see what we come up with. Of the 20% of business users who say they use Dropbox for work documents, and across the 100 million users that Dropbox boasts of, how many are really sharing critical business information as opposed to more mundane content? I’d wager that the vast majority of it falls into the “mind-numbingly boring to anyone outside of the org” category, and hence the severity of harm from a data breach could be seen as negligible.
On the other hand, we need to look at the likelihood of harm. While conceptually we can imagine an entire plethora of ways in which it could happen, the fact is that those 100 million users are, for the most part, using Dropbox and suffering no data loss (with the caveat that a leak through a shared folder is exactly the kind of loss an organization rarely notices, so the observed rate understates the true one). As a measure of the likelihood of harm occurring, then, data loss from Dropbox is reasonably low.
So let’s plot both axes and see where the real issue lies. It seems to me that the situation of real concern is where highly critical organizational data is being shared by individuals with poor security practices (simple passwords, the same password reused across multiple sites, and so on). Outside that corner of the matrix, the severity and likelihood measures would indicate that, just maybe, we could relax about the use of Dropbox within the organization a little.
Now of course my infosec friends are paid to be eternally suspicious. These guys are (professionally at least) glass-half-empty types; their concerns are valid and they bring an important balance to the picture. But it’s just that, balance: at the same time we need to look long and hard at the benefits that “rogue IT” can bring and ask ourselves whether we shouldn’t in fact lighten up a little.
Of course, much of this would be addressed by simply storing Dropbox content within a TrueCrypt container, so that the service only ever holds ciphertext – but my point still stands – shouldn’t we lighten up some?
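To make the TrueCrypt point concrete, here is an added example (written for this edit; it is not code from the post, from TrueCrypt or from Dropbox) of the same idea done per file: encrypt on the client before the file is dropped into the sync folder, so what Dropbox stores and replicates is ciphertext plus an authentication tag. It swaps the TrueCrypt volume for AES-256-GCM with a key derived from a passphrase by PBKDF2-HMAC-SHA256; the container layout, the `DBXENC1` marker, the iteration count and the sample guest list are all assumptions made up for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Layout of one encrypted file: magic | salt | nonce | AES-GCM ciphertext+tag.
// Marker string and constants are this example's own choices, not a standard format.
const (
	magic      = "DBXENC1"
	saltLen    = 16
	nonceLen   = 12 // standard GCM nonce size
	keyLen     = 32 // AES-256
	iterations = 100000
)

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256 as the PRF, written out here
// so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)             // U_1
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

func newAEAD(passphrase, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a passphrase with a fresh salt and nonce. The
// header (magic, salt, nonce) is bound as associated data, so editing it is detected.
func Seal(passphrase, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(append([]byte(magic), salt...), nonce...)
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, header)
	return append(header, ct...), nil
}

// Open reverses Seal. A wrong passphrase or any bit flip in header, ciphertext
// or tag yields an error rather than silently returning garbage.
func Open(passphrase, blob []byte) ([]byte, error) {
	hdrLen := len(magic) + saltLen + nonceLen
	if len(blob) < hdrLen || string(blob[:len(magic)]) != magic {
		return nil, errors.New("not a container produced by Seal")
	}
	salt := blob[len(magic) : len(magic)+saltLen]
	nonce := blob[len(magic)+saltLen : hdrLen]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, blob[hdrLen:], blob[:hdrLen])
}

func main() {
	// Constructed sample: the mundane kind of document the post has in mind.
	doc := []byte("Client Christmas party guest list: A. Smith, B. Jones\n")
	pass := []byte("a long passphrase the sync service never sees")
	blob, err := Seal(pass, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("bytes synced: %d, plaintext visible to the service: %v\n", len(blob), bytes.Contains(blob, doc))
	back, err := Open(pass, blob)
	fmt.Printf("decrypted locally: %q (err=%v)\n", back, err)
	_, err = Open([]byte("guessed password"), blob)
	fmt.Printf("wrong passphrase: %v\n", err)
}
```

What this does and does not buy you: the service, and anyone who gets into the account, sees only ciphertext; they cannot read or quietly modify it. It does not hide file names, sizes or modification times, it does not help the moment a recipient needs the passphrase sent to them over some other channel, and a lost passphrase means the synced copy is gone for good.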
(Cross-posted @ The Diversity Blog – SaaS, Cloud & Business Strategy)
For many businesses and the vast majority of individuals storing and sharing non-sensitive content, you’re probably right: no one really cares about your stuff. If anyone broke into my Dropbox account, I doubt they’d find anything useful or interesting.
On the other extreme, there’s WikiLeaks: an individual used a combination of USB drives and rogue file-sharing apps to share highly-confidential information. More realistically, a company’s financial information, competitor notes, forecasts, unreleased press releases; a clinic’s patient information; a credit card company’s customer account numbers; legal information; government information; police records; and on and on for millions of other “For Your Eyes Only” information that, given to just any person doesn’t mean a thing, but given to the wrong person, can have serious consequences.
But that’s obvious. And it doesn’t mean there’s no place for Dropbox or any other consumer file-sharing tool.
The reality is that every individual and business will value different pieces of content differently and place a value on security and reliability, and fortunately there are hundreds of vendors out there—including Dropbox—with a solution tailored to meet those needs.
Quite a few companies (Bitrix24 is a classic example) managed to sign up tens of thousands of enterprise clients based on Dropbox security issues, so I’d say it does matter. And it also matters what kinds of documents are being shared – because Dropbox offers no document management and collaboration features.
Dropbox is one of those resources that can be useful to easily share non-sensitive information quickly. However I think it needs to stay at just that.
Personally, uploading sensitive information seems a ludicrous idea for a business. The security of your information is out of your hands if you leave it stored with Dropbox. If anything was to happen to this information it could have devastating effects depending on the nature of the content. As you stated, the chance of something happening to the Dropbox account is extremely low, but will always be a possibility.
For a business, as a short-term sharing method it may suit one’s needs, but as a long-term one I don’t truly understand the reason a business would have to be using it. They would have a lot more control over an internal system (where possible).
An internal system may be able to be made more secure than Dropbox, but Dropbox uses SSL and 256-bit encryption, while all files stored online by Dropbox are encrypted and kept securely on Amazon’s Simple Storage Service (S3) in multiple (physically) secure data centres.
Maybe I’ve missed something, but this seems to be significantly better than many FTP or intranet solutions that many companies are using.