The Dropbox economy: A teaching point on securing data in the cloud

In 2007, consumers were introduced to Dropbox—a cloud-based offering intended for file storing and sharing. The service caught on like wildfire, and it wasn't long before consumers started to recognize its potential business benefit.


The rise of Dropbox

Upon being (informally) introduced to the enterprise, Dropbox's popularity within businesses spread. The service became a stark example of shadow IT, or IT functions operating without the knowledge of IT pros. In Dropbox's case, lack of IT oversight raised potential regulatory compliance and security issues, because content could easily escape the enterprise.

As Dropbox became a staple app for business users, security companies jumped at the chance to turn the security "wrongs" to "rights" and created complementary (and at times, competitive) solutions to better protect users' data stored within the Dropbox cloud. The resulting revenue stream isn't unlike the economy Facebook created in its wake as it jumped from consumer to enterprise use. One could say we are living in a Dropbox economy.

Concerns over cloud data security

The Dropbox economy hasn't only provided additional revenue streams for vendors; it also allows opportunities for the industry to collaborate. Vendors may not even realize the number of "partners" they're working with to secure Dropbox for Business and other similar cloud storage products. The opportunity persists for the security industry to increase interoperability among products to reach its common goal of securing customer data and combating not only hackers but also the insider threats prevalent in today's virtual world.

In a recent Harris Survey we conducted, fewer than half of the 200 IT decision makers interviewed restrict cloud storage use to a company-implemented and controlled solution. This means a majority of corporations are at risk of shadow IT. Rather than Bring Your Own Device, IT departments have to be on the lookout for Bring Your Own Storage—in which corporate data hides out with questionable protection. Without connection to central administration, fundamental security management functions such as an emergency remote data wipe or even password resets aren't possible.

A security vendor's dream

Dropbox isn't an endpoint-security encryption company. The company acknowledges that it doesn't have a full security solution at this point, which allows other vendors to improve upon the existing security infrastructure within the Dropbox solution. Some areas where other vendor solutions can be used to augment Dropbox include central administration, persistent endpoint encryption, encryption of data-at-rest and data-in-transit (advanced users are free to add their own encryption), decryption of data at the endpoint for end-user access, enterprise-controlled and managed key management, and policy control.

To its credit, Dropbox has evolved its services to enable seamless integration into the enterprise, launching an official business solution. When Dropbox for Business transitioned out of Beta in April 2014, security vendors clamored to announce how their solutions could "help secure" data stored within Dropbox. At this time, confidence in cloud computing was at a low in the wake of the Target breach, and the IT security community was heads down trying to figure out best practices for protecting the ever-growing cloud technology.

Best practices for cloud security

Even with the advancements made by Dropbox, IT personnel should keep in mind three best practices for cloud security when considering file sync-and-share solutions such as Dropbox or Box:

1. Encryption on the endpoint

For cloud file sharing services like Dropbox, the files should be encrypted on the endpoint before they're saved in the cloud, and the encryption key should be managed by the corporate owner of the file, not the cloud service provider.

2. Key management

Key management ensures that keys are generated, distributed, stored, retrieved, and used in a secure fashion, and it's the main cog in data security management that touches everything from authentication to identity management. How a device is encrypted is irrelevant if the proper key management isn't in place. While the devices are encrypted, it's important to consider how users gain access to secured information.

3. Authentication

Authentication goes hand in hand with key management. Authentication for storage encryption technologies should also be separated from the encryption function. This is particularly important for remote architectures, such as public cloud usage, so that a single compromise doesn't lead to the exposure of both encryption keys and the encrypted material they protect. The authentication piece of key management is about ensuring the right user is getting access to the right information with the proper authentication process.
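
The three practices above can be seen together in a small envelope-encryption sketch. This is an added example, not code from the original article or from Dropbox; the function names are hypothetical, AES-256-GCM is an assumed cipher choice, and the enterprise key (KEK) is shown as a local buffer where a real deployment would keep it in the organization's key manager behind its own authentication.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM with a fresh 96-bit nonce; output is nonce || tag || ciphertext.
function seal(key, msg, aad) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce).setAAD(aad);
  const ct = Buffer.concat([c.update(msg), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Reverses seal(); throws if the key, the data or the aad does not match.
function open(key, box, aad) {
  const d = createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAAD(aad).setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}

// Practice 1: runs on the endpoint, before the file enters the sync folder.
function encryptForCloud(kek, plaintext, name) {
  const aad = Buffer.from(name);        // binds the blob to its file name
  const dek = randomBytes(32);          // per-file data key
  return {
    wrappedKey: seal(kek, dek, aad),    // only the enterprise KEK opens this
    ciphertext: seal(dek, plaintext, aad),
  };
}

// Practice 3: the stored blob alone is useless; the caller must first be
// authenticated to the key manager that releases the KEK.
function decryptFromCloud(kek, blob, name) {
  const aad = Buffer.from(name);
  return open(open(kek, blob.wrappedKey, aad), blob.ciphertext, aad);
}

// Practice 2: key rotation re-wraps the data key; the file is not re-encrypted.
function rewrap(oldKek, newKek, blob, name) {
  const aad = Buffer.from(name);
  const dek = open(oldKek, blob.wrappedKey, aad);
  return { ...blob, wrappedKey: seal(newKek, dek, aad) };
}
```

Only `wrappedKey` and `ciphertext` are synced to the provider, so revoking or rotating the KEK centrally cuts off access without touching the stored files.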

Back to basics

Ironically, the emergence of new techniques to improve efficiency, such as cloud sharing, reminds us of fundamental security concepts, such as encryption. Encrypting data at the endpoint is a back-to-basics approach to ensuring data security in any storage environment, and key management capabilities offer administrators the granularity of control they need without being a hindrance to the end user.

For an IT department to reach the optimized level of data security, organizations have to deploy encryption for all data, no matter where it resides. Management solutions enable a view and control of all endpoints, irrespective of platform, and key management for securing and encrypting data that resides in a public or private cloud. At this maturity level, organizations are in the best position to reduce risks significantly and safeguard confidential data.
