The Public Cloud – Is it Safe for Enterprise Files?
The enterprise file-sync-and-share (EFSS) market has been heating up for the past few years. There are now more than 120 vendors in this space, and nearly all of them leverage the public cloud – infrastructure operated by third parties – for storing files on behalf of enterprise users.
The way many of these vendors market to enterprises is rather clever. In a nutshell, here’s how it works:
- Target tech-savvy consumers and mobile professionals with free, easy-to-use file sharing software.
- Give generous amounts of free storage to these users, who in turn recruit their friends, collaborators, and clients to use the software.
- As these network effects take hold, monitor the platform for accumulations of users within large enterprises.
- Pitch a company-wide license to these enterprises, presenting active user counts as proof that “the people have spoken, and our product has won.”
Given the intense competition, it’s often the case that several pitches occur simultaneously within a given enterprise. Unfortunately, IT leaders are then put in an awkward position by top management: choose a “winner” among several EFSS products that lack adequate, enterprise-grade security and management features. If you’re one of these IT leaders, and you’re being asked to make these uncomfortable trade-offs, this post is for you.
People use it. So it must be secure, right?
In late-1920s America, as the stock market was booming, it was common practice for individual investors to buy stock on margin. It seemed like everyone was doing it and making loads of money. But it turned out to be a bad idea. It’s also very risky for enterprise management to assume, despite the claims of some EFSS vendors, that end user adoption numbers have any bearing on a product’s readiness to meet enterprise security requirements. This is particularly true for enterprises in highly regulated industries like Healthcare, Finance, and Education.
Dropbox is just one EFSS public cloud vendor that, having accumulated end users on a “freemium” basis, is now attempting to gain traction in the enterprise segment. But Dropbox has some work to do to convince enterprises that it can overcome significant security issues. Here are just a few stories we’ve compiled that highlight these concerns.
- In 2011, Dropbox disclosed that all of its users’ files were publicly accessible for almost four hours. As VentureBeat reporter Sean Ludwig noted, this snafu underscored the security risks of cloud services. When all of your files are stored on another company’s servers, can you trust that company to keep your data safe?
- Then in April 2012 a security hole was discovered in Dropbox’s iOS app that allowed anyone with physical access to a user’s phone to copy their login credentials. Dropbox wasn’t the only one to encounter this problem – Facebook’s and Skype’s apps were vulnerable as well. The problem was resolved, but while users were vulnerable any sensitive information pertaining to their organization that was stored on the apps was at risk.
- Just a few months later, in August 2012, Dropbox announced that usernames and passwords stolen from other websites had been used to access some Dropbox accounts. Since this security breach came on the heels of Dropbox’s snafu just three months earlier, it led many to question whether the cloud is secure enough for the enterprise. Karsten Strauss at Forbes stated in his article on the security breach that “This type of central intel hub – these server facilities and their contents – may require more than tweaked third-party security software to assure safety.”
- This past May – just one month after Dropbox released its enterprise-facing product, Dropbox for Business – the BBC reported that users of some cloud-based file storage services such as Dropbox and Box could be at risk of inadvertently leaking their own files as a result of a sharing function that creates a public link. Intralinks uncovered the problem when it found links to documents, including bank statements and mortgage applications, during routine use of Google’s AdWords and Analytics services.
- Dropbox has also been battling an ongoing malware problem – unscrupulous individuals have discovered how to use Dropbox’s features to spread malware, particularly the kind that holds your files hostage until you pay a fee. Dropbox tests for viruses and malware using a variety of different anti-virus and anti-malware programs, but Slashgear reported on June 23 that these abuses of Dropbox’s services are still happening.
- And most recently, startup CTO Jan Čurn documented, in detail, a Dropbox incident that resulted in the permanent loss of 8,000 files.
Still not ready for enterprise prime time
As noted above, Dropbox has taken incremental steps to improve matters, such as an audit trail to track sharing, and allowing users to separate business and personal files (assuming the users are willing to do the separating). But even with all its financial resources ($1.1 billion USD in total funding as of July 2014) Dropbox still does not offer the manageability and security required by enterprise IT.
This may be because Dropbox does not take security as seriously as enterprises do, or because they prioritize end user adoption over security controls. Case in point: Dropbox Vice President for Enterprise Strategy Ross Piper said in an interview with FierceEnterprise Communications, “if you can get five times the number of users to use it, it’s okay to give up a little bit of security control.” Hmmm, I wonder how many CIOs and IT Directors at large enterprises share Mr. Piper’s opinion?
451 Research Analyst Alan Pelz-Sharpe, in an interview with TechCrunch, sums up why Dropbox’s strategy isn’t suitable for enterprises: “Dropbox has been so successful to date by being end user friendly and largely ignoring IT,” Pelz-Sharpe said. He added that Dropbox is going to have to find a way to balance the needs of both, but that will be much easier in SMBs than in large enterprises. “In the much bigger small and mid-sized business market, it’s much easier to meet their administrative and security requirements without compromising ease of use – these buyers don’t typically have the complex integration, process or compliance requirements that Fortune 1000 firms do.”
----------
This LinkedIn Pulse Article originally appeared as a post on Attachmate's Data In Motion blog. In the spirit of minimizing promotional content on LinkedIn Pulse, I've removed a final section of that article discussing my company's alternatives to public cloud file sharing services. The original post can be found here.
Comment from @QueenofQA (CTO-CIO-CISO. Proven Disruptor Transforming Tech for over a Decade. Queen of QA – Mentor Capitalist – CybSecurity Savant), 10 years ago: What a great post – since an average user does not consider the security implications