The Deleted (but not deleted) Data Dropbox Bug - How cloudy is your data?

January 26th, 2017

The Deleted (but not deleted) Data Dropbox Bug - How cloudy is your data?

In the news recently I came across an article that a bug in the Dropbox platform, in certain cases, was showing users’ data that they had deleted previously – or so they thought.

Dropbox publically addressed the issue, and indicated that the bug was caused while attempting to fix some files that had “metadata inconsistencies”. There wasn’t much clarification on what a “metadata inconsistency” was, or how it was caused, outside of the fact that users thought they had deleted this data – meanwhile it was parked elsewhere in the Dropbox environment. Many of these users wouldn’t have been aware that it wasn’t deleted unless they happened to login and notice these previously deleted directories and files reappearing in their accounts (In some reported cases, the files were deleted 2+ years previously and were suddenly back in their accounts again.).

It doesn’t appear that anyone else had access to the information – however my concern is that the information was still there years after the fact, even though the user actively deleted the files. Stop and think about that for a moment – you deleted some files years previously, and then all of a sudden they reappear in your storage view.

This is a great reminder that whenever you place your information or data in the cloud you should always assume that someone else can access, view, modify or delete that data (among other uses) – it doesn’t mean that they will, but they can. This concept may or may not affect you -- It comes down to what the data is, and how important it is to you. For example I am teaching my children, as they start to dip their toes into the swamp of social media, “Whatever you post, to whomever, assume every one of your friends can see it as well as every stranger, and most importantly – your father!” (That should at least buy me some time until they are into their teenage years…).

While this messaging is important for children to understand – it can also equally apply to organizations. Stop and think about what your employees are saving on their personal Dropbox accounts, or in Evernote, or Slack, or any other blended social media/productivity/storage cloud based tool while at the office. 

How much of your company data is out there on personal accounts?

Are you really ok with that data living on the Internet in perpetuity, and forever out of your control?

How do you know what’s truly sitting out there, and who has access to it?

How do you prevent your end users from exposing your confidential information through these services without stifling innovation?

You must accept that cloud services are here for good – and they aren’t going away. You can’t policy your way out of this, so take a deep breath, accept that all forms of cloud services from large scale enterprise services to fly-by-night operations are competing for your business (and data), and are already being actively used in your organization (whether sanctioned or not).

It is time to help your organization embrace this new world by arming your staff with the right information and tools, and the following steps will get you on your way to securing your data in the cloud and building the initial stages of a cloud security strategy.

Develop your understanding. Who, what and why?

Engage your employees by leveraging your technical teams to discover where your data is travelling, and through open discussions across the organization – you will need to build a common understanding of what people are doing on the cloud, and why they are doing it. This isn’t a punitive action, but should be framed as a chance for your teams to participate in forming your organization’s cloud strategy.

If you don’t truly understand why and how your employees are using cloud services, and the type of your data floating out there -- you cannot form an appropriate risk picture, and in turn you cannot provide an adequate security strategy.

Research tooling, do your fact checking

After you’ve established the list of tools in use in your organization, and vetted the reasoning behind it (after all, there will be some services being used that may not jive with your corporate culture) – build your list of business desires/needs and cross reference that to enterprise grade tools. Leveraging existing business relationships, you may be in a position to negotiate attractive pricing while also standardizing your organization on a single set of tools.  Most “personal” cloud services/tools offer corporate versions that typically allow for greater visibility into your data, while offering enhanced security controls.

When you are doing your research, make sure you do your due diligence and do not fall into the trap of “Company X is using them, and they are huge. What could we possibly need to ask and verify that they didn’t already?”. 

This is a very common fallacy that I’ve run into across the industry – You do not know what “Company X” is using the service for, and you don’t know what their risk appetite is. Make sure that your own scoping processes are followed, and you’re happy with the service’s responses to satisfy your own organizations risk appetite.

Extend your controls; don’t blind yourself!

Just because it is in the cloud, doesn’t mean that you should settle for reduced security and visibility into what is happening with your data. There’s a whole industry popping up to try and tackle this, and the market consolidation in this space will likely align with some big players owning a large market share here (Think McAfee, and Symantec).

If your data is subject to filtering policies and encryption when it is in your own environment, you must be enforcing the same controls within your cloud environment. Storing it elsewhere has its advantages, but that does not mean that you should be blinded from seeing what is going on, or protecting it with your own encryption key. 

Your end user means well….

You need to address that forever well-meaning employee who is the reason that organizations end up in the media due to a data exposure incident. Even if you have a top of the line Cloud Access Service Broker (CASB), with Data Loss Prevention (DLP) integration, and 24x7 monitoring to a security operations center ready to pounce – end users can (and will) cause you a world of hurt in a matter of seconds if you don’t take the time to educate them on how to properly use company information, and what tools align with those uses. Make sure there is a common understanding of what data goes where.

Keep the process alive!

Think of the old school (cool?) Demming wheel, also known as PDCA (Plan-Do-Check-Act) and now commonly referred to as PDSA (Plan-Do-Study-Act). Whatever you want to call it, the idea remains the same -- this isn’t a one time work effort, but something that needs to be continually monitored and updated as the landscape changes. 

New generations enter the workforce and bring an entirely new way of thinking to the table, and new tools to go with it. Ensure you stay on top of this with regular checkpoints on your traffic, and your staff – and maintain congruence between the two.

These steps will go a long way to protect you from something like this Dropbox bug. If your data was properly evaluated and protected -- having it reappear again a couple of years later should be a non-event, or at most a minor event.