Why Dropbox’s security changes are going to improve cloud computing

On July 1, Dropbox announced a revision to its terms of service, privacy policy and security overview document. While the intention of the update was to make Dropbox’s terms and conditions more transparent through new language surrounding privacy and security, the changes made by Dropbox have much broader implications for users of cloud based applications than it would appear at the surface. Dropbox now states it owns your files and can redistribute or further sell them to third parties at its liking and without your consent. Taken right from their website, their terms and conditions include:

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

This is not the first time that Dropbox has done something that goes against the concept of security and privacy. In a four hour window last month, the company left all accounts open and vulnerable to access by anyone. Dropbox has now taken it a step further by nationalizing its user’s data.

Companies that are concerned with file security are now actively moving away from Dropbox to new cloud providers, but this may not resolve privacy concerns. If you try to close your account, Dropbox does not guarantee it will completely delete your data, and may continue to retain your files on its server. Dropbox seems to, once again, be employing business security objectives that are not in the best interest of its users.

The recent occurrences with Dropbox’s gaping vulnerability issues have put corporate file security concerns back into the spotlight. There is no question that cloud providers offer numerous benefits.

Cloud applications are convenient (with almost transparent integration) as you can access files anywhere and anytime, they increase your productivity and finally they reduce your costs (in terms of infrastructure). This being said, many security questions have been raised as data now resides outside of a company’s firewall and sphere of control.

At first, the worry was about whether outside threats could get into the services being used; now it has extended to threats coming from within the cloud providers themselves.

Thankfully, not all cloud providers are like Dropbox and some of the companies in this industry do value the security and privacy of the users and their data without compromising on convenience. Some of them because they believe this is the right thing to do, others to gain a competitive advantage in the marketplace.

The need for security and privacy in the cloud has grown significantly over the past years as more and more data and services are making their way to the cloud.

Know what you’re signing up for
Companies considering the cloud should evaluate each provider on a case by case basis with regards to its security policies in place to ensure protection of critical data.

1. Is the company proactive in advertising security on their website?

2. Is the data encrypted in the cloud?

3. Is the data encrypted while transferred?

4. Are employees able to access file content?

5. What is their data retention policy?

6. Where are the encryption keys located and how are they protected?

When it comes down to it, if you really want to be sure, read the terms and conditions.

Is your data truly safe in the cloud?
For cloud companies to effectively provide data security, remote storage and deliver files seamlessly they, by design, need to store the files as well as the encryption keys on their side.

This presents the first security risk. If the vendor’s infrastructure is compromised, an attacker can get access to the encryption keys and the files therefore compromising the security of the documents. There’s no doubt that it is possible for cloud providers to implement comprehensive security measures to safe guard against outsider threats, however by design, these measures are insufficient to protect against insider threats.

The current suboptimal approach is to enforce employee policies limiting the encryption key access to a few people, therefore limiting potential risks.

The answer to cloud security: the best of both worlds
What seems to be a more appropriate approach, benefiting both cloud and security providers, is to separate the two services. Cloud providers then focus on their core business: providing file access anywhere and anytime, best service availability and data retention so that no information gets lost.

Security companies then focus on core encryption, authentication and key management in a way that is as transparent as possible for the users such that integration with the cloud can be done seamlessly.

This approach would allow users to encrypt documents directly on their endpoints, whether laptops, desktops or mobile devices and then upload the encrypted data to the cloud. This process can be performed manually or automatically with service integration, thereby giving the end users the best of both worlds.

This separation of tasks allows both the cloud and security providers to focus on their respective core competencies. With such approach both insider and outsider threats are protected essentially because nobody in either organization has access to all the elements necessary to read the file content.

It is now time for cloud and security providers to begin the dialogue, working together to bring about greater security and privacy in the cloud and to enable more value and peace of mind for the end user.


Subscribe to the Help Net Security breaking news e-mail alerts:

More about

Don't miss