Sunday, May 22, 2011

An Enterprise Approach to Securing Dropbox

(See end of this post for a link to a demo video showing enterprise encryption for Dropbox and a beta registration form.)

This blog started by looking at the security of Dropbox and examining some of the issues that go into protecting data in a service like Dropbox. Since the first blog post, Dropbox has come under significant heat and is now the unfortunate recipient of an FTC complaint, filed specifically because people feel they were misled regarding the data security of Dropbox. When Dropbox recently clarified their privacy policy, some who had been using the service with sensitive data felt they had been misled, hence the FTC issue.

It is interesting to note that it’s possible for a 3rd party to add data security for enterprises to Dropbox. What would need to be done by such a 3rd party to make Dropbox safe for enterprise data? What are the specific problems we need to solve to allow our most sensitive data to move into cloud storage?

  1. Encrypt all data - We need to ensure all data is encrypted with a key that we control and the storage provider does not. This means the storage provider can never hold our encryption key while it's open (in usable, unwrapped form).
  2. Replace file names - We also need to rename files so the file name itself does not leak information about the file's contents. One way to address this is to simply rename the file with a GUID-based filename.
  3. We need to track who is putting what files in the cloud. In other words, we need audit information that will give us visibility into how data is being used in the cloud so we know where our data is going.
  4. We need to be able to allow collaboration and sharing of data between users.
  5. We need to be able to report on confidentiality of all data moving into the cloud for compliance purposes.
  6. We need to be able to automate the enforcement of policies, key management, auditing and reporting of all of this.
  7. We need to be able to go to one central place to manage all of this.

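The list above reads as a design, so here is a small client that implements items 1, 2, 3 and 5 in working code. This is an added example written for this post; it is not CREDANT's product or anything from the original article. It assumes AES-256-GCM as the cipher, the enterprise key is handed to the client by a key server that is out of scope here (the provider never sees it), and the `SDB1` header and `.sdb` suffix are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// magic tags blobs written by this client, so Report can spot plaintext stragglers.
var magic = []byte("SDB1")

// AuditEntry records who put which file into the cloud folder, and under what name.
type AuditEntry struct {
	When     time.Time
	User     string
	Action   string // "seal" or "open"
	Original string // real file name; stays inside the enterprise
	BlobName string // GUID-style name, the only name the provider ever sees
}

// Client holds the enterprise key material; the storage provider never receives it.
type Client struct {
	aead  cipher.AEAD
	Audit []AuditEntry
}

// NewClient wraps a 32-byte (AES-256) enterprise key in an AES-GCM AEAD.
func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("need a 32-byte AES-256 key: %v", err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// newBlobName returns a random UUID-v4-formatted name (the ".sdb" suffix is made up here).
func newBlobName() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	b[6], b[8] = (b[6]&0x0f)|0x40, (b[8]&0x3f)|0x80 // version 4, RFC 4122 variant
	h := hex.EncodeToString(b)
	return fmt.Sprintf("%s-%s-%s-%s-%s.sdb", h[:8], h[8:12], h[12:16], h[16:20], h[20:]), nil
}

// Seal prepares a file for the sync folder. Blob layout: magic || nonce || AES-GCM
// ciphertext of (nameLen || name || contents), so the real name is encrypted too.
func (c *Client) Seal(user, name string, contents []byte) (string, []byte, error) {
	blobName, err := newBlobName()
	if err != nil || len(name) > 0xffff {
		return "", nil, fmt.Errorf("cannot seal %q: %v", name, err)
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	plain := make([]byte, 2, 2+len(name)+len(contents))
	binary.BigEndian.PutUint16(plain, uint16(len(name)))
	plain = append(append(plain, name...), contents...)
	blob := append(append([]byte(nil), magic...), nonce...)
	blob = c.aead.Seal(blob, nonce, plain, magic) // AEAD.Seal appends ciphertext+tag to dst
	c.Audit = append(c.Audit, AuditEntry{time.Now().UTC(), user, "seal", name, blobName})
	return blobName, blob, nil
}

// Open reverses Seal; it fails for blobs sealed under another key or modified in transit.
func (c *Client) Open(user, blobName string, blob []byte) (string, []byte, error) {
	hdr := len(magic) + c.aead.NonceSize()
	if len(blob) < hdr || string(blob[:len(magic)]) != string(magic) {
		return "", nil, fmt.Errorf("%s is not a sealed blob", blobName)
	}
	plain, err := c.aead.Open(nil, blob[len(magic):hdr], blob[hdr:], magic)
	if err != nil || len(plain) < 2 || len(plain) < 2+int(binary.BigEndian.Uint16(plain)) {
		return "", nil, fmt.Errorf("%s failed to authenticate or is truncated: %v", blobName, err)
	}
	n := 2 + int(binary.BigEndian.Uint16(plain))
	c.Audit = append(c.Audit, AuditEntry{time.Now().UTC(), user, "open", string(plain[2:n]), blobName})
	return string(plain[2:n]), plain[n:], nil
}

// Report answers "can you prove the data is encrypted?": a file in the sync folder counts
// as protected only if it authenticates under the enterprise key; the rest are flagged.
func (c *Client) Report(folder map[string][]byte) (protected, unprotected []string) {
	for name, data := range folder {
		if _, _, err := c.Open("compliance-scan", name, data); err != nil {
			unprotected = append(unprotected, name)
		} else {
			protected = append(protected, name)
		}
	}
	return protected, unprotected
}
```

With the key loaded, `Seal` returns the GUID-style name to use in the Dropbox folder together with the blob to write there, `Open` recovers the original file and records who accessed it, and `Report` walks the folder and lists anything that does not authenticate under the enterprise key, which is exactly the list an auditor asks for. Because the name is carried inside the encrypted payload rather than as associated data, the provider learns neither the contents nor the original name. Sharing between users (item 4) is a key-distribution question this client does not address.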
These core capabilities are required for enterprises to be able to leverage cloud storage and allow their users to do the same. Fortunately, systems that support these kinds of capabilities are beginning to emerge from 3rd parties.

The link below contains a video that is an example of just such a solution currently in development at CREDANT Technologies. The video focuses on the end-user experience for enterprise encrypted Dropbox usage.

The solution provides seamless end-user usage of Dropbox while automatically enforcing data protection policies that replace filenames, encrypt files, report compliance and centrally manage the entire activity.

In this video, we examine how a security client can be added to a device that is using Dropbox. The user can then place their files in a new Secure Dropbox folder and the data will be secured and then transferred to the Dropbox folder which will sync the data as it normally does. This is just one possible approach to protecting data with services like Dropbox. In the future, we will demonstrate other approaches and discuss pros and cons more fully. In the meantime, we look forward to any feedback the community may have.

Click here for the video.


Friday, May 6, 2011

Securing DropBox - Is there such a thing as one-size-fits-all?

The other day I commented that we need to make DropBox safe for the enterprise. I mean there have got to be millions of users who put work stuff in DropBox so as an industry we need to make sure all that data is safe, right? Sure. Of course. But how?

Ah, that’s where it gets tricky. As any security professional will tell you, electronic privacy is hard to do well. It requires a host of technologies like encryption, key management, identity management and authentication. More fundamentally, it requires that the provider and the customer agree on something called a threat model or risk profile.

What this means in the case of DropBox and other storage providers is that users really should answer several questions:

1. Who owns the data I’m putting in DropBox? – This is the person or organization responsible ultimately for protecting the data. And this will be the party that law suits, subpoenas and other unpleasant realities affect if the data is inappropriately disclosed.

2. Who should be able to view the data I’m putting in DropBox? – Is the data owner okay with data going into DropBox being public or should it be kept private?

3. What consequences would result from public disclosure of this data? – Who could be hurt?

4. Is it possible that anyone would want to use this data for illegal or malicious purposes? – What might the impact of that be?

5. Would someone be able to tamper with this data without my knowledge? – How can I continue to trust the data?

These and other questions turn what started out as something simple, a tool to help users get their jobs done, into a very serious consideration for most enterprises. When you stop to think about these questions, you reach one conclusion. Users should treat most providers like DropBox as publicly visible file shares. In other words, only put files in DropBox if you are okay with those files being available publicly at some point – because they just might become public someday.

But wait! There’s another side to this. Some vendors provide encryption to give user data privacy. That security may be built into the service or it may come as a 3rd party add-on. They say it’s military grade, AES-256 encryption. That’s the best encryption available, right? Right. So that takes care of it right? WRONG!

Cryptosystems are difficult to implement properly. So we are now back to the tricky part I mentioned earlier: we have to understand and agree on who we trust and what we want to prevent. Here are a few points to think about in assessing your risk posture with respect to services like DropBox (I’ll generalize a bit and call them cloud providers to avoid beating up poor DropBox unnecessarily since most of their competitors have the same issue):

1. Is it okay for the cloud provider to store your encryption keys? – this certainly makes it easier for you but what new risks does it expose you to?

2. Even if they don’t store the encryption keys, is it okay for the key to be open and used for encryption within the service? – In other words, will you allow the provider to use your open key to encrypt and decrypt data, even if they have to get the key from you? Why is that an issue? Because if they have your open encryption key, it’s possible that they or some malicious code could access your data.

3. How does the encryption key get opened? – Does it open automatically or require a user credential first? Obviously automatically is more transparent but prompting for a user password can be disruptive to your users. Where do you draw the line?

4. Is access to the data audited? – How do you know who is accessing or attempting to access your data?

5. Can you prove that the data is encrypted? – This is the fundamental question for auditors and a requirement if you want to show those pesky folks that as an enterprise you are taking the right steps to protect your data – even in the cloud.

The questions could go on and on, but you get the point. Not every user or enterprise has the same answers to all of these questions. There's no one-size-fits-all cloud security. Instead we need to start talking about Trust Models to better frame the conversation of what's okay and what's not okay in the cloud.

Wednesday, May 4, 2011

DropBox got a lot right - now let's make it safe for enterprise!

I feel for the folks at DropBox. I really do. They have built a fantastic service over the last years. It’s simple. It’s clean. It’s easy to use. It provides great value.

With this one service, I can keep data in sync across the many devices that have come into my life over the last 10 years: my laptop from work, my iPhone, iPad, home PCs and even my wife's Mac. I can even access this data from the browser on my kid's PlayStation. I can share work stuff with co-workers without waiting for someone to set up a share for me.

But there’s the rub. Work stuff. Yes, I CAN share work stuff with others or even use DropBox or many of its competitors as a virtual briefcase for taking work home. But SHOULD I?

Unfortunately, the answer currently is without a doubt – NO!

Why? Because many services like DropBox do not keep your data secure in a way that ensures only you can view it. How can I be so sure? Well, in the case of DropBox, they recently clarified just this in a privacy policy update where they noted that they remove encryption from data when they hand over data to law enforcement. The fact that DropBox can remove encryption means your data is not private to just you.

And that’s why I feel for folks at DropBox. They set out to do a great thing for the world and did it. But security is very hard and encryption among the hardest of security disciplines to get right. When you then try to make that security suit the needs of enterprises (remember the work stuff we talked about?) it’s a whole different story entirely.

What is needed is an enterprise encryption technology that supports DropBox and its many competitors. Such a solution would work with DropBox to support all the great capabilities they will continue to innovate while giving enterprises the ability to control the protection, audit the use and report compliance on their data in cloud services. Fundamental to these capabilities for enterprises is the ability for key management and encryption to stay in the enterprise itself. I’m looking forward to seeing solutions to this problem in the near future.

In the meantime, does that mean that of the millions of customers of DropBox, SugarSync, Box.net, Soonr and all the rest, no one is using work stuff (i.e. enterprise data) with those services? Not a chance! In fact, they are doing it at an alarming pace. And that is all the more reason for urgency in solving this problem – soon!