An Enterprise Approach to Securing Dropbox

(See end of this post for a link to a demo video showing enterprise encryption for Dropbox and a beta registration form.)

This blog started by looking at the security of Dropbox and examining some of the issues that go into protecting data in a service like Dropbox. Since the first blog post, Dropbox has fallen under some significant heat and has now been the unfortunate recipient of an FTC complaint specifically because people feel they were mislead regarding the data security of Dropbox. When Dropbox recently clarified their privacy policy, some who had been using the service with sensitive data felt they had been misled, hence the FTC issue.

It is interesting to note that it’s possible for a 3^rd party to add data security for enterprises to Dropbox. What would need to be done by such a 3^rd party to make Dropbox safe for enterprise data? What are the specific problems we need to solve to allow our most sensitive data to move into cloud storage?

1. Encrypt all data - We need to ensure all data is encrypted with a key that we control and the storage provider does not. This means the storage provider can never have our encryption key when its open.
2. Replace file names - We also need to make sure we rename files so we avoid leaking information about the file from the file name itself. One way to address this is to simply rename the file with a GUID-based filename.
3. We need to track who is putting what files in the cloud. In other words, we need audit information that will give us visibility into how data is being used in the cloud so we know where our data is going.
4. We need to be able to allow collaboration and sharing of data between users.
5. We need to be able to report on confidentiality of all data moving into the cloud for compliance purposes.
6. We need to be able to automate the enforcement of policies, key management, auditing and reporting of all of this.
7. We need to be able to go to one central place to manage all of this.

These core capabilities are required for enterprises to be able to leverage cloud storage and allow their users to do the same. Fortunately, systems that support these kinds of capabilities are beginning to emerge from 3^rd parties.

The link below contains a video that is an example of just such a solution currently in development at CREDANT Technologies. The video focuses on the end-user experience for enterprise encrypted Dropbox usage.

The solution provides seamless end-user usage of Dropbox while automatically enforcing data protection policies that replace filenames, encrypt files, report compliance and centrally manage the entire activity.

In this video, we examine how a security client can be added to a device that is using Dropbox. The user can then place their files in a new Secure Dropbox folder and the data will be secured and then transferred to the Dropbox folder which will sync the data as it normally does. This is just one possible approach to protecting data with services like Dropbox. In the future, we will demonstrate other approaches and discuss pros and cons more fully. In the meantime, we look forward to any feedback the community may have.

Click here for the video.