A potential Dropbox security breach has sparked concerns about cloud application security and has given some corporate Dropbox customers reason to tighten their employee use
A number of Dropbox users clustered throughout Europe have recently reported they received spam from an online casino. Those being spammed said they signed up for the popular cloud storage and file-syncing service with an email address created specifically for Dropbox.
IT pros have reason for concern because many people use the same logins and passwords for both work and personal services, industry watchers said. A security breach at Dropbox could potentially lead to a hacker finding access to corporate systems.
Dropbox said it has not had any reports of unauthorized use, and it has hired an outside team of security experts to assist them in determining the root of the problem.
Though the breach may be benign, it's a "scary" reminder how insecure the cloud can be, said Raheel Retiwalla, founder of Fuzed, a Dallas-based software company that uses Dropbox.
"Because we buy into the cloud for everything we do, it's easy to take security for granted when you go a long time without things like this happening," Retiwalla said.
Dropbox is "the poster child" for an application that's infiltrated the enterprise with huge security implications, but it's not just a problem isolated to Dropbox, said Eric Chiu, founder of HyTrust Inc., a Mountain View, Calif.-based virtualized infrastructure security and management vendor that offers employees a Dropbox alternative.
"Potential security breaches like this highlight that your data is out there, whether [organizations] like it or not," Chiu said.
While the issue is specific to Dropbox, it also impacts the overall perception of the cloud's security because employees use many other cloud-based applications that pose the same risks.
"Even if this doesn't impact people, it's still scary for the cloud when organizations and IT are just getting comfortable with it," Retiwalla said.
Dropbox shop reconsiders policies
As soon as Retiwalla heard the news of the possible Dropbox security breach, he had the company's "sergeant-like" network administrator make sure the company's data had not been comprised. Luckily, the company hasn't been affected.
The breach did, however, provide Retiwalla with the perfect opportunity to remind employees of the policies and guidelines established for safe Dropbox use, which include changing passwords on a regular basis.
"Our team is very strict about its use," Retiwalla said. Intellectual property and moderately sensitive documents related to customers are not allowed to be stored in Dropbox, but everything else is "fair game," he said.
But, "It might be time to revisit what we allow employees to do with Dropbox," he said.
Fuzed created a cloud-based social collaboration tool, and the worry is if Dropbox or another popular Software as a Service (SaaS) app suffers a major security breach, it will have a negative impact on the company's bottom line.
SaaS, cloud face constant threat of a breach
Controlling and governing the use of SaaS apps such as Dropbox is "like a whack-a-mole challenge," Chiu said. No matter how many IT accounts for and knocks down, there's always another one ready to pop up.
IT can prevent the risk if they provide employees "a reasonable alternative" so they aren't compelled to turn to their own personal applications and systems.
HyTrust saw early on that the use of Dropbox could create a data security headache, so the company adopted an alternative a few years ago that could tie into Active Directory and offer the IT department granular security control. Chiu would not reveal which Dropbox competitor HyTrust was using.
Employees have been happy enough with the supported alternative that HyTrust hasn't concerned itself with the rogue use of Dropbox in the organization.
If it turns out Dropbox has suffered a security breach, Retiwalla said he would look at another cloud storage and file-syncing service, such as SkyDrive from Microsoft.
But, he is aware DropBox alternatives are also a risk. "Hackers target Dropbox today, and tomorrow it could be someone else."
With more than 50 million users, Dropbox has still only had minor security breaches over the years. Those include recent flaws in its mobile apps, and last year accounts were left unprotected for four hours because of a coding error.
Following that security lapse in 2011, Dropbox said it was rededicating itself to user security. Unfortunately, that wasn't good enough for IBM, who notoriously banned the use of Dropbox by employees last May.