Is it Safe to Store Proprietary Data in DropBox?

Over the last 5 years, the volume of information that is shared and/or stored in the public cloud due to the increased use of social media platforms such as Facebook, Twitter, and LinkedIn has soared.  According to a report called “The Growth of Social Media“, compiled by Search Engine Journal:         

Facebook has in excess of 640 million registered users with over 7 billion pieces of content shared weekly. Twitter has in excess of 299 million registered users with over 95 million tweets per day. LinkedIn has in excess of 100 million registered users.
The risks associated with these popular social media platforms are well documented.  Fortunately, businesses worldwide are quickly evolving their understanding of the risks of what information should and should not be communicated or shared by employees via the various social media platforms. However, these same businesses may be at an even greater risk of exposing proprietary and confidential information by their employees through the use of public cloud storage platforms such as Dropbox.

At the Carmel Valley eDiscovery Retreat (CVeDR) held July 22-25, 2012 in Monterey, California, I had the pleasure of moderating several panel discussions on cloud computing featuring industry experts in eDiscovery, Internet security and the legal risks associated with storing data in a public cloud.  The consensus from the panels was that storing any data in the public cloud poised both a security and a legal risk.  
The recommendations from these experts regarding what data businesses should put in the public cloud varied from “don’t put any data in the public cloud” to “don’t put any proprietary or confidential data in the public cloud.”  However, regardless of what the experts say, the operational efficiencies and financial incentives of cloud computing are just too great for businesses to ignore.  But, that doesn’t mean that business owners should ignore the facts.

The Experts are Cautious

The consensus among the CVeDR cloud panel experts was that there was probably more data stored in Dropbox than most businesses realized and that it was a potential source of risk. Several of the lawyers on the CVeDR panels indicated that a business could potentially lose its claims to properly protecting trade secrets and other proprietary information by merely storing data in storage technologies like Dropbox.  The security experts on the CVeDR panel contended that there were still some very worrisome security issues with storage technologies like Dropbox.

What DropBox Says 

According to its website, Dropbox contends that they use modern encryption methods to both transfer and store your data such as Secure Sockets Layer (SSL) and AES-256 bit encryption.  In addition Dropbox contends that the Dropbox website and client software have been hardened against attacks from hackers, that public folders are not browsable or searchable and public files are only viewable by people who have a link to the file(s).

What Can Happen

However, Dropbox actually uses Amazon’s Simple Storage Service (S3) for storage and therefore they really don’t even have direct control over the security of the files that you store.   The potential problems with Cloud Service Providers (CSPs) such as Aamazon S3 was very evident this summer as a severe storm that rumbled across the Eastern U.S, leaving nine people dead and millions without power, also disrupted an Amazon Web Services data center, affecting service for social media sites like Pinterest, Instagram and Netflix, which host their services at Amazon’s data centers.

In another alarming security development for AWS, on Monday August 6, 2012,  Amazon changed its customer privacy policies closing security gaps that were exploited in the identity hacking of Wired reporter Mat Honan on Friday. As posted on the website in an article by Nathan Olivarez-Giles titled, “Amazon Quietly Closes Security Hole After Journalist’s Devastating Hack“, previously, Amazon allowed people to call in and change the email address associated with an Amazon account or add a credit card number to an Amazon account as long as the caller could identify him or herself by name, email address and mailing address — three bits of personal information that are easily found online.

Nathan Olivarez-Giles reports in this article that on Tuesday August 7, 2012,  that
 Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.

Amazon officials weren’t available for comment on the security changes, but during phone calls to Amazon customer service on Tuesday, representatives told us that the changes were sent out this morning and put in place for “your security.”

The security gap was used by hackers, one of whom identified himself as a 19-year-old going by the name “Phobia,” to gain access to Honan’s Amazon account on Friday. Once Phobia and another hacker gained access to Honan’s Amazon account, they were able to view the last four digits of a credit card linked to the account.

The hackers then used those four digits to trick Apple customer service into thinking it was dealing with Honan. Apple customer service then gave the hackers a temporary password into Honan’s Apple ID, which the hackers used to wipe his iPhone, iPad and MacBook, and gain access to a number of email accounts as well as his Twitter account.

We discovered Amazon’s policy change on Tuesday after we failed to replicate the exploits used on Honan this weekend. Amazon declined comment on the security hole on Monday, and has since failed to return repeated phone calls from Wired about the vulnerability.
In regards to these cloud storage vendors being able to keep data secure. Dropbox confirmed Tuesday, July 31, 2012 that its users had been experiencing a spam onslaught, and reported that the issue was tracked to employee. “Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts,” said Aditya Agarwal, VP of engineering at Dropbox, Tuesday in a blog post.
However, many of the spam attacks were ultimately traced to a password-reuse problem that existed within Dropbox itself. “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses,” said Agarwal. “We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.” Those controls will include a page that lets users review the login history related to their account, mechanisms for identifying suspicious activity, as well as two-factor authentication.
There is no doubt that weather related issues have knocked out corporate data centers and passwords have been compromised behind the firewalls of even the largest corporations in the world.   However, when this happens, the corporate stakeholders at least have someone to hold accountable.  When these types of things happen with a cloud storage provider such as DropBox, the DropBox Service Level Agreement (SLA) protects DropBox from any direct responsibility or damages.Recommendation

Moving data to the public cloud is already happening at an accelerating rate.  And, the operational efficiencies and financial benefits are just too great for this trend to slow down.  Therefore, even though it is a fair question to ask if it is safe to move your data to a public cloud, a more realistic question might be, “What do I need to know and what do I need to do to ensure that my data will be safe once I move it to the public cloud?

With input and guidance from the CVeDR cloud panel experts, my recommendations are as follows:
  1. Don’t move any business data to the public cloud that is confidential, proprietary or is the essence of valuable corporate Intellectual Property (IP).
  2. Have your legal department read the providers Service Level Agreement (SLA).
  3. Develop and/or follow corporate data retention policies in regards to the data you store in the public cloud.
  4.  Develop and/or follow corporate password and other security policies in regards to the data you store in the public cloud.
  5. Talk to the cloud storage provider about eDiscovery and develop a joint plan for how it is going to be accomplished and how much it is going to cost.

Storing data in the public cloud is inexpensive and very efficient.  Just be aware that there are risks that need to be mitigated and addressed.

About Charles Skamser
Charles Skamser is an internationally recognized technology sales, marketing and product management leader with over 25 years of experience in Information Governance, eDiscovery, Machine Learning, Computer Assisted Analytics, Cloud Computing, Big Data Analytics, IT Automation and ITOA. Charles is the founder and Senior Analyst for eDiscovery Solutions Group, a global provider of information management consulting, market intelligence and advisory services specializing in information governance, eDiscovery, Big Data analytics and cloud computing solutions. Previously, Charles served in various executive roles with disruptive technology start ups and well known industry technology providers. Charles is a prolific author and a regular speaker on the technology that the Global 2000 require to manage the accelerating increase in Electronically Stored Information (ESI). Charles holds a BA in Political Science and Economics from Macalester College.