By: Dr. Steve Marsh, VP of Product, Nucleus Cyber
Cloud based collaboration tools, like Dropbox, are one of the best and worst things to happen to business collaboration. Ironically, the ease of which users can share files is both their appeal and security downfall.
Today, the options for sharing and collaborating on content are more plentiful than they have been at any other point in time. Tools have evolved to the stage where collaborating in real time, on a single piece of content through simultaneous editing and conversing with team members in the same user interface, has become commonplace.
With tools like Dropbox, it has never been easier to share files with a colleague or a third party (i.e., simply copy and send the link), either inside or outside your organization. Plus, you can access files from any device with mobile apps designed to access your cloud shares at any time, from anyplace.
When used properly, link sharing is a useful collaboration tool. In fact, it’s a common capability found in most collaboration platforms (not just Dropbox). However, improper usage can have serious data privacy and exposure repercussions. While companies rely on collaboration tools to facilitate communication and improve productivity, platforms like Dropbox are teeming with sensitive data, from intellectual property (IP) to customer information.
Therefore, it’s easy to see how this surge in collaboration tool use has caused companies to struggle to identify and secure sensitive data within cloud storage platforms because of the very reason they have become so popular-the ease of sharing files with almost anyone inside and outside of the organization.
Dropbox Sharing May be Putting Your Data at Risk
Collaboration has its advantages, but also comes with some pitfalls. Following are three reasons why standard Dropbox sharing may be putting you at risk:
Securing the data repository doesn’t fully protect the content
It’s an approach that’s been around almost since the dawn of time when it comes to protecting what is valuable to us. Whether personal possessions, money, or – in this case – sensitive data, we put them in a location that we attempt to make safe by making it difficult for someone to access – usually by hiding it and securing it with some type of lock. In the IT world that means keeping the data in a location, such as Dropbox, that is not accessible by “just anyone” and securing it with access controls (like permissions).
However, with today’s Cloud storage options, repositories are no longer hidden behind a firewall or buried within a corporate network. Instead, they’re hosted on the internet. While the location of these repositories is not readily available to the general public, if settings are misconfigured (as was the case in a well-publicized mass Box security incident), folders can be scraped and indexed by Search Engines and easily found with little know-how, putting your data at risk.
Data and users are in a constant state of movement and change
Today, many of us work remotely from almost anywhere at any time: home offices, customer or partner sites, coffee shops, airports, etc. Even if a daily commute to an office is still the norm for employees, it’s very likely they occasionally need to access work-related data outside of office locations. This changing workplace dynamic is one of the reasons that cloud-based collaboration tools, like Dropbox, became so popular.
Just as users’ context changes, so does the data that they interact with. As the content changes, so can the associated level of sensitivity. A file may not start off as sensitive in nature, but as data-such as personally identifiable information (PII)- is added, it needs to be treated differently.
If security is based on the location of sensitive data, how can you ensure that as it evolves it is moved to the correct secure location? Taking that one step further, as it is accessed, shared or downloaded, how can you ensure that data is being appropriately handled if protection stopped at the folder or data repository perimeter?
This is important to consider with new data regulations, such as GDPR, extending to legitimate and correct use for handling sensitive data, and holding organizations accountable for more than just securing the content at rest in its repositories.
Quite simply, users make mistakes
Here are a few examples of the types of simple error that happen every day:
- Accidentally sharing a sensitive file with the wrong individual or group.
- Mistakenly sharing the wrong file either by Dropbox or email attachment.
- Sharing a file with a setting that is too open and allows recipients to then share it with others (e.g., The “anyone with the link can view” setting.
- Sharing sensitive data with someone who should not have access to it (e.g., “I’m not supposed to send you this but…”).
- Delegation of the creation of the sharing folders to end users, which results in wrongly configured sharing settings (e.g., anyone with the link can access the file or folder, or files are accidentally open to the public internet).
Reliance on “secure” locations once again fails when it comes to protecting against these user error scenarios. Users are usually not being malicious or deliberately trying to damage their own organization – human error is a common side effect of the modern collaboration environment that we operate in.
Four Tips to Protect Dropbox Content
While Dropbox has built-in security capabilities, sensitive information is still at risk from accidental sharing and misconfigured settings caused by human error. An effective security model must take a balanced user and data-centric approach to protecting sensitive data.
The collaboration tools themselves cannot take center stage with the security mechanisms, but instead must work in tandem with technologies that maintain security long after the data has left the confines of the repository. To do this successfully, organizations must adopt a data-centric approach to security to provide adequate protection for modern collaboration.
1. Security should travel with your data – Data-centric security emphasizes the security of the data itself, rather than the security of networks, servers, repositories or applications. If security is placed on the data, then it travels with the file no matter where it goes or who it is shared with. Modern data-centric security tools can look at the file contents and context to make intelligent decisions on how the data can be shared and with whom.
2. Security should adjust to your data and users – A successful security strategy must look at data on a continuous basis to account for how information and its associated access attributes change over time. Assess the risk profile associated with the data and use case, then consider the security that should be applied in each scenario. For example, consider a user accessing a file from their personal device from a public location. Should the user be limited to read only access if it’s sensitive data? Or, perhaps the document is so sensitive you don’t want to provide remote mobile access to it at all.
3. User training alone is not enough – A recent report from Cybersecurity Insiders looked at what companies believe are the drivers for insider attacks. The top answer – lack of user training. The solution to the problem most cited – more user training. While employees need access to sensitive information to do their job, organizations need a plan to make sure their own people are not the cause of a data breach – both malicious insiders and negligent insiders. However, training alone isn’t the answer – training backed by automated enforcement is.
Technology exists to effectively eliminate user error to protect both sensitive data and your people – two of your most valuable assets. The stakes are too high to accept a strategy that is full of holes and caveats. And the excuse of it being a matter of trust in your employees is a little naive. Unfortunately, there are sometimes abuses of trust, but remember that trust goes both ways. Organizations have a responsibility to uphold the trust that their employees place in them to provide reasonable protection for when things go wrong.
4. Balance the needs of users with the security obligations of the organization – A successful data-centric strategy keeps the right balance between what users want from a collaboration perspective and what the organization demands from a security perspective. Go too far in either direction and you can make your situation worse. Too lax and your data can be shared too freely. Too stringent and your users will find alternative ways to share and collaborate. In either situation, you lose visibility and control of your sensitive data.
At the end of the day, the pros of using collaboration tools (like Dropbox) outweigh the risks. Just as organizations have modernized their collaboration methods and tools, the same investment must be made to ensure that data security can keep pace.
Data-centric technologies that adapt security controls to match data sharing scenarios, without placing a burden on users that will cause them to circumvent or reduce their productivity, is the key to secure collaboration inside and outside of Dropbox.