Cloud Zone is brought to you in partnership with:

Ben Kepes is an analyst, and entrepreneur, an commentator, and a business adviser. His interests include a diverse range of industries from manufacturing to property technology. As a commentator he has a broad presence both in the traditional media and as an extensive blogger. He sits on the boards of a number of organizations, both commercial and not-for-profit. Ben is a DZone MVB and is not an employee of DZone and has posted 197 posts at DZone. You can read more from them at their website. View Full User Profile

Sure Dropbox is Potentially Insecure, but Does it Matter?

  • submit to reddit

It’s summertime down in my neck of the woods and that’s a good time to go out on a limb with a statement that might get people a little fired up. Bear with me on this one though… Over on GigaOm Barb Darrow has a good write up about the findings of a survey commissioned by Nasuni into the use of Dropbox within large enterprises. As she wrote:

One out of five of 1,300 business users surveyed said they use the consumer file-sync-and-share system with work documents… And, half of those Dropbox users do this even though they know it’s against the rules. The most blatant offenders are near the top of the corporate heap — VPs and directors are most likely to use Dropbox despite the documented risks and despite corporate edicts. C-level and other execs are the people who brought their personal iPads and iPhones into the office in the first place and demanded they be supported.



Now it has to be mentioned that this survey was sponsored by Nasuni, an enterprise storage vendor that has a vested interest in stirring the pot about shadow IT. Clearly companies providing a more ‘enterprise grade” service do well out of panicking all those overworked CIO types about rogue IT within their organization. But I wonder if it’s not worth taking a step back and looking at this from a pragmatic perspective.

First, why do people go around IT to use Dropbox? In the majority of cases these are good, solid, hardworking employees that don’t want to introduce risk to their organization but that do want to get stuff done. For whatever reason (inflexible legacy systems, stubborn IT departments, need to be agile) they’ve decided that for a particular project, they want to introduce Dropbox into their workflow to quickly and easily share some content.

Now clearly this might breach an IT policy here or there and potentially (but only potentially) may introduce a vector for data loss. But let’s look at the practicalities here – oftentimes the content being shared isn’t exactly ground breaking – while I’m sure there are cases where the recipe for ana amazing new miracle drug has been shared outside of the organization and gazillions of dollars in pharma revenue might have been risked (or not), the majority of example that I’ve seen are much more mundane than this – maybe a marketing plan here, a draft report there or (heaven forbid) a guest list to the department’s client Christmas party.

In another part of my life, I’m a firefighter and have spent a bunch of time looking at risk assessment and reduction. In firefighting situations we use a simple matrix to determine whether a course of action should be taken or not – essentially we look at the potential outcomes from that course of actions (on a continuum from minor to catastrophic). Along the other axis is the chance of that outcome occurring. A matrix might look like this:


If we apply this methodology to the “Dropbox in an enterprise setting” – let’s see what we come up with. Of those 20% of organizations where Dropbox is being used, and across the 100 million users that Dropbox boasts of, how many people are really sharing critical business information as opposed to more mundane content? I’d wager that the vast majority falls into the “mind numbingly boring to anyone outside of the org” category and hence the severity of harm from a data breach could be seen as negligible.

On the other hand, we need to look at the likelihood of harm. While of course conceptually we can imagine an entire plethora of ways in which it could happen, the fact is those 100 million users are, for the most part, using Dropbox an suffering no data loss – as a measure of likelihood of harm occurring then, data loss from Dropbox is reasonably low.

So let’s plot that axis and see where there is a real issue. It seems to me that the situation of real concern is where highly critical organization data is being shared, and individuals have poor security practices (simple passwords, using passwords on multiple sites etc). Outside of this situation, the severity and likelihood measures would indicate that, just maybe, we could relax about the use of Dropbox within the organization a little.

Now of course my infosec friends are paid to be eternally suspicious. These guys are (professionally at least) glass half empty – heir concerns are valid and they bring an important balance to the picture. But it’s just that, balance, at the same time we need to look long and hard at the benefits that “rogue IT” can bring and ask ourselves whether we shouldn’t in fact lighten up a little.

Of course all this would be solved by simply storing Dropbox content within a truecrypt folder – but my point still stands – shouldn’t we lighten up some?


Published at DZone with permission of Ben Kepes, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)


Stephen Gacho replied on Thu, 2013/01/24 - 5:30pm

 At the core of the task scheduler is implementing the scheduling engine. There’re so many options available to you. -Missed Fortune 

John Smith replied on Tue, 2013/02/19 - 4:38am

 Thank you for some other informative website. The place else may just I get that kind of information written in such a perfect method? I have a venture that I am simply now running on, and I’ve been at the glance out for such info.      interior designs singapore


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.