NEWS ANALYSIS: While cloud service providers try to ensure their offerings are reasonably secure, they usually fall short of this basic requirement because their greatest weakness is a failure to anticipate how users will defeat their security.
The list of problems with Dropbox was hardly surprising, since the same list applies to other providers of public cloud services. First, security depends solely on a name and password to gain access to a person's files. Second, Dropbox apparently had no oversight of employee practices, including the use of live customer data in development. Third, it's fairly clear that Dropbox had not provided adequate training in basic security practices such as not reusing passwords.
Because of these shortcomings, the Dropbox breach was not a matter of if it would happen, but rather when it would happen. In this case, the only thing we know has happened is that a number of Dropbox users got some spam for gambling sites. As far as we know, only the customer email addresses in the Dropbox employee's breached storage area were compromised.
Dropbox has now promised to clean up its act. The company will begin requiring two-factor authentication, will add a way to spot suspicious activity and will give users a means to review the activity on their own accounts. And the company is asking for password changes on some accounts. If you're a Dropbox user, you should at the very minimum change your password to one that's both very strong and unique, and don't wait for the company to tell you to do it.
Unfortunately, the Dropbox breach has implications that stretch far beyond Dropbox. Most public cloud services have similar weaknesses because they, too, rely only on a user name and password to protect the data. If that information becomes known, then the contents of a user's cloud storage area are open for the taking.
Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.
He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.