Dropbox Password Breach Highlights Cloud Security Weaknesses
NEWS ANALYSIS: While cloud service providers try to ensure their offerings are reasonably secure, they usually fail in this basic requirement because their greatest weakness is their failure to anticipate how users will defeat their security.
The now well-publicized Dropbox security breach was the result of two things that Dropbox could have foreseen and could have prevented. The first was failing to anticipate user misconduct, and the second was failing to take steps that would allow the site to remain secure even if the users weren't. This was exacerbated by Dropbox employee practices that should never have been allowed and by lax management oversight. In other words, Dropbox created the perfect storm when it comes to security.
For me, the whole thing took on a form of déjà vu. A few days prior to the disclosure of the Dropbox breach, I'd been chairing a panel at the NetEvents Americas Press and Analyst Summit in Miami. The topic of that panel was specifically about the security challenges to mobile users of cloud applications and services. A significant part of the discussion was about just the sort of weakness that Dropbox revealed.
The list of problems with Dropbox was hardly surprising since the same list applies to other providers of public cloud services. First, the security depends solely on a name and password to gain access to a person's files. Second, Dropbox apparently had no oversight into employee practices, including the use of live customer data in development. Third, it's fairly clear that Dropbox had not provided adequate training in basic security practices such as avoiding password reuse.