Dropbox is a widely used cloud-based storage platform that is now the target of security researcher scrutiny, as user data privacy is being called into question. A pair of researchers at the USENIX security conference in August released a white paper in which they describe methods for attacking Dropbox and obtaining user data. While the merit of the actual research is debatable, it raises questions about what enterprises should be doing to protect the integrity and security of data in the cloud.
While Dropbox is aware of the research, it isn't treating it as a security risk that demands immediate attention. A Dropbox spokesperson noted in an email to eWEEK that Dropbox appreciates the contributions of security researchers and everyone who helps keep Dropbox safe. That said, Dropbox does not currently hold the view that the research presented at the USENIX conference presents a vulnerability in the Dropbox client.
"In the case outlined there, the user's computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board," the spokesperson said.
Although Dropbox is not raising the alarm bells about cloud storage security, others are. Willy Leichter, senior director at CipherCloud, told eWEEK that the problems with the cloud storage security model go beyond the bugs found in Dropbox's authentication method.
"Cloud-based file sharing sites bypass most corporate security, but businesses still need to be able to inspect information leaving their networks and prevent loss of sensitive or regulated data to unauthorized outsiders," Leichter said.
Steven Sprague, CEO of Wave Systems, told eWEEK that in his view, the fundamental problem is that Dropbox can read all of the files, for all of the customers.
"The fact that they are stored encrypted is of no value if the keys are owned by Dropbox," Sprague said.
Geoff Webb, director of Solution Strategy at NetIQ, agrees that ownership of the encryption keys is a key consideration. Webb told eWEEK that one of the big fallacies that users make is assuming that simply because companies like Dropbox encrypt their data, that it's somehow perfectly safe.
"So while you may be assured that data you upload to Dropbox is encrypted, you can't be sure of who has access to the keys themselves, and if the keys are compromised, the encrypted data is no longer protected," Webb said.
The challenge for Dropbox and indeed for anyone trying to provide a secure online cloud service is that ease of use and security are often antithetical. Matt Richards, vice president of products at open-source cloud storage vendor ownCloud, told eWEEK that it's important to remember that security is relative: The most secure system is one that no one can access. In his opinion, that is the opposite of the Dropbox experience, which is all about ease of use.