The now well publicized Dropbox security breach was the result of two things that Dropbox could have foreseen, and could have prevented. The first was failing to anticipate user misconduct, and the second was failing to take steps that would allow the site to remain secure even if the users werent. This was exacerbated by Dropbox employee practices that should never have been allowed and by lax management oversight.
In other words, Dropbox created the perfect storm when it comes to security. For me, the whole thing took on a form of déjà vu. A few days prior to the disclosure of the Dropbox breach, Id been chairing a panel at the NetEvents Americas Press and Analyst Summit in Miami. The topic of that panel was specifically about the security challenges to mobile users of cloud applications and services. A significant part of the discussion was about just the sort of weakness that Dropbox revealed.
The list of problems with Dropbox was hardly surprising since the same list applies to other providers of public cloud services. First, the security depends solely on a name and password to gain access to a persons files. Second, Dropbox apparently had no oversight into employee practices, including the use of live customer data in development. Third, its fairly clear that Dropbox had not provided adequate training in basic security practices such as password reuse.
Because of these shortcomings, the Dropbox breach was not a matter of if it would happen, but rather when it would happen. In this case, the only thing that we know has happened was that a number of Dropbox users got some spam for gambling sites. As far as we know, only the customer email addresses in the Dropbox employees breached storage area were compromised.
Dropbox has now promised to clean up its act. The company will begin requiring two-factor authentication, a way to spot suspicious activity and a means for users to examine the activity on their accounts for suspicious activity. And the company is asking for password changes on some accounts. If youre a Dropbox user you should at the very minimum change your password to one thats both very strong and unique, and dont wait for the company to tell you to do it.
Unfortunately, the Dropbox breach has implications that stretch far beyond Dropbox. Most public cloud services have similar weaknesses because they, too, rely only on a user name and password to protect the data. If that information becomes known then the contents of a users cloud storage area are open for the taking.
Encryption Is a Must for All Sensitive Data
Since its unlikely that you can depend on your public cloud provider to provide really good security any time soon, you need to take matters into your own hands. Here are a few things you can do:
- If possible, make sure your user name and password are unique to the service. If you must use your e-mail address for a user name, then use one not used elsewhere, even if you have to create one.
- Dont share your login information.
- Dont ever, under any circumstances, put documents or records subject to compliance requirements into a public cloud service. Not ever.
- Encrypt any files you put into a public cloud service before you upload them. There are a number of ways to do this, including some open source automatic encryption packages.
- If youre using a public cloud service, change your password. Now. Then do it again on a set schedule. This helps ensure that if you did reuse your password, a hacker wont have as much likelihood of getting to your data.
- Dont make the public cloud service the only place where you store critical data. Its great as a place to keep presentations so you dont lose them, pictures of your pets and grandchildren so you can show them off and things like to-do lists. If the data contains information that needs protection, such as credit card or social security numbers, encrypt it or dont store it there.
- Keep tabs on your account, check it for unusual activity or unexpected changes to content, or other evidence that someone else may have been there. If you find that, either change your password immediately, or get your stuff out of the cloud, close your account and find another provider with better security.
The one thing missing from Dropboxs statement about its breach is more detail on what theyre doing in terms of additional controls. Did they remove the employee from a position in which they had contact with customer data? Is there better management oversight? Is the company improving its training?
The sad truth is that there is no shortage of dumb things that users can do to compromise security. This has never been a secret and it isnt now. Dropbox should have anticipated this, and should have taken steps to make sure it wouldnt happen. Perhaps now the company will take those steps.
What it means to you is that before you store data thats even remotely important or sensitive, check the security policy and practices of the cloud service youre planning to use. Then encrypt everything anyway.
