A few weeks ago, Dropbox made the kind of headlines no cloud service wants due to a security breach and compromised customer data. This event put the spotlight on the security of personal file-sharing sites, particularly if they're being used to share business data. Employees have many reasons for using sites such as Dropbox, Microsoft SkyDrive, or Google Drive, which is why it's necessary for IT departments to be aware of the security liabilities and how they can alleviate the problem -- at least as much as possible.
First of all, I suspect most of these services might have prohibitions in the small print of their terms of service against any "commercial" uses, particularly if they also have a business-focused level of service that they'd like to sell you. However, we all know no one ever reads those terms of service. Using these services is an easy way to exchange files with external clients when email won't do (e.g., file size is too large). As security expert and Windows Security MVP Orin Thomas wrote, "People don't use cloud drives because they want to share confidential documents, but because they are convenient. Unfortunately convenience is the bane of security."
Part of that convenience is the anywhere access on any device that users can get with these services. You store something to the cloud, then you can pull it up later whether you're at your desk, working remotely on a laptop or tablet, or even on the fly on a smartphone. Of course, every access point is a potential security hole, and with mobile computing devices, you have the added fear of lost or stolen devices, which could still contain data or even stored passwords.
Another reason employees might be using personal file-sharing sites is the fact that they're free. With reduced staff and reduced budgets, we're all being asked to do more with less. Coming up with a file-sharing solution that costs nothing and doesn't involve the IT department just might be considered a winner in many cash-strapped businesses. Even without actively encouraging use of these sites, companies might be facilitating their use by not having an enterprise-grade solution and appropriate security policies in place.
You might take the security precaution of attempting to blacklist these sites at your corporate gateway -- a solution that requires you to know which sites your employees are likely to use, and might only be partially successful anyway. And you can put policies in place forbidding users from sending corporate data to any cloud storage site, but we all know how effective such policies can be when they rely solely on users to cooperate, right? So, considering that employees are going to use these file-sharing sites anyway, what can or should you do to protect both your network and your company's data?
At the root of this problem are the passwords users assign to their file-sharing sites, and the fact that they're probably using those same passwords for accessing other Internet sites or even the corporate network. This problem is specifically what the Dropbox hack revealed, as it was a Dropbox employee whose work password was compromised because he used the same one on a different site, which was where the hack originated.
"The challenge is that employees can't remember more than four or five strong passwords, so ultimately they take shortcuts with those passwords," said Bill Carey, vice president of marketing and business development at Siber Systems, makers of the RoboForm password manager. "They end up using the same password on multiple sites, or using the same password at work that they use on personal accounts, putting the yellow sticky on the monitor, sharing with a neighbor."
User training about good password management is essential -- and it's not just beneficial to cloud storage sites but to everything users do that's password protected. You can't dictate the password complexity of sites that your employees visit from their work computers, but you can make sure they know a strong password from a weak one. As Carey said, "Train them on techniques for how to create passwords that are unique and strong but easy to remember."
From a user standpoint, I think "easy to remember" is paramount. Carey suggested a couple of methods you can use, such as taking simple words and replacing letters with numbers or symbols; for example, "wireless" could become "Wir3Le$$" for a stronger password; alternating uppercase and lowercase letters will help as well. Another method is for users to pick a phrase they can remember and use the first letter of each word. So, "When you come to a fork in the road, take it," becomes "WYC2aFitRTI." Of course, these methods for developing strong passwords have been around for years, which means the hacking algorithms are also wise to them; nonetheless, they'll give you much stronger passwords than "wireless" or "password1."
Not using the same password on multiple sites is another key security principle. "The number one thing that these small businesses, and even people personally, should think of is using a unique password for all these different sites," Carey said. If you're relying on a third-party site for data storage, you have to accept that eventually that site could be hacked. By using unique passwords, a security breach one place isn't going to compromise any other data or systems you have going. "At least you can minimize your damage by having unique passwords for everything," Carey said.
You might find that training alone isn't enough. "Your next logical step up would be to invest in a password manager," Carey said. "The software can create really long strings of passwords. They can be longer than the 8 letters in football; they can be 12 or 15 characters because you don't have to type them in and remember them anyway. And they can be completely randomized with numbers and special characters and everything else -- and unique for every website."
The benefit of a password manager is that users have to remember only one complex password -- to the application itself -- and it handles entering usernames and passwords for them for each password-protected site they visit. Many commercial password managers are available, including Siber Systems' Roboform. Some are available for free or with free and premium editions; others you'll have to pay for. Some are cross-platform, others not. And some have mobile versions as well as browser or desktop editions. Be sure to check out all your options if you go this route -- and remember what it is you're trying to secure in the first place.
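As an added illustration of the two points above (substitution tricks such as "Wir3Le$$" are undone by the first rule any guessing tool applies, while a manager-generated random string has nothing to undo), here is a small password-policy check in Python; the wordlist, substitution table and minimum length are constructed for this example and are not from the article or any product it mentions.

```python
import secrets
import string

# Constructed sample wordlist; a real policy check would load a full dictionary
# and a breached-password list instead.
COMMON_WORDS = {"wireless", "password", "football", "welcome", "dropbox"}

# Substitutions a strength checker undoes before the dictionary lookup; they are
# the same substitutions that rule-based guessing tries first.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s",
            "@": "a", "7": "t", "!": "i", "+": "t"}
STRIP = string.digits + string.punctuation


def normalize(password):
    """Lowercase and undo leet substitutions, so 'Wir3Le$$' becomes 'wireless'."""
    return "".join(LEET_MAP.get(ch, ch) for ch in password.lower())


def check_password(password, min_length=12):
    """Return the reasons a password is weak; an empty list means it is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    # Compare both the fully normalized form and the form with leading/trailing
    # digits and symbols removed, so 'password1' and 'Wir3Le$$' are both caught.
    forms = {normalize(password), normalize(password.strip(STRIP))}
    if forms & COMMON_WORDS:
        problems.append("dictionary word with character substitutions")
    classes = sum(any(ch in group for ch in password) for group in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def generate_password(length=15):
    """Random password of the kind a password manager produces; retries until it
    passes check_password so the policy and the generator agree."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    for pw in ("wireless", "Wir3Le$$", "password1", "WYC2aFitRTI", generate_password()):
        print(repr(pw), check_password(pw) or "accepted")
```

Running it shows "Wir3Le$$" rejected for the same reason as "wireless", while the generated string is accepted on length, variety and dictionary grounds alike.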
Another option, if you're investing anyway, would be to standardize your company on a specific file-sharing site that you can maintain IT controls over. As mentioned, many of the free products your employees might already be using have business-focused versions for a fee that can provide additional features and better control. Choosing one of these options could be a low-hassle move for your end users.
However, another service worth looking at would be Accellion's enterprise file sync and storage solutions. Accellion was the 2011 Best of TechEd award winner in the Security category for its Accellion Secure Collaboration product. Accellion Mobile File Sharing solutions, with kitedrive sync, also focus on enterprise security. "Our focus is always on the enterprise," said Michael Ashley, product marketing manager for Accellion. "We're not a consumer company that's trying to move into the enterprise. We're actually an enterprise company that has made some of our enterprise features available to consumers for the first time."
Accellion Mobile File Sharing can be deployed on premises or in a hybrid configuration in addition to the standard cloud-based option. It supports an unlimited number of users, and features LDAP integration, as well as SharePoint connectors, so it can be a true, secure, enterprise solution. From the client side, kitedrive sync provides secure file synchronization. "It is the IT department's friend because they actually can control the deployment of kitedrive to their users, and they also have insight into the files so that they can control really what comes into and what leaves the company," Ashley said.
Perhaps the good news out of the Dropbox snafu is that it led that company to reevaluate and establish better security measures, such as two-factor authentication. Of course, the cynics will wonder why it takes a breach to get a company to implement these measures when they could be making customer data security a top priority from the start. But as Bill Carey said, "I put the onus on the consumer himself to just take that extra precaution and not rely on the third party to provide all the security." In other words, security is everyone's business.
End users often need a lot of help understanding the risks they open their company to by taking shortcuts, such as using personal file-sharing sites for corporate data and re-using passwords across multiple sites. However, if IT pros take the time, there are training methods and other solutions they could implement to help alleviate these problems. As Carey said, "As long as there are websites out there that have a lot of users' passwords and there are hackers out there, there's going to be interest in trying to hack these sites. You haven't heard the last of it -- it's only a matter of time before something else gets hacked. That's almost a guarantee."