Dropbox File Brouhaha: Use Case Is The Issue

Some were shocked by last week's revelation that Dropbox does indeed open files stored in its cloud-based file service. It's now clear that there is a very good explanation: Dropbox was automatically processing word processing files in order to provide an extra feature to users. Those who are shocked simply haven't thought through what the use case is.

Ever since cloud technology hit the streets, responsible cloud proponents have cautioned that not every use case is a good fit for the cloud. Should you put your city government's email in Gmail? The L.A. CIO said, "Yes." But should you put law enforcement email into that very same Gmail store? The LAPD chief said, "No." You can debate these particular cases endlessly, but the point is this: Not everyone is comfortable with every use case.


Those who think of Dropbox as simply a place to put documents don't understand the app, and therefore can't properly match their use case to it. Dropbox is not merely a file repository. It's built to share files easily, it's built to be competitively priced through file de-duplication and AWS storage, and it's built to make managing files convenient through a web interface that lets you do things such as restore old document versions.


A document preview doesn't make sense if you think of Dropbox as your father's G: drive, where you had to wait for IT to restore the files you bollixed up. But if you think of Dropbox as something more than that, it makes perfect sense for Dropbox to use software to process files and offer features beyond what Dad had.

But it's also important for decision makers outside of IT to understand how this processing works in order to decide whether it's a "good use case" or a "bad use case."

When Dropbox generates a preview of a .gif, it’s doing almost the exact same thing to your file that the preview of a .doc file does. Your file must be read and processed by software in order to do anything useful with it, such as generate a preview. I say “almost” the same because a .gif doesn’t contain active content — it’s a pretty simple file format that doesn’t contain complex requests. On the other hand, a .doc file can contain active content. That’s what the Honey Docs tool allowed the security researcher to do — to embed active content into the file that would be triggered upon “processing.”

Trouble was, Dropbox used existing software — LibreOffice — which allowed the active content to activate. That was not such a great decision by Dropbox; it fails the test of “least privilege, least feature,” where complexity is the enemy of security.
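One way to apply "least privilege, least feature" to the processing step described above is to gate files before they reach the preview renderer: passive formats such as .gif go through, while documents carrying active content (a VBA project in a legacy OLE .doc or an OOXML .docm) are refused. This is an added example, not Dropbox's code; the marker strings and the in-memory sample files are constructed for illustration, and the OLE check is a byte-level heuristic rather than a full parser.

```python
import io
import zipfile

# Magic bytes for the formats the article discusses: GIF, the legacy OLE2
# container used by .doc, and the zip container used by OOXML (.docx/.docm).
GIF_MAGIC = (b"GIF87a", b"GIF89a")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# OLE directory entry names are stored UTF-16LE; a VBA project lives under
# storages named "Macros" / "VBA". Heuristic only (assumption for this example).
OLE_MACRO_MARKERS = ("Macros".encode("utf-16-le"), "VBA".encode("utf-16-le"))


def classify(data: bytes) -> str:
    """Return 'passive', 'active' or 'unknown' for a file's raw bytes."""
    if data.startswith(GIF_MAGIC):
        return "passive"  # pixel data only, nothing for a renderer to execute
    if data.startswith(OLE_MAGIC):
        return "active" if any(m in data for m in OLE_MACRO_MARKERS) else "passive"
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "unknown"
        # OOXML keeps macros in a vbaProject.bin part (word/, xl/, ppt/ ...).
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "active"
        return "passive"
    return "unknown"


def allow_preview(data: bytes) -> bool:
    """Least feature: only passive files reach the renderer; unknown is refused."""
    return classify(data) == "passive"


def _ooxml(names):
    """Build a minimal zip with the given part names (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"x")
    return buf.getvalue()


# Constructed samples, not real user files.
SAMPLE_GIF = b"GIF89a" + b"\x00" * 16
SAMPLE_DOCX = _ooxml(["[Content_Types].xml", "word/document.xml"])
SAMPLE_DOCM = _ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])
SAMPLE_DOC_MACRO = OLE_MAGIC + b"\x00" * 8 + "Macros".encode("utf-16-le")
```

Such a gate reduces what the renderer is exposed to but does not replace sandboxing the renderer itself, since a document can be malformed in ways other than macros.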


Aha! So Dropbox is evil, right? Not quite. If there was a security issue with active content in your files, the very worst case scenario is that it would affect you no matter whether it lived in Dropbox or on your desktop. You can’t throw a monkey wrench into an off-premises machine and then blame the machine.

So, in general, Dropbox doing automated processing is probably fine with many use cases. But your specific use case will be your true test.

If you’re saving Fort Knox alarm system plans, Dropbox probably isn’t the place you want to store them. And, to be fair, I’m not sure that you’d want to store them using any cloud provider’s app. Perhaps in those use cases, a good IT organization might use a belt-and-suspenders approach, where staff uses on-premises software to encrypt storage prior to it being synchronized to the cloud. Or maybe that wouldn’t be secure enough either — but the manager of Fort Knox would be the one to make that call after IT explains it. The point is that talking about use cases creates a good conversation: “Here are the risks. Are the benefits of convenience and low cost worth the risks?” “Can we mitigate the risks for this use case?” And so on.

Finally, those who are anti-cloud will use this brouhaha to convince those who don’t know any better that CLOUD = BAD, and PREMISES = GOOD. The argument will go something like this: we control the installation and configuration of all software, so nothing bad will happen if we host internally. Except, despite internal IT controls, stuff happens with on-premises software a lot more often than IT organizations like to admit. For example, last year at this time, Sophos released a nasty update that created chaos for lots of large organizations.

Unless we decide to write our own software and provide our own maintenance, we’re always going to have the possibility of something bad happening that we’re not 100% in control of.

So it’s not “good cloud, bad cloud.” It’s “good use case, bad use case.” But, above all, it is about having an informed conversation about the risks and the benefits of any tool or service, regardless of where it lives.
