The DropBox Hack That Wasn’t

Dropbox is a widely used cloud-based storage platform that is now the target of security researcher scrutiny, as user data privacy is being called into question. A pair of researchers at the USENIX security conference in August released a white paper in which they describe methods for attacking Dropbox and obtaining user data. While the merit of the actual research is debatable, it raises questions about what enterprises should be doing to protect the integrity and security of data in the cloud.

While Dropbox is aware of the research, it isn’t treating it as a security risk that demands immediate attention. A Dropbox spokesperson noted in an email to eWEEK that Dropbox appreciates the contributions of security researchers and everyone who helps keep Dropbox safe. That said, Dropbox does not currently hold the view that the research presented at the USENIX conference presents a vulnerability in the Dropbox client.

Not such a big risk?

“In the case outlined there, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board,” the spokesperson said.

Although Dropbox is not raising the alarm bells about cloud storage security, others are. Willy Leichter, senior director at CipherCloud, told eWEEK that the problems with the cloud storage security model go beyond the bugs found in Dropbox’s authentication method.

“Cloud-based file sharing sites bypass most corporate security, but businesses still need to be able to inspect information leaving their networks and prevent loss of sensitive or regulated data to unauthorized outsiders,” Leichter said.

Steven Sprague, CEO of Wave Systems, told eWEEK that in his view, the fundamental problem is that Dropbox can read all of the files, for all of the customers.

“The fact that they are stored encrypted is of no value if the keys are owned by Dropbox,” Sprague said.

Geoff Webb, director of Solution Strategy at NetIQ, agrees that ownership of the encryption keys is a key consideration. Webb told eWEEK that one of the big fallacies that users make is assuming that simply because companies like Dropbox encrypt their data, that it’s somehow perfectly safe.

Who has your keys?

“So while you may be assured that data you upload to Dropbox is encrypted, you can’t be sure of who has access to the keys themselves, and if the keys are compromised, the encrypted data is no longer protected,” Webb said.

The challenge for Dropbox and indeed for anyone trying to provide a secure online cloud service is that ease of use and security are often antithetical. Matt Richards, vice president of products at open-source cloud storage vendor ownCloud, told eWEEK that it’s important to remember that security is relative: The most secure system is one that no one can access. In his opinion, that is the opposite of the Dropbox experience, which is all about ease of use.

“The question for us is more; is this model secure enough for what you want to do with it?” Richards said. “In other words, can you trust sensitive corporate data to a service designed for consumers? Pictures of that trip to Amsterdam are very different than your draft earnings statements, sales forecasts, product roadmaps or financial spreadsheets.”

Best Practices

So, what should enterprise users be doing to properly protect data in the cloud? Enterprises need to be able to protect sensitive or regulated information before it leaves the organisation, CipherCloud’s Leichter said. In his view, security models need to move beyond just securing Secure Sockets Layer (SSL) tunnels or relying on application vendor security promises to proactively preventing certain types of data from leaving the organization and/or encrypting sensitive data before it goes to the cloud.

Wave Systems’ Sprague recommends the use of independent encryption and independent provisioning of encryption keys.

“This way, the content uploaded to Dropbox can’t be read by the provider,” Sprague said.

Not coincidentally, Wave Systems enables its customers to encrypt data uploaded to the cloud through a product called scrambls. Sprague explained that to hack the scrambls system, an attacker must have access to both systems. This provides protection from internal and external attacks at either Dropbox or scrambls.

Fundamentally when it comes to putting data in the cloud, control is the key.

“Don’t put sensitive information in a cloud you don’t own and don’t control,” ownCloud’s Richards suggests. “In practice, the need for privacy/security has to be balanced with the need for access.”

The ability to integrate a cloud storage solution with existing security practices is also key to success. The ownCloud approach leverages an open-source project that can be installed on-premises or remotely, and integrated with existing IT policies and procedures.

“When you configure ownCloud, you can choose your primary storage location, add secondary storage location(s), and make those as safe as your existing enterprise storage because you control it,” Richards said.

The ownCloud storage locations could include Amazon’s S3 storage, Google or even Dropbox.

In the final analysis when it comes to cloud-based storage, Dropbox or otherwise, it’s important for enterprises to understand the risks and the limitations.

“Like most cloud services, the assumption they should make is that the user is still responsible for security,” NetIQ’s Webb said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

What do you know about Internet security? Find out with our quiz!

Originally published on eWeek.