Kevin Beaver's Security Blog

Dropbox “bug” = why the cloud cannot be blindly trusted

I’ve been ranting about “the cloud” (what a tired term) for a couple of years now. As if we haven’t seen enough examples lately of why we cannot put all our eggs in the cloud basket, here’s one more with the “code bug” that impacted Dropbox’s authentication mechanism over the weekend.

Sure, Dropbox isn’t an enterprise cloud app per se but I’ll guarantee you it’s impacting your enterprise this very moment. Think data backups, intellectual property, PII, password safes and whatever else your users are syncing across their multiple systems.

How do you explain such exposures to management or to your board when something like this happens. Do you say “Well, our cloud provider said their system was secure because they use SSL and, furthermore, have a SAS 70 Type II audit report to prove it.” or “Our legal team approved of the contract and the SLA and gave us the go-ahead.”??

I don’t know that management will ever get on board the way they need to but cloud insecurities will certainly work themselves out in the marketplace – and in the courts – and eventually get on the radar of the people that matter.

This Dropbox dilemma is a relatively small and insignificant example of what happens when you completely rely on others for information security. I’m not saying don’t use the cloud. I’m saying get your arms around the cloud before it impacts your business in a negative way. Odds are it’s going to somehow and everyone will be looking at you for a well thought out response.