Is DropBox Safe for my Network?

[Jeff Zylstra]

I keep getting notifications that Sophos application control has found and blocked DropBox in one of my user's profile storage folders on the network.   I've always been skeptical of file sharing types of programs.  Should I continue to block this application, or is it safe to allow?

[Bloody Jack Kidd]

Write up a cloud storage policy for your business and mail it out to the staff, in it establish the ground rules for use of cloud storage on business systems and from the business network if you allow BYOD. You might want to limit which services you allow, or you might not care. 

We've tried to limit it to Dropbox despite personally not being a fan of their security - I use SpiderOak myself.

The main dangers of cloud storage are: data loss - disgruntled employee can just sync your entire client list to the cloud and quit. the other thing is employees / owners having critical data in their dropbox and then getting hacked.

[Conan_Ward]

I haven't heard good things about their TOS as far as what they can do with the files stored, but i'm both not a lawyer or even read into it too heavily. It might be cause for concern with that one service, but i've got a grandfathered skydrive account so i'm not really looking at using much else for cloud storage between that and what i've got with my domain/hosting.

As someone who's heard of agencies accusing employees of data theft after they've left and the effect it has on them, i'm mostly in the boat of not really allowing anything like that without good reason (which means I'll second the plan to put a policy in place).

[Jeff Zylstra]

I think that a policy is good first step, but this guy is a special circumstance.  He's a part time employee that owns his own computer, but does connect to our network. He's got limited access to TAM in a view only mode with no report access. 

What really concerned me was the fact that Dropbox seems to require a local executable file in order to work.  Why would a website based storage system that requires a user account and password need a local executable? The first thing I think of when I see that is some kind of file sharing, which just isn't going to happen on my network.  Anyone know what that is about?

[Billy Welsh]

There is an icon in the tray that monitors the folders and the servers for synching purposes.

[Conan_Ward]

ok, with that case, does he use his computer off the network at all for personal use? If so, it could just be that it's there for his stuff and shouldn't need access while he's on the clock and when he's off the clock/network it should work fine right?

Have a local exe doesn't concern me if its like skydrive, where it creates a folder it monitors for content that it syncs between local and the cloud servers (and in skydrives case, it can provide access to all folders on the local pc if you set that up and go through multi-stage authentication).

[Hans Manhave]

If it is the person's own hardware and there is personal and office "stuff" to be dropboxed, shouldn't there be multiple dropbox setups so the personal stuff doesn't intermingle with the business stuff?

[DebAmstutz]

If it's connecting to your network, it should be your hardware with your guidelines/restrictions, period.  Doesn't matter if it's a part time employee or not.  That way, the agency calls the shots and you don't have the concern over what his personal computer equpment is or isn't doing.  Just my opinion.

[Hans Manhave]

This isn't my topic, but there are many circumstances where it could be allowed or should be allowed.  Owners, investors, special knowledge workers, etc.  I'm sure there are more reasons why that I haven't thought of.  I could see the need for dedicated workstations, but some may not be feasible.  We all would like to have so many workers that we would easily pass a SOX audit, but sometimes that just isn't feasible in practical life.

[Billy Welsh]

Jeff:

I have no idea of the cost, but if Dropbox, Skydrive, Amazon Cloud Drive, et al don't make you comfy, consider the Citrix solution.  I am drawing a blank at the moment on the official name, but they offer a file sharing portal with authentication and other options that are not as wide open as Dropbox.  Marketed to CPAs given their "trafficking" in confidential tax info but anyone can sign up.

Same concept as Dropbox but more security so not as prone to hacking.

[Jeff Golas]

Actually I just found something a few days ago called "Liquidfiles"....not too bad price-wise and pretty easy to set up.

I use Dropbox myself for random crap, but I just feel like when you hear about all these people that leave laptops around with 10,000 socials on them...that Dropbox prob has tons of content just like that.

[Gene Foraker]

Dropbox now offers a two-factor login security.   I also have this turned on for my Facebook and my Steam account.    The first time you log in from a new device, they send a verification code to your email or text to your phone.   

[Jeff Golas]

Dropbox can have a giant hardened steel masterlock on it...doesn't stop Dropbox itself from looking at the data unless you encrypt it yourself. It also has issues in regards to segregated access...supposedly if you share something with someone, you're opening it up for that person to view other stuff as well. Something along those lines, I forget the specific scenerios.

[Bloody Jack Kidd]

Dropbox and likely other vendors will definitely hand-over data if ICE search and seizures are executed (Patriot Act etc.) - SpiderOak has a Zero Knowledge Policy - they have no keys and cannot decrypt your data - it leaves your computer encrypted. It's a little more complex to use, but it's a good product.

[Billy Welsh]

Good points.  I know of some folks who are using Amazon Cloud Storage and specifically requesting that the data be stored on their Canadian servers in order to avoid Patriot Act snooping.