Slashdot Mirror


Dropbox Pursues Business Accounts, But Falls Short On Privacy Laws

deadeyefred writes "Dropbox last month launched its Teams service, targeted at small and mid-sized businesses — but acknowledges it's not PCI-, HIPAA- or Sarbanes-Oxley compliant. Company executives say they also don't provide a highly visible warning largely because customers in beta tests didn't make it an issue. Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?"

21 of 122 comments

  1. Doesn't matter by hedwards · · Score: 2

    Yes, businesses that need PCI, HIPAA or SarbOx compliance ought to be asking directly, but that's no excuse for not posting it in a prominent place.

    I'd personally be more concerned with the possibility of having some of my data clobbered if there's a collision with a hash for somebody else's file.

    1. Re:Doesn't matter by Sancho · · Score: 2

      So you're advocating not being compliant?

      Payment card data is still payment card data, even if it's encrypted. Ask any QSA. If it's at rest on a machine, there are certain requirements for that machine which encryption does not (solely) satisfy.

    2. Re:Doesn't matter by deroby · · Score: 2

      Care to explain how that would be?

      AFAIK a hash is just a (smallish) number calculated on a (largish) set of data. By sheer definition a single hash will match multiple distinct sets.
      How does encrypting a data set affect the possibility of a match with a different set?

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
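
      The hash-collision worry raised in this sub-thread (a file silently clobbered because its hash matches somebody else's upload) in an added example that is not code from the thread or from Dropbox: a content-addressed store that deduplicates on the digest alone, beside one that compares the actual bytes before treating two uploads as the same file. The digest is deliberately truncated to one byte (a constructed assumption, so a collision can be produced in a handful of tries); a real store would use the full digest, which only makes the same failure astronomically rarer, not structurally different.

```python
"""Content-addressed dedup: digest-only vs. byte-verified.

Added example. `weak_digest` is a CONSTRUCTED, deliberately tiny hash so the
collision path can be exercised; everything else is the general pattern.
"""
import hashlib
from itertools import count


def weak_digest(data: bytes) -> str:
    # CONSTRUCTED: keep only the first byte (2 hex chars) of SHA-256 so that
    # two distinct inputs collide after ~20 tries. Real systems use the full
    # digest; the logic below is unchanged either way.
    return hashlib.sha256(data).hexdigest()[:2]


class NaiveStore:
    """Dedups purely on digest: an upload whose digest already exists is
    treated as 'already stored' and its bytes are discarded."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}

    def put(self, data: bytes) -> str:
        key = weak_digest(data)
        if key not in self.blobs:      # collision => second uploader's bytes are never written
            self.blobs[key] = data
        return key

    def get(self, key: str) -> bytes:
        return self.blobs[key]


class VerifiedStore:
    """Dedups on digest as a fast path, but compares the bytes before merging.
    Colliding-but-different blobs are kept side by side under the same digest."""

    def __init__(self) -> None:
        self.blobs: dict[str, list[bytes]] = {}

    def put(self, data: bytes) -> tuple[str, int]:
        key = weak_digest(data)
        bucket = self.blobs.setdefault(key, [])
        for i, existing in enumerate(bucket):
            if existing == data:       # genuine duplicate: share the existing copy
                return (key, i)
        bucket.append(data)            # same digest, different bytes: store separately
        return (key, len(bucket) - 1)

    def get(self, ref: tuple[str, int]) -> bytes:
        key, i = ref
        return self.blobs[key][i]


def find_collision(prefix: bytes) -> tuple[bytes, bytes]:
    """Brute-force two distinct inputs with the same weak digest (constructed data)."""
    seen: dict[str, bytes] = {}
    for n in count():
        data = prefix + str(n).encode()
        d = weak_digest(data)
        if d in seen:
            return seen[d], data
        seen[d] = data


def demo() -> dict[str, bool]:
    alice, bob = find_collision(b"invoice-")   # two different files, one digest
    naive = NaiveStore()
    ka = naive.put(alice)
    kb = naive.put(bob)
    clobbered = naive.get(kb) != bob           # Bob's upload 'succeeded' but reads back Alice's file

    verified = VerifiedStore()
    ra = verified.put(alice)
    rb = verified.put(bob)
    intact = verified.get(ra) == alice and verified.get(rb) == bob
    return {"same_key": ka == kb, "naive_clobbered": clobbered, "verified_intact": intact}


if __name__ == "__main__":
    print(demo())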
    3. Re:Doesn't matter by Sancho · · Score: 4, Informative

      It's all in the PCI DSS, which you can find via Google. Generally speaking, you have to isolate the machine on which the encrypted data is stored. I believe the requirements still call for the machine to be behind a NAT firewall, to be accessed with two-factor authentication, and for passwords to adhere to certain requirements as well as be changed every 90 days. The entire system has to be documented including network diagrams (that you probably won't have from Dropbox--I doubt that a giant cloud would be sufficient, but I could be wrong.)

    4. Re:Doesn't matter by Sancho · · Score: 2, Informative

      All of which just goes to show that the whole PCI-DSS thing is more about legal ass-covering than real security

      For the merchant, it's primarily about legal ass-covering. The merchant doesn't care about his customers' credit cards. Why should he? He cares much more that a fake card isn't used in his shop. Because the merchant doesn't care about the customers' credit cards, the payment card industry has to make them care by imposing regulations and penalties.

      It forces small companies to buy products which do most of that for them. It's a cost of doing business. There's an entire industry of payment processors (think Paypal) that a small web merchant could use to avoid ever having credit cards touch their systems. The processors take a percentage (much like the bank) and the merchant raises the cost of their products accordingly.

      some of the standard security policies are dubious anyway,

      Absolutely. You'll get no argument from me. But most of them are good security practices that most businesses wouldn't even know are good practices. They absolutely should be doing them if they're going to store my credit card information.

  2. Call me old fashioned by Dunbal · · Score: 2, Insightful

    But with computers and storage being relatively cheap, and with internet access being ubiquitous, why exactly should I trust a 3rd party with my data anyway?

    --
    Seven puppies were harmed during the making of this post.

    1. Re:Call me old fashioned by assantisz · · Score: 2

      Because sometimes it can cost a lot of money to run and maintain a storage system. It doesn't stop with capital costs. There are maintenance fees and labor costs. It can be a lot cheaper to outsource these things.

    2. Re:Call me old fashioned by MatthiasF · · Score: 2

      Cheaper in the short run or long run?

      Are you factoring in legal costs from your employees suing you for having personal information spread across the Internet?

      Or possible damage to business revenue from your company's work falling into competitor's hands?

      Or almost complete loss of business when the Internet goes out?

      Methinks an entire culture inside certain IT departments is not well versed in risk aversion, instead seeking to make their lives easier at the expense of their employer.

    3. Re:Call me old fashioned by siddesu · · Score: 2

      Don't ask slashdot, ask the shareholders.

    4. Re:Call me old fashioned by 93+Escort+Wagon · · Score: 2

      Yes, that's the question for the home user! I think the business should not even think about this question. Even a small company could afford its own server for the sensitive data. RAID1/RAID10 for redundancy, Bacula for keeping older versions in case of user error, Samba or NFS support for accessing it, OpenVPN for remote connection.

      You're assuming, then, that "even a small company" should have a full time sysadmin on the payroll. Sounds like that self-hosted setup just got a lot more expensive...

      --
      #DeleteChrome

    5. Re:Call me old fashioned by black6host · · Score: 2

      Methinks an entire culture inside certain IT departments is not well versed in risk aversion, instead seeking to make their lives easier at the expense of their employer.

      Or, perhaps more likely, the scenario is: "We need this, without it we're left wide open." Management response: "It's not in the budget and what are the chances.....?"

      I've been there....

    6. Re:Call me old fashioned by Anonymous+Brave+Guy · · Score: 2

      Cheaper in the short run or long run?

      It's not about long term vs. short term, it's about scale.

      Organising IT infrastructure always incurs some level of overhead, but you can see great economies of scale when you reach a certain size. On the other hand, at a very small scale, you still need to deal with at least the basics, and that still requires a certain level of expertise and incurs a certain drain on your staff's time.

      I'm not a huge fan of outsourcing IT infrastructure. I think a lot of services you can outsource to tend to do 75% of the job for 50% of the cost, but you need at least 95% of the job before it's worth anything at all.

      Moreover, a lot of them have terms and conditions so one-sided I would describe them as abusive. For example, as far as I could tell without paying my lawyer real money, one prominent back-up service we looked at offers all sorts of ways to retrieve your data under normal circumstances, but they can decide to shut down their service without notice. In the event that they do so, they only guarantee to provide 72 hours' download time via the Internet to get any data you need back. That isn't even close to enough to download the volume of data their plans suggest they want you to trust them with, even assuming you can hold a solid connection to their servers at a time when your systems have crashed enough that you need to retrieve a back-up and every customer they've ever had is hitting their network at the same time. Many of the on-line billing services that are trendy right now have contracts you'd be crazy to sign, providing basically no guarantees of anything, while effectively locking your entire ability to take money from customers into their systems.

      That all said, given adequate security safeguards and binding robustness/reliability guarantees, I don't see a problem with off-site backups to third party services, and there are clear advantages to having that happen automatically on a regular schedule rather than relying on one of your staff to run a manual process and physically transport media to some off-site location (which you still need to find, trust, and potentially pay for, just like the on-line back-up services).

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.

    7. Re:Call me old fashioned by mark_elf · · Score: 3, Informative

      Some mook I was working for forced a team of ten of us onto dropbox last year because we weren't all in the same office and he couldn't figure out how to FTP. The dropbox advertising seemed very simple and reassuring to him. It makes sharing files easy! It was the right thing. Immediately everyone was walking around saying how they loved dropbox! It has a very simple graphic design people liked, like Apple computers and Google websites (most of the people on the team were "creative"). They even have an iPhone app!

      The first thing that happened was some other mook accidentally the entire share because he didn't need all the files, not understanding how the folders are synced. There is no "mook" permission, no permission structure at all. Just in or out.

      After that, none of us were shared with "everything" anymore, so it became a completely unmanageable mishmosh of invites. Everyone used different folder structures and ways of naming things, which you have to live with. The dumbest person on the team gets to set the SOP, which is just chaos of course. The only people who liked it were the ones who dumped files on there and didn't have to ever open them again (graphic designers). It tends to fill up your hard drive with stuff that maybe has a 20% chance of being for you. People work to these folders because they are local, not realizing or caring that everyone else has to download all their crap.

      So when everyone is in the same room, it nukes the wi-fi completely as everyone tries to sync the same garbage at the same time.

      If you do really care about a file, you have to copy it out of the dropbox folder so that someone else doesn't fuck it up. So you have to have two copies of everything. It ends up being a kind of fuzzy FTP anyway, which you have to manage, but is not manageable.

      If you understand email and FTP you don't need it. If you don't understand those things, you definitely will not understand dropbox. I learned this when someone kept asking me to just "show her where the files are".

      So to answer your question, you should trust them because they make sharing your files easier.

    8. Re:Call me old fashioned by davide+marney · · Score: 2

      I believe that this is exactly the kind of scenario that the new "team" version of Dropbox is aimed at fixing.

      --
      "We receive as friendly that which agrees with us, we resist with dislike that which opposes us" - Faraday

  3. Compliance == Smart Business by ohnocitizen · · Score: 3, Insightful

    If they are smart they will be compliant, and advertise that highly. How long until a competitor springs up who is compliant? When it comes to business needs, security is rightly a key focus. Not catering to that is ignoring the very market they want to serve.

    1. Re:Compliance == Smart Business by Shoten · · Score: 2

      Actually, no. Being compliant with PCI is tremendously expensive, and I can't imagine many business cases that would give cause for a customer to need it. So it would be incredibly stupid to spend all of that money on PCI compliance for very little return. Furthermore, you're using the word "compliant" like it means "secure," which it absolutely does not. Hannaford was compliant, and still suffered a major breach. As far as they knew, TJX was compliant; they didn't know that many of the products sold to them for POS processing cached the information in the clear, nor could they have. And in terms of other forms of compliance, there's DIACAP in the military, but nonetheless those systems get hacked fairly regularly anyways.

      And, given your argument, where do you draw the line? Why stop at PCI, HIPAA, and SOX? Why not include NERC CIP? BASEL II? FIPS? NEI? FISMA? FOIPPA? You seem to think that it's easy or cheap to just "be compliant" with each standard...it is not. It's a massive undertaking, and if you decide you want to be compliant with all of them, guess what? You're basically hamstrung as to your architecture, personnel and business model...and it sure as hell can't be hosted in a cloud by Amazon.

      --
      For your security, this post has been encrypted with ROT-13, twice.

  4. Just read the fine print by Alwin+Henseler · · Score: 2

    A business should know what it's doing and therefore not assume anything. So it should have people going over the fine print (and of course as provider, put out fine print to read).

    But depending on type of agreement & exact conditions, some of that fine print may not even be legally binding. So if it's important enough: consult a lawyer. And consider consequences of privacy breaches, regardless of legal implications.

  5. They don't need warnings. by flimflammer · · Score: 4, Insightful

    Companies should assume they are not compliant unless the company tells them they are. I don't think Dropbox should need to state that they are not compliant on their webpage, but they should be able to answer questions regarding their compliance if asked by a prospective business client.

  6. Dropped Dropbox by Bieeanda · · Score: 2, Insightful

    Seriously, if a company is going to shrug and blame something like this on a lack of beta tester vigilance, don't bother with them because you can be sure they'll pass the buck on anything that happens to your data too.

    Hell, don't deal with this particular outfit, period. I mean, how could people forget them basically turning passwords off for four hours in June?!

    1. Re:Dropped Dropbox by artor3 · · Score: 2

      They aren't "blaming this on a lack of beta tester vigilance". They're saying that in their beta tests, people didn't particularly care about these compliances, and thus they don't think that their customers will care either. They are being completely open and honest about the level of security they're providing. If it's insufficient for you, don't use their service. But don't say that nobody should use something simply because it doesn't meet your needs.

  7. get a clue by Tom · · Score: 4, Informative

    Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?

    Neither. With all of those compliance regulations, it is the job of the company to ascertain compliance. You don't assume anything - if you do, you're not compliant. You not only need to know, you need to document your knowledge.

    So really, it's a non-issue except that it means Dropbox won't be used in environments that require this kind of compliance.

    Disclaimer: I used to be SOX compliance manager. I know what I'm talking about. /. would be a much better place if people submitting stories would, too.

    --
    Assorted stuff I do sometimes: Lemuria.org