IBM's Ban on Dropbox and iCloud Highlights Cloud Security Issues
IBM has forbidden its employees from using cloud-based services such as Siri, Dropbox and iCloud, according to reports. These products (along with many others) are presenting a challenge to IT administrators who want to keep their organizations secure, as well as to consumer-software developers who suddenly need to build features with both consumers and businesses in mind.
While I'm not discounting the security concerns, we should also recognize that this is self-serving to IBM because it sells IT security consulting services.
This is a boring sig
My company deals with financial services. We are not allowed to access Dropbox either. Nothing like sharing personally identifiable client data across someone else's network. This is a violation of all sorts of laws, so yeah, it makes sense to deny employees access to shared drives outside the company's purview.
I work for a major provider of Bank software and services, and cloud services are banned here too. All data is encrypted here, and control of customer data is strictly kept.
We have a similar ban in my company (Alcatel-Lucent). Of course, I can carry out gigabytes of information on a thumb drive or the laptop I take home every night, but while I'm at work I can't connect to DropBox. I hope IBM also jams cell signals because all someone has to do is plug an LTE dongle into their laptop and they are outside the corporate firewall. This is the Maginot Line of security.
Since someone suggested Dropbox as a good place to put our disaster recovery documentation, my employer has started "raising questions" about it from a data-security perspective. After years of buying computers without floppies or optical drives, and locking down USB ports, he wonders if we ought to start blocking these services as well. He argues that with our corporate e-mail we at least have a record of it (and a chance to block it) if someone sends confidential information off-site, but not so with cloud storage. Personally, I think it's impossible to effectively secure against this without crippling legitimate business-related web access. I can think of several trivial ways to get information from a computer on our network to an outside host using just innocuous must-allow protocols, and without needing to install software on the secured machine... starting with any webmail or forum site that allows uploads of file attachments, to them newfangled "cloud drives", to setting up an FTP server that listens on port 80.
http://alternatives.rzero.com/
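The post above contrasts e-mail, where the company at least has a record of what left, with cloud storage, where it has none. An egress proxy log gives you that record if someone actually looks at it. The following is an added example, not code from the article or from any of the posters: a small Python audit over proxy log lines that flags requests to a block-list of cloud-storage domains and separates bulk uploads (large POST/PUT bodies) from mere access. The log format, the block-list, the upload threshold and the sample lines are all constructed for the example; the paths and IPs are invented.

```python
import re
from collections import defaultdict

# Hypothetical block-list for this example; the services named are the ones the thread discusses.
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "icloud.com", "skydrive.live.com", "docs.google.com")

# Bytes sent in one POST/PUT above which a request is treated as a bulk upload (arbitrary choice).
UPLOAD_THRESHOLD = 1_000_000

# Constructed sample lines in a simplified egress-proxy format invented for this example
# (not any real proxy's log format): epoch client_ip method host path status bytes_sent
SAMPLE_LOG = """\
1336608000 10.1.2.3 GET www.example-intranet.local /wiki/home 200 512
1336608011 10.1.2.3 POST api.dropbox.com /upload/q1-plan.xlsx 200 4194304
1336608020 10.1.2.7 GET dl.dropbox.com /shared/readme.txt 200 2048
this line is malformed and must be skipped
1336608033 10.1.2.9 PUT content.icloud.com /upload/hr-review.pdf 201 1048576
1336608040 10.1.2.3 POST mail.example-intranet.local /compose 200 700000
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for a line that does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = rec["host"].lower()
    return rec


def host_in_blocklist(host, domains=CLOUD_STORAGE_DOMAINS):
    """Suffix match so that api.dropbox.com and dl.dropbox.com both count as dropbox.com,
    while a look-alike such as notdropbox.com does not."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit(log_text, domains=CLOUD_STORAGE_DOMAINS, threshold=UPLOAD_THRESHOLD):
    """Return one finding per request to a blocked cloud-storage domain.

    kind is 'upload' for a POST/PUT/PATCH carrying at least `threshold` bytes (the case the
    thread worries about: data leaving with no mail-style record) and 'access' otherwise.
    Malformed lines are skipped rather than crashing the audit.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not host_in_blocklist(rec["host"], domains):
            continue
        is_upload = rec["method"] in ("POST", "PUT", "PATCH") and rec["bytes"] >= threshold
        findings.append({
            "ts": rec["ts"], "client": rec["client"], "host": rec["host"],
            "method": rec["method"], "bytes": rec["bytes"],
            "kind": "upload" if is_upload else "access",
        })
    return findings


def bytes_uploaded_per_client(findings):
    """Aggregate upload volume per client so a reviewer sees who moved the most data off-site."""
    totals = defaultdict(int)
    for f in findings:
        if f["kind"] == "upload":
            totals[f["client"]] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f['kind']:7} {f['client']:10} {f['method']:5} {f['host']} ({f['bytes']} bytes)")
    print(bytes_uploaded_per_client(results))
```

The suffix match matters: a block-list checked with a plain substring test will also match unrelated hosts, and a check against the bare domain will miss the API and download subdomains a client actually talks to. Blocking at the proxy is only as good as the assumption that traffic goes through it, which is exactly the gap the LTE-dongle and thumb-drive comments in this thread point at.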
So, they're saying not to leave possibly sensitive information in the hands of 3rd parties where they have no real way of guaranteeing security?
Not exactly rocket science, guys.
If it were my job to set data security policy I sure as hell would not let my employees use dropbox. Especially in an organization that has a hit squad of lawyers commonly known as the 'Nazgul'.
I work in IT in a (UK) hospital. We are extremely "enthusiastic" about security. We were thinking about this sort of thing some time ago and then it was decided at the top that we would ban Skydrive immediately and other clouds have been added to our list since.
This is not always well received, but this is the nice thing about policies. They apply to everyone, and the higher they come from, the less a manager can make an "exception" where they see the need.
I'll see your Constitution and raise you a Queen.
Employees oftentimes use these tools because IT does not provide their employees with good USABLE solutions. When IT's answer to everything requested by employees is SharePoint, then EEs turn to other solutions. I can Citrix in, which is a lame experience, or use something like Zoho, which is an awesome experience from a user perspective. Obviously, any solution needs to be vetted, but employees want things that work great, like many of the consumer products they use personally.
"I don't think it's selfish, to eat defenseless shellfish." -NOFX
Ironically, IBM is probably providing a lot of the hardware and software that run these farms. Of course, it still comes down to trusting another company with access to your vital information. This has been the obvious Achilles heel in "cloud computing" since day one. It's one thing to pass encrypted data through an untrusted party, but it's another thing entirely when the untrusted party is an endpoint with access to the plain text. Not only do you have to trust that the endpoint has properly implemented security, but also that every individual with access to the data has uncompromising integrity.
https://www.eff.org/https-everywhere
Anything you google or type into Bing or Yahoo is captured somewhere. Seems that they are fighting a losing war of data leakage protection.
Can anyone say IBM coming out with their own iCloud in the foreseeable future? Oh yes, we can say it.
If they hate the cloud, isn't that the opposite of what they should be doing? I've read several articles about them moving away from Siebel towards SugarCRM over the past few weeks; this totally flies in the face of them hating on the cloud. Which is it?
This is the biggest question of any "Cloud" service phrased in a PHB-friendly way. Now of course the details are a lot longer, but IBM has basically said "Let's stay inside and make sure we stay dry".
Does anybody know of a "CloudStack" that allows for a business to run a relay/inside server??
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Can someone who works for IBM care to explain how they're planning on enforcing these rules?
Sure, I could see them scanning their employees' laptops to make sure that Dropbox isn't installed, but how are they going to stop you from using iCloud or Siri on your cell phone? I know that IBM certainly didn't pay for MY cell phone or cell phone plan when I worked there, and I sure as hell wouldn't let them install their bloatware security lockdown tools on my personal property.
I hope this shames Dropbox into implementing proper client side encryption.
I like many others have become dependent on Dropbox for my work because it is so darn convenient but I know in the back of my mind that it poses a security risk. I would feel much more comfortable if everything was encrypted on my PC (and under my control) before it was transmitted.
Why is IBM the only company bright enough to notice this obvious problem? Shouldn't we all be worried about this? The cloud is just becoming another form of spyware.
I don't see why an employee would need a service like Dropbox while working for a large corporation like IBM.
They already have all kinds of Subversion, document, and content servers in-house, readily available by logging in to the VPN (securely!).
External services like Dropbox are fine for consumers whose employers don't already provide intranet "cloud" storage for data, but employees of large companies? What kind of employee shoot-myself-in-the-foot insanity would place critical corporate information on a public cloud service instead of securely within the intranet cloud?
I do not fail; I succeed at finding out what does not work.
Creating solutions is important, rather than merely complaining about the problems with public clouds. I find CloudI useful and very relevant: http://cloudi.org
This has always been the issue with the "cloud." Oh, sure, it sounds great to be able to pull up documents from wherever, to collaborate, to do all sorts of things, but if that server is hosted by an outside company, then all of your trade secrets, business plans, legal documents and briefs, personnel documents, marketing plans, and whatever confidential corporate information you have is under somebody else's control. How well do you trust the host company? How well do you trust the other companies that the host company services?
Public clouds are about as useful as Facebook. Only store things there you wouldn't mind your mother, or in the case of businesses, your competition, seeing. Private clouds are where the real benefit is at. It's not foolproof, but it is certainly more secure than relying on somebody whose server may reside in who knows what country with who knows what legal system protecting it, or not.
The first rule in securing data is preventing access. Putting data on a public network violates the first rule of securing data.
IBM has banned storing Sensitive Private Information on unencrypted storage, either locally or in the cloud. It's nearly impossible to segregate SPI / non-SPI, so it's easier to make a blanket statement that it all must be encrypted. Dropbox isn't encrypted, as well as most of the public cloud storage companies out there. The message was that if you want to use a public cloud, you need your 1st line manager approval, for which they will ask you what you want to store there, is it encrypted, and why you want to store it there (sharing with customers / business partners). We also have to encrypt all of our hard drives, as part of the new security policies. I'm not seeing how this is a big deal. It sucks, but the necessity is real.
Dropbox is a great way to sync files with co-workers, customers, and business partners. It makes version tracking among many users really neat, and instant. Very much easier than email. For what Dropbox charges, knowing that the cost of storage drops year over year and that Dropbox hasn't had any price drops lately, they should have had encryption a long time ago. Instead, Dropbox releases a neat picture plugin.
Encryption requirements are going to rule every data center in less than 6 years.
These are my views, and not the views of my employer.
BR
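Two posts in this thread make the same point from opposite ends: the earlier one wishes Dropbox encrypted everything on the PC, under the user's control, before transmission, and the IBM employee's post above says the policy is simply that anything reaching the cloud must already be encrypted. The following is an added example, not code from IBM, Dropbox or any poster, showing the shape of that arrangement: a file is wrapped into an authenticated container with a passphrase-derived key before it ever touches the sync folder, the provider's copy is checked to contain nothing searchable, and a small policy check lists anything in the sync folder that is not a container. To stay standard-library only it uses PBKDF2-HMAC-SHA256 for key derivation and HMAC-SHA256 as a PRF in counter mode for the keystream, with encrypt-then-MAC over header and ciphertext; in practice you would use AES-GCM from a vetted library instead. The container marker, field lengths, round count and the sample sync folder are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"ESYNC1"          # container marker chosen for this example
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN
PBKDF2_ROUNDS = 100_000   # slows passphrase guessing; tune upward for real use


def derive_keys(passphrase, salt):
    """Derive independent encryption and MAC keys from the passphrase (PBKDF2-HMAC-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 as a PRF in counter mode; a fresh random nonce per file keeps keystreams unique."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_for_sync(plaintext, passphrase):
    """Build the blob that goes into the sync folder: header || ciphertext || tag (encrypt-then-MAC)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    header = MAGIC + salt + nonce
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_from_sync(blob, passphrase):
    """Verify the tag before touching the ciphertext; reject a wrong passphrase or modified data."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an encrypted container")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HEADER_LEN]
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong passphrase or tampered blob")
    ciphertext = body[HEADER_LEN:]
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def decrypts_ok(blob, passphrase):
    """Convenience predicate: True if the blob authenticates and decrypts under this passphrase."""
    try:
        decrypt_from_sync(blob, passphrase)
        return True
    except ValueError:
        return False


def is_encrypted_container(blob):
    return blob.startswith(MAGIC) and len(blob) >= HEADER_LEN + TAG_LEN


def unencrypted_files(sync_folder):
    """Policy check in the spirit of the 'it all must be encrypted' rule: names of entries in the
    (constructed) name -> bytes mapping that are not encrypted containers."""
    return sorted(name for name, data in sync_folder.items() if not is_encrypted_container(data))


def provider_sees_plaintext(blob, plaintext):
    """What the storage provider could learn by simply searching the bytes it stores."""
    return plaintext in blob


if __name__ == "__main__":
    secret = b"Q1 customer list: Alice Smith, Bob Jones"   # constructed sample content
    blob = encrypt_for_sync(secret, "correct horse battery")
    print("provider can read plaintext:", provider_sees_plaintext(blob, secret))
    print("round trip ok:", decrypt_from_sync(blob, "correct horse battery") == secret)
    folder = {"plan.xlsx": b"PK\x03\x04 spreadsheet bytes", "plan.xlsx.enc": blob}
    print("policy violations:", unencrypted_files(folder))
```

Two things this layout does not solve, and which the posters' "encrypt on my PC" wish glosses over: file names, sizes and modification times still reach the provider unless the container hides them too, and sharing with customers or partners now means sharing a passphrase or a per-file key out of band, which is the part a sync service normally makes painless.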
Not remotely. Historically, IBM has never to my knowledge enforced such bans via robust technological means (not least because, as a technology company, there have always been exceptions where access to the technology is needed in order to do the job). During the quite-a-few years I worked for the company, IBM decided from time to time to ban the use of several external services (for reasons varying from security to bandwidth usage). Enforcement, though, was, to the best of my knowledge, entirely a matter of letting employees know the rules (making a breach of those rules a disciplinary issue), and relying on professional employees to get on with doing their jobs.
(I didn't exactly part company with IBM on the best of terms, and have very little love or admiration for the current higher-management - but as a company they've always had a mature and pragmatic attitude to such things, that needs to be recognised.)
Where's the story? Yeah, my company does this too. We have Google, but no Mail or Docs, no social media except LinkedIn. Etc.
But we all have phones...
You might be interested in what the new standard desktop (i.e. laptop) operating system is with Big Blue for employees that access the company's servers for support. It's not MS, although to do your work you still have to have a virtual machine with MS.
Always remember that the key lesson of Dunning and Kruger's research is not that *other* people are stupid, but that you shouldn't trust your *own* certainty so much.
I work at a small bank (assets around $1B). We have been banned from using cloud-based services like iCloud since they were .Mac. This is no surprise. However, I wonder how businesses like mine will cope with the cloud as it becomes more popular. I already wish we could use Google Docs and DropBox...but alas, we cannot.
Mr. Bond, they have a saying in Chicago: Once is happenstance. Twice is coincidence. The third time is enemy action.
These services are key to businesses operating fluidly and for internal organization to be both transparent and collaborative. Accessing files and folders from common directories saves time and storage space. My company, Infinit, is currently working on a solution that offers Dropbox-like features to individuals and organizations via an encrypted infrastructure maintained on local devices. So... same functionalities as a cloud, better UI and the security a large organization needs without ever relying on the cloud.