Slashdot Mirror


IBM's Ban on Dropbox and iCloud Highlights Cloud Security Issues

IBM has forbidden its employees from using cloud-based services such as Siri, Dropbox and iCloud, according to reports. These products (along with many others) are presenting a challenge to IT administrators who want to keep their organizations secure, as well as to consumer-software developers who suddenly need to build features with both consumers and businesses in mind.

3 of 115 comments

  1. Re:Self-Serving? by gstoddart · · Score: 5, Insightful

    we should also recognize that this is self-serving to IBM because it sells IT security consulting services

    Maybe yes, maybe no.

    But the company I work for has banned DropBox and other things for some time. The problem with "the cloud" is you really don't know where your data goes, and you can't really be guaranteed of who might be accessing it.

    So there's definitely a perception that unless you're dropping in strongly encrypted files, it's no longer secure. So depending on what it is, something like DropBox is potentially a bad idea.

    I'll use DropBox to move around stuff that isn't sensitive, but anything proprietary or confidential, I just move it via another mechanism.

    Also, since I do some occasional work for the Canadian government, I couldn't use DropBox or anything which might end up on a US server (so not even gmail) ... because under the Patriot Act, we have no guarantee that this data wouldn't become visible to American law enforcement. Which means I could be running afoul of Canadian privacy laws -- so by policy any service run by a US company, or in the cloud, is just something I can't use for work purposes.

    Sadly, this is no different than the situation in which companies like Microsoft can either be in compliance with EU data laws, or in compliance with the US Patriot Act -- but not both. From a professional perspective, the US has made themselves and many of their corporations untrusted parties -- I just assume that since the US has given themselves legal rights to snoop without disclosure, they do. So it's just easier to treat them as a hostile entity who isn't trustworthy. And, considering that EU financial and air passenger data is handed to the US, I find it hard to go against that stance.

    From a legal perspective, once something hits the cloud, you lose a lot of safeguards and access controls to it unless you implement them yourself.

    In many cases, what IBM is doing is just sound business.

    --
    Lost at C:>. Found at C.
  2. Re:Not the first or only by betterunixthanunix · · Score: 4, Insightful

    Dropbox is similarly secure if you store an encrypted container.

    This is not officially supported by Dropbox, however, and is very much ad-hoc. It also requires the user to take the time to configure such a system, unless your IT staff is going to do it for you, and even then you have the problem of users trying to use Dropbox for things that IT did not set up for them. Anything that adds hurdles to people doing their work is a potential security problem; it is easier to simply ban dropbox entirely than to have a policy that requires people to try to do things manually.

    --
    Palm trees and 8
  3. Of course, they never ask why EEs use these by mcwop · · Score: 4, Insightful

    Employees oftentimes use these tools because IT does not provide their employees with good USABLE solutions. When IT's answer to everything requested by employees is SharePoint, then EEs turn to other solutions. I can Citrix in, which is a lame experience, or use something like Zoho, which is an awesome experience from a user perspective. Obviously, any solution needs to be vetted, but employees want things that work great, like many of the consumer products they use personally.

    --

    "I don't think it's selfish, to eat defenseless shellfish." -NOFX