Slashdot Mirror


IBM's Ban on Dropbox and iCloud Highlights Cloud Security Issues

IBM has forbidden its employees from using cloud-based services such as Siri, Dropbox and iCloud, according to reports. These products (along with many others) are presenting a challenge to IT administrators who want to keep their organizations secure, as well as to consumer-software developers who suddenly need to build features with both consumers and businesses in mind.

22 of 115 comments

  1. Self-Serving? by Marillion · · Score: 4, Interesting

    While I'm not discounting the security concerns, we should also recognize that this is self-serving to IBM because it sells IT security consulting services.

    --
    This is a boring sig
    1. Re:Self-Serving? by NeutronCowboy · · Score: 5, Interesting

      Yes, of course. At the same time, what would you have them do? Not ever mention anything about potential security holes, because it could be construed as a conflict of interest?

      Here's the real question you need to ask yourself before putting anything in the cloud: do you trust them to be more competent than yourself at backing things up, providing uptime and securing the data? If you answer no to any of these questions, you have a reason to keep stuff in-house. Note: beware of Dunning-Kruger effect. If you answer yes to all three, you have no reason to keep things in-house.

      What IBM has done is to say that they can do a better job securing their data than Dropbox and iCloud. Considering the rather significant breaches that have occurred at Dropbox, and the completely unknown state of data security in iCloud, IBM is spot on with their assessment. I would only put encrypted stuff on either, or stuff where I have no problem if people are snooping through it. Want to take a gander at my weekend pictures? Knock yourself out. Want to find out what my truecrypt file is about? Good luck with that.

      --
      Those who can, do. Those who can't, sue.
    2. Re:Self-Serving? by gstoddart · · Score: 5, Insightful

      we should also recognize that this is self-serving to IBM because it sells IT security consulting services

      Maybe yes, maybe no.

      But the company I work for has banned DropBox and other things for some time. The problem with "the cloud" is you really don't know where your data goes, and you can't really be guaranteed of who might be accessing it.

      So there's definitely a perception that unless you're dropping in strongly encrypted files, it's no longer secure. So depending on what it is, something like DropBox is potentially a bad idea.

      I'll use DropBox to move around stuff that isn't sensitive, but anything proprietary or confidential, I just move it via another mechanism.

      Also, since I do some occasional work for the Canadian government, I couldn't use DropBox or anything which might end up on a US server (so not even gmail) ... because under the Patriot Act, we have no guarantee that this data wouldn't become visible to American law enforcement. Which means I could be running afoul of Canadian privacy laws -- so by policy any service run by a US company, or in the cloud, is just something I can't use for work purposes.

      Sadly, this is no different than the situation in which companies like Microsoft can either be in compliance with EU data laws, or in compliance with the US Patriot Act -- but not both. From a professional perspective, the US has made themselves and many of their corporations untrusted parties -- I just assume that since the US has given themselves legal rights to snoop without disclosure, they do. So it's just easier to treat them as a hostile entity who isn't trustworthy. And, considering that EU financial and air passenger data is handed to the US, I find it hard to go against that stance.

      From a legal perspective, once something hits the cloud, you lose a lot of safeguards and access controls to it unless you implement them yourself.

      In many cases, what IBM is doing is just sound business.

      --
      Lost at C:>. Found at C.
    3. Re:Self-Serving? by CannonballHead · · Score: 4, Informative

      How is it self-serving? Keeping your employees from using non-internal storage services for confidential data... I guess that's self-serving in the "protect your assets/intellectual property" way, but forbidding your employees from using external companies for storage of confidential data is hardly self-serving. It's right up there with making your employees password-protect and/or encrypt their work laptops... :)

    4. Re:Self-Serving? by Anonymous Coward · · Score: 3, Interesting

      I have a better question to ask. Am I paying for this, or is it free, and what do I expect of a free service? If I am paying for it, what am I paying for? Convenience or security? If I am paying for convenience it's going to cost a lot less than if I am paying for a top secure cloud experience. If I'm going to put something on the cloud, is it encrypted already, as it should be, and why am I putting important information on the cloud and not on my own company's backup server, which should be how it's done?

      I see IBM looking to bring out a high level expensive cloud service soon for their employees and for sale to corporations which is not what most cloud based services are in the business of doing right now.

    5. Re:Self-Serving? by gstoddart · · Score: 4, Informative

      Ummm. Asking a question here. What does the Patriot Act have to do with anything?

      The difference being you'd need to go to court to get a warrant, and I believe there would be a legal opportunity to be notified of this. If Canadian law enforcement accessed your data, you could legally know about it.

      The Patriot Act basically says they can demand it, with very little legal support, and it is against the law to tell someone that their data has been accessed from your servers under this request.

      So, it comes down to the US having granted themselves access to any and all data from a US owned company or US hosted server ... and made it illegal to disclose that access has happened.

      If that data access comes under the guise of secrecy and not going through the normal courts, you'll never know it happened.

      As I said, those provisions of the Patriot Act give access that concerns a lot of people ... see here.

      So, based on what I've read, and what I've been told by corporate policies ... for anybody who isn't in the US, America and American owned companies are completely untrustworthy since the law reads like it bypasses local laws when it comes to data security and privacy.

      Now, for a bit of balance the other way, I see that people are starting to say the Patriot Act isn't so intrusive and this is all blown out of proportion.

      But, until I see company and legal policies changing here in Canada, I will continue to treat data being put into a US server as a stupid idea, and I will continue to treat those entities as hostile and not trustworthy.

      Since I'm not a lawyer, and I don't have anything to gain by suddenly trusting these entities, if I stick with this, I'm in compliance with company policy. I'll just err on the side of caution -- not trusting the US government is just a bonus at this point.

      --
      Lost at C:>. Found at C.
    6. Re:Self-Serving? by mbkennel · · Score: 3, Insightful

      "Here's the real question you need to ask yourself before putting anything in the cloud: do you trust them to be more competent than yourself at backing things up, providing uptime and securing the data?"

      Generally it is, yes, yes, and yes.

      The final question: "Can you trust them to work as diligently as your employees to recover from some cock-up whose effective and immediate resolution is critical to your business?" "Or, conversely, is holding your most critical data hostage for predatory consulting rates their business model?"

  2. Not the first or only by Anonymous Coward · · Score: 5, Informative

    My company deals with financial services. We are not allowed to access Dropbox either. Nothing like sharing personally identifiable client data across someone else's network. This is a violation of all sorts of laws, so yeah, it makes sense to deny employees access to shared drives outside the company's purview.

    1. Re:Not the first or only by Hatta · · Score: 3, Informative

      Nothing like sharing personally identifiable client data across someone else's network.

      Have you ever used a VPN? Then you've done exactly that. It's just encrypted. Dropbox is similarly secure if you store an encrypted container.

      --
      Give me Classic Slashdot or give me death!
    2. Re:Not the first or only by betterunixthanunix · · Score: 4, Insightful

      Dropbox is similarly secure if you store an encrypted container.

      This is not officially supported by Dropbox, however, and is very much ad-hoc. It also requires the user to take the time to configure such a system, unless your IT staff is going to do it for you, and even then you have the problem of users trying to use Dropbox for things that IT did not set up for them. Anything that adds hurdles to people doing their work is a potential security problem; it is easier to simply ban dropbox entirely than to have a policy that requires people to try to do things manually.

      --
      Palm trees and 8
    3. Re:Not the first or only by mcwop · · Score: 2

      That is key, IT has not set up easy to use file sharing, so people turn to Dropbox. IBM should implement an official one that works well. It could be a different provider like Box, or another. But give EEs the ability to use things to do their job easier, while maintaining security.

      --
      "I don't think it's selfish, to eat defenseless shellfish." -NOFX

    4. Re:Not the first or only by Anonymous Coward · · Score: 2, Insightful

      Nothing like sharing personally identifiable client data across someone else's network.

      Have you ever used a VPN? Then you've done exactly that. It's just encrypted. Dropbox is similarly secure if you store an encrypted container.

      No, Dropbox is *nothing* like a VPN with an outsourced storage provider. And they won't ever be, unless they start signing NDAs and confidentiality agreements with companies.

    5. Re:Not the first or only by Anonymous Coward · · Score: 4, Funny

      I give my IT department a 5-star rating, too!

  3. Unrealistic by Anonymous Coward · · Score: 5, Interesting

    We have a similar ban in my company (Alcatel-Lucent). Of course, I can carry out gigabytes of information on a thumb drive or the laptop I take home every night, but while I'm at work I can't connect to DropBox. I hope IBM also jams cell signals because all someone has to do is plug an LTE dongle into their laptop and they are outside the corporate firewall. This is the Maginot Line of security.

  4. Ban the cloud? by tverbeek · · Score: 4, Interesting

    Since someone suggested Dropbox as a good place to put our disaster recovery documentation, my employer has started "raising questions" about it from a data-security perspective. After years of buying computers without floppies or optical drives, and locking down USB ports, he wonders if we ought to start blocking these services as well. He argues that with our corporate e-mail we at least have a record of it (and a chance to block it) if someone sends confidential information off-site, but not so with cloud storage. Personally, I think it's impossible to effectively secure against this without crippling legitimate business-related web access. I can think of several trivial ways to get information from a computer on our network to an outside host using just innocuous must-allow protocols, and without needing to install software on the secured machine... starting with any webmail or forum site that allows uploads of file attachments, to them newfangled "cloud drives", to setting up an FTP server that listens on port 80.

    --
    http://alternatives.rzero.com/
    1. Re:Ban the cloud? by Gilmoure · · Score: 2

      Basic connectivity to such services can be blocked and policy of no use can be published but ultimately, there's no real way to keep a trusted employee from walking out the door with a butt-load of data.

      --
      I drank what? -- Socrates
    2. Re:Ban the cloud? by bws111 · · Score: 3, Insightful

      You are missing the point. This is just part of a policy for protection of internal assets. "Don't put confidential data where outsiders can get to it" is a perfectly reasonable policy. Implementing that policy means rules like "no data on DropBox" and "no confidential data on internet-facing servers" and "no services on internet-facing servers that would allow access to the internal network". Having been informed of those rules, if information is leaked because you violated the rules, you will be held personally responsible (fired and/or sued).

      Of course it is always possible that some dope will intentionally leak information. These rules are not about that. These rules are in place so people don't make faulty assumptions about what is secure and what is not.

  5. Of course, they never ask why EEs use these by mcwop · · Score: 4, Insightful

    Employees often use these tools because IT does not provide their employees with good USABLE solutions. When IT's answer to everything requested by employees is SharePoint, then EEs turn to other solutions. I can Citrix in, which is a lame experience, or use something like Zoho, which is an awesome experience from a user perspective. Obviously, any solution needs to be vetted, but employees want things that work great, like many of the consumer products they use personally.

    --
    "I don't think it's selfish, to eat defenseless shellfish." -NOFX

    1. Re:Of course, they never ask why EEs use these by mcwop · · Score: 3, Insightful

      It has nothing to do with laziness or incompetence, lack of funding, or lack of resources, and it has nothing to do with being against productivity; it is the biases in solutions. One example is the anti-Mac thing that still exists; however, the iPhone really upset that apple-cart. However, I would say this is all changing, and cloud and consumerization of enterprise solutions is forcing the change.

      --
      "I don't think it's selfish, to eat defenseless shellfish." -NOFX

  6. Trust by StikyPad · · Score: 3, Insightful

    Ironically, IBM is probably providing a lot of the hardware and software that run these farms. Of course, it still comes down to trusting another company with access to your vital information. This has been the obvious Achilles heel in "cloud computing" since day one. It's one thing to pass encrypted data through an untrusted party, but it's another thing entirely when the untrusted party is an endpoint with access to the plain text. Not only do you have to trust that the endpoint has properly implemented security, but also that every individual with access to the data has uncompromising integrity.

    1. Re:Trust by Jesus_C_of_Nazareth · · Score: 2

      Indeed, my son. I know everything, and I don't recall IBM ever specifically endorsing Dropbox, iCloud or the other thing for enterprise use.

      --
      JC
  7. What about search engines? by hsmith · · Score: 3, Insightful

    Anything you google, or type into Bing or Yahoo, is captured somewhere. Seems that they are fighting a losing war of data leakage protection.