Dropbox, an amazing piece of software, came into the market somewhere around 2007. It has been in the limelight for the last three to four years for features like file storage, file sharing, file collaboration, and mobility (access anywhere, anytime). In simple language: do anything with your data, anytime and anywhere. Wow. I have seen many companies start using it as a cost-effective collaboration tool where multiple users work on the same files.
One of the MOST MOST user-friendly features is “Multi Platform Support”. It works on Microsoft Windows, Mac OS X, Linux, Android, iOS, BlackBerry OS, Windows Phone and web browsers.
Every technology has its own BENEFITS and RISKS.
Legal and Regulatory Risk:
Dropbox's data centers / data storage are located in some part of the world. If you are in the financial industry, or a BPO, KPO or IT/ITES services company dealing with customers' or end users' PII (Personally Identifiable Information) or Sensitive PII (SPII), you could be at serious risk if you use Dropbox for business operations or processes. A few legal concerns could be:
· Does your country's law/regulation allow you to store citizens' PII or SPII outside the country's borders?
· Have you communicated to your customer where their PII or SPII is going to be stored and how it is going to be protected?
There could be serious legal and regulatory implications if this is not taken care of.
Data Retention:
Many people believe that “delete means deleted permanently”, but they forget the backup tapes where data lies for many years.
I am 100% sure every organization has its own data retention policy based on its type of industry and its legal and regulatory requirements. The objective of a data retention policy is to flush out data (older or no longer required) from the environment completely. However, I would also like to look at this from a “risk mitigation” perspective. The moment you have flushed out data, you have mitigated your organization's risk of “intentional / unintentional leakage of information”. No organization would be happy if its data got leaked (no matter whether it is 7 or 10 years old). In the end, the data could be PII, SPII or any customer's report.
I have seen many business-level agreements where the customer wants the service provider to destroy data as soon as the engagement is over.
But the case is very different with data stored on Dropbox. Have a look at the Retention section: it indicates that Dropbox is not bound to delete/destroy your customer's data even if your engagement with the customer is over. So the RISK here is that your customer's data is still lying on Dropbox backup tapes. It further implies that they are bound only to follow their own “data retention policy”. This could lead to customer dissatisfaction and reputation loss if data gets leaked from Dropbox servers.
Accessibility:
As I said, this is the most, most user-friendly feature. But to me it is also the most, most serious “Business Information Leakage Risk”. Dropbox is available for almost every platform. You can access Dropbox from any device.
“Internal employees are the biggest threat to the organization.”
Let's take an example.
A person called Bob is a Sr. Executive managing multiple key customer accounts at XYZ Company. The company has provided Bob a laptop and a smartphone to work remotely. Because of its global business, the company has decided to use Dropbox for file sharing and collaboration.
One day Bob forgets to carry his (company-provided) smartphone, so he uses his personal smartphone to access company information stored on Dropbox.
The BIGGEST RISK is that company information has been downloaded onto a personal device without anybody's knowledge and without any traceability.
Now let's assume a case where Bob is a disgruntled employee.
The BIGGEST RISK could be that Bob can download all company information stored on Dropbox without anybody's knowledge and without any traceability. This is as good as theft of information, and it can be sold for misuse.
User Management:
Most companies have a central authentication server to grant and revoke access. If a person leaves, you can simply disable or delete their user ID on the central authentication server.
But with Dropbox this becomes cumbersome. You have to manually delete or disable access. This method is definitely prone to human error. If it is not followed, Bob would be enjoying all his access even after he is no longer part of the organization. Dropbox does have an “Events” feature that shows recent events, but if a user is only viewing information, I don't think any “Event” would be triggered.
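One way to catch the leaver whose Dropbox access was never disabled by hand is to reconcile the central directory's leaver list against the Dropbox member list on a schedule. The following is an added example, not code from the original post or from Dropbox; it assumes two constructed CSV exports with the column names shown (user/status/left_on from the directory, email/status/last_active from Dropbox):

```python
# Added example (not from the original post): reconcile a central
# directory's leaver list against a Dropbox team member export so that
# accounts nobody remembered to disable by hand are caught. Both exports
# below are constructed sample data with assumed column names.
import csv
import io
from datetime import date

DIRECTORY_EXPORT = """user,status,left_on
alice@example.com,active,
bob@example.com,disabled,2024-03-01
carol@example.com,disabled,2024-01-15
"""

DROPBOX_EXPORT = """email,status,last_active
alice@example.com,active,2024-03-10
bob@example.com,active,2024-03-08
carol@example.com,suspended,2024-01-10
dave@example.com,active,2024-03-09
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_orphans(directory_csv, dropbox_csv):
    """Return (email, reason) pairs, sorted by email, for Dropbox members
    who are still active although the central directory says otherwise."""
    directory = {r["user"]: r for r in parse_csv(directory_csv)}
    findings = []
    for member in parse_csv(dropbox_csv):
        if member["status"] != "active":
            continue  # already suspended in Dropbox: nothing to do
        email = member["email"]
        record = directory.get(email)
        if record is None:
            # Nobody in the directory owns this account: an unmanaged login
            findings.append((email, "no matching directory account"))
        elif record["status"] == "disabled":
            left = date.fromisoformat(record["left_on"])
            reason = "still active after leaving on %s" % left
            # Viewing leaves no event, so a last_active date after the
            # leaving date is the strongest signal this export gives us
            if member["last_active"]:
                used = date.fromisoformat(member["last_active"])
                if used > left:
                    reason += ", last used %s" % used
            findings.append((email, reason))
    return sorted(findings)
```

Run against the sample data it flags Bob (disabled in the directory on 2024-03-01 but still active, and used afterwards) and Dave (a Dropbox account with no directory owner at all).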
Your organization's name on Dropbox's website:
This is very clear; no further explanation is needed. But the question that arises is: “Is this acceptable to your organization? What if your customers come to know? How are customers going to react? What immediate response comes to your mind if your customer reacts negatively?” Just think….
As of now I can see these FOUR KEY RISKS; these risks also apply to other sites/services that we generally call personal storage sites.
If I have to use Dropbox, I shall use it only for sharing PUBLIC-classified information. I shall NEVER EVER put my personal contacts, personal information or any confidential information on it.
Hope this is useful.....