"There are four critical questions every enterprise and IT administrator should ask when considering file sharing services," says Adam Gordon, author of "Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)." These include: Where will the service store and share files? Who will view the files? How will the service protect the files? And, what types of files will the service permit in the storage system? If a service provider doesn't respond satisfactorily, CISOs should consider their options.
CSO decided to measure the security of Box and Dropbox using these questions. Does either meet enterprise security standards for cloud-based file sharing? Judge, dear reader, how each application stands up under scrutiny.
File storage requirements
File sharing services store data outside corporate IT where enterprises can lose control of it. Enterprises cannot ensure service up time, file availability, or even that the service will not shutdown altogether.
"This exact circumstance left customers of the Megaupload file sharing service virtually stranded, without access to files in the service's cloud environment, regardless of their legitimate and proper use of the service," says Gordon. These situations leave customers wondering who has access to their files and whether someone will delete them.
Box assures enterprise customers with an SLA guarantee of 99.9% uptime, maintaining that uptime in several ways and offering customer account credits where it fails. "First, we have a single infrastructure serving all our customers at all paid levels. We deploy the highest quality networking and services at a much bigger scale, which allows us to offer enterprise protection more efficiently," says Grant Shirk, group product marketing manager, enterprise, Box.
That infrastructure spans four geographically dispersed locations including three primary data centers. "We select colocation facilities with the highest levels of service bandwidth and disaster avoidance for these data centers," says Shirk. A fourth facility offers emergency backup storage for encrypted binaries so Box can restore from that location.
Dropbox offers uptime guarantees, but doesn't share them publicly. "We provide uptime or SLA guarantees in specific commercial contracts," says Cory Louie, Head of Trust, Safety, & Security, Dropbox. Dropbox stores customer data on Amazon S3 and mirrors encrypted file data in collocated data centers. Dropbox currently stores all customer data inside the U.S.
Who has access?
Cloud file sharing services must protect the access rights of individual accounts. But, Box enables account managers to roll employee's free accounts into the enterprise's business accounts.
"Businesses with a large number of employees who are currently using Box as free users will often formalize their relationship with Box and roll the free users into a corporate account to gain access to additional features," says Gordon. Sometimes these free users include external collaborators who are not employees. This scenario leads to a variety of undesirable complications.
A collaborator account that an enterprise should not manage could end up rolled in with the employees, according to Gordon. Collaborators can end up having their accounts managed by the enterprise without their knowledge or consent. Unauthorized people may end up sharing their data, and they may expose that data in any number of ways or delete it.
Though there was just such an incident, Box has taken measures to ensure that it will not repeat itself. "Our security and compliance teams walked through our processes for managing users and added controls to the system to ensure that this cannot happen again," says Shirk. "We added controls to make sure that no one rolls in accounts without the understanding and knowledge of both parties — the account holder and the organization."
Cloud data services such as Dropbox offer an easy portal for data theft, according to Gordon. "Companies may want to keep an especially tight leash on contractors in restricting their access to future Dropbox business accounts," says Gordon.
But Dropbox guards against inappropriate access using two-factor authentication and identity and access management tools of the customer's preference, which Dropbox integrates into its application. "We have built integrations into the leading identity providers or federated identity providers like Okta, Ping Identity, OneLogin, and Centrify. It's all standards based so we can work with any kind of IAM tool that an enterprise uses," says Ross Piper, Vice President of Enterprise Strategy, Dropbox.
How they protect your files
Box transmits files using SSL encrypted sessions and encrypts files at rest using 256-bit AES encryption, according to Shirk. Box is ISO 27001 certified and offers its SSAE 16 SOC 2, Type 2 report, which replaces SAS 70 as evidence of meeting enterprise security and compliance standards. Box is working on industry-specific frameworks such as compliance with PCI and HIPAA. Box can help companies achieve compliance with HIPAA while using its service, according to Shirk.
Dropbox supports TLS 1.0 through 1.2 and SSL v3 for data in transit. "This creates a secure tunnel that up to 256-bit encryption protects," says Louie. The encryption level depends on the level negotiated with the client. Dropbox also uses a 256-bit AES cypher for data at rest. In addition, Dropbox splits the files. "We anonymize each of those file pieces or b-file blocks with a hash value. We then encrypt those hashed file blocks separately and store the encryption keys separate from the encrypted file blocks," says Louie.
"We have a current SOC 2/type 2 report available to our customers by request," says Louie; "we're going to maintain that and be subject to audit at least on an annual basis." The Dropbox compliance roadmap also includes plans to earn the ISO 27001 2013 certification this year, according to Piper.
If an enterprise customer wants to use Dropbox in compliance with regulations such as HIPAA and FIRPA, third-party developers offer applications that work with Dropbox and some of those applications help organizations to meet those specific regulatory requirements, according to Piper.
Kinds of data permitted
Hackers could create "floating" attack staging platforms inside these file sharing services. Due to the nature of these file sharing services, says Gordon, they heavily defend customer files from the outside in, but don't examine them as carefully from the inside out.
"Specifically, due to a desire to be all things to all customers, many of these vendors follow a guiding business principle to acquire ever larger shares of the customer segments that they target by allowing almost totally unrestricted content storage within their systems. Some of that content can be highly toxic and lethal," explains Gordon.
Hackers can easily store and share malware in these systems. "Since these systems are often used without the oversight and knowledge of IT and apart from compliance functions within the enterprise, the services can bypass the most basic elements of user awareness and oversight in favor of ease-of-use and flexibility," says Gordon.
But according to Box, its various controls make floating attack platforms inside the service highly unlikely. "While Box does not restrict the kinds of files customers can upload, Box is not a live, runtime environment. Scripts and executables cannot run within the platform," says Shirk. Further, Box enables customers to run A/V scans on Box content to mitigate any potential for infection. "And, we restrict file conversion and interpretation only to known file types (.doc, .txt, .xls, etc)," says Shirk.
Dropbox, however, doesn't take as many precautions as Box does. Though Dropbox can store any file type, Dropbox users agree to not misuse the service, according to Louie. "We review reports of abuse and violations of acceptable use policies and take appropriate action when necessary," says Louie.