E-Commerce Times Talkback
Re: Dropbox Security System Doesn't Lock Down Files, Says FTC Complaint
Posted by: Rachelle Dragani 2011-05-17 11:42:56

The cloud-based storage system Dropbox is the most recent online provider to be criticized for misleading customers in terms of privacy and security, according to an FTC complaint. Dropbox deceived customers by making them believe that its employees did not have access to their data, alleges Christopher Soghoian. In Terms of Service posted on its website, Dropbox previously stated that "all files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password." However, AES256 encryption doesn't mean that files are secure, Soghoian points out.


Supplement cloud storage with asymmetric encryption and DLP
Posted by: oldsntnick 2011-05-17 15:23:33 In reply to: Rachelle Dragani
This reeks of the “cloud” security problem where data is no longer in your possession, so now you have to depend on the data being properly handled by the cloud provider. In this case, the de-dupe process requires decryption and comparison. Decryption must be done since a hash result is likely not enough to compare the data since each user’s password is different. Without decryption, the provider must store the data uniquely for each user.

I’m also quite disturbed about the lack of investigation that companies will do who move to a cloud service provider – often these providers are hiring contractors, temporary workers, incumbent workers and/or off-shoring with little security knowledge and limited background checks. Then they have rudimentary SLAs and data handling practices once your data lives in their datacenters.

For data-at-rest solutions like Dropbox, a way to improve data security could be to add a layered security element, such as transparent asymmetric encryption. With keypair-based encryption, your data is transparently encrypted to an encryption public key for data-at-rest storage on your local workstation, then “synchronized” to the cloud where it could only be decrypted using your private key (or, in a corporate-managed environment, a corporate decryption key (ADK) or other assigned key(s)).

Corporations may also be interested in using a DLP solution to prevent this kind of information from even existing in a Dropbox folder and to clearly monitor what is being “synchronized” to protect company interests.

In any case, educating customers on a multi-layer security model approach can not only distinguish internal support teams as security partners, but also vendors who provide such services; plus it goes a long way in aligning with a customer’s overall security objectives – in this case, cloud security.
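The keypair-based, layered approach described in the comment above, as an added example in Go that is not code from the original thread or from Dropbox: each file is encrypted on the workstation under a fresh content key, and that key is wrapped to the user's public key and to an assumed corporate decryption key (ADK), so the sync provider holds ciphertext only. It also shows the de-dupe point made earlier: two users sealing the same file produce different ciphertext, so the provider cannot de-duplicate without a key it does not hold. The `NewRecipient` helper, the 2048-bit key size and the envelope layout are assumptions for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Envelope: the file body under a fresh AES-256-GCM key, plus that key wrapped (RSA-OAEP)
// to each authorised public key, e.g. the user's own and a corporate decryption key (ADK).
type Envelope struct {
	Nonce, Body []byte
	WrappedKeys [][]byte
}
func NewRecipient() *rsa.PrivateKey { // demo keypair (assumption); real ones come from enrolment or a PKI
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // callers only pass 32-byte keys, so this cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}
// Seal runs on the workstation before sync: the provider gets ciphertext only, and sealing
// the same file twice never yields equal bodies, so it cannot de-duplicate without a key.
func Seal(plain []byte, recipients ...*rsa.PublicKey) (*Envelope, error) {
	rnd := make([]byte, 32+12) // fresh AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err // no usable CSPRNG: fail closed rather than encrypt weakly
	}
	key, nonce := rnd[:32], rnd[32:]
	env := &Envelope{Nonce: nonce, Body: gcmFor(key).Seal(nil, nonce, plain, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, w)
	}
	return env, nil
}
// Open recovers the file with any one recipient private key (user or ADK holder); a tampered body or nonce fails GCM authentication.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range env.WrappedKeys {
		if key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil); err == nil && len(key) == 32 {
			return gcmFor(key).Open(nil, env.Nonce, env.Body, nil)
		}
	}
	return nil, rsa.ErrDecryption
}
```

A DLP agent watching the sync folder would still see the plaintext before `Seal` runs, which is where the comment's monitoring suggestion fits.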