Date: Fri, 29 Mar 2024 08:32:58 +0000 (UTC)
Subject: Exported From Confluence
Cloud Data Storage Solutions: Dropbox Security & Privacy Considerations
Dropbox is a cloud data storage solution that Higher Education security professionals are frequently asked to evaluate for the storage and sharing of institutional data. The issues of concern are common to most cloud data storage services; however, vendor solutions and implementations vary greatly. The following outlines an evaluation of one vendor that can easily be applied to others, such as SpiderOak, box.net, Skydrive, and CrashPlan.
About Dropbox
From Dropbox: "Dropbox is a service that lets you bring all your photos, docs, and videos anywhere, and share them easily. Any file you save to your Dropbox will automatically save to all your computers, your phone, your iPad, and the Dropbox website."
Dropbox Features:
- 2 GB of Dropbox cloud storage space for free, with subscriptions up to 100 GB ($19.99 per month) available. Additional 500 Mb increments are available for each student referral.
- Work offline. Your files are available whether you have a connection or not. Files are also available from the Dropbox website, wherever you log in.
- Multi-platform. Dropbox works with Windows, Mac, Linux, iPhone, iPad, Android, and Blackberry.
- Dropbox stores your files using AES-256 encryption in the Amazon S3 service. Files are transferred from your device(s) to Dropbox using 256-bit SSL encryption (for supported devices).
- To save time and bandwidth, Dropbox only transfers the parts of a file that change.
- Share files with others by placing them in the (globally) public folder and sharing the URL, or share individual files and folders with specific Dropbox users.
- Restore all your files from the Dropbox website (e.g. after a disaster).
Considerations for Sharing Data
- Data leakage possibilities are magnified. Universities often secure individual servers, desktops, and even laptops with tools and controls. However, synchronizing sensitive data from these local environments through Dropbox greatly increases the number of devices and networks which need to be secured for any particular file, potentially including multiple mobile devices and flash storage. Now there are many more copies of the data to be protected in much less defensible positions.
- Data stored in public folders is available to the world. Dropbox works by having basically two types of folders, Public and Private. Private folders are restricted to the individual creating the folders, plus an access list of Dropbox users the creator may specify. Public folders, on the other hand, are available to anyone with the URL, can be searched (even by search engines such as Google if the URL is published) and should be considered as having no security whatsoever. It is easy to inadvertently publish files to the Dropbox public folder.
- Location of the data in the Dropbox repository is not restricted to the USA. Dropbox uses the Amazon S3 service as their data repository. Amazon has several data centers world-wide; therefore US export-restricted files should not be stored in Dropbox.
- Dropbox is a convenient place to store and share personal files. Institutional data that is of a sensitive or proprietary nature, as well as valuable intellectual property, on the other hand, may not be appropriate for storage in Dropbox, because of the potential for unintended exposure.
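One way to turn the Public-versus-Private distinction above into a routine check, as an added example that is not part of the original page and not Dropbox's own tooling: a small Python audit that walks only the Public folder of a local Dropbox tree and flags files whose contents match patterns associated with regulated data. The directory layout, the "Public" folder name, and the two patterns (a US SSN shape and a hypothetical "SID-" student identifier) are assumptions; the sample tree is constructed in a temporary directory so the script runs offline.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Patterns that suggest regulated data. Constructed and illustrative only; a
# real DLP policy would be far more thorough than two regular expressions.
SENSITIVE_PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "student_id": re.compile(r"\bSID-\d{7}\b"),  # hypothetical institutional ID format
}


def scan_file(path: Path) -> List[str]:
    """Return the names of the sensitive patterns found in a text file."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return []
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]


def audit_public_folder(dropbox_root: Path, public_name: str = "Public") -> List[Tuple[str, List[str]]]:
    """Walk <dropbox_root>/<public_name> and report files matching sensitive patterns.

    Only the Public folder is inspected: anything placed there is reachable by
    URL without authentication, which is the exposure the article describes.
    Private folders are left alone because they are limited to the owner and
    an explicit share list.
    """
    public = dropbox_root / public_name
    findings: List[Tuple[str, List[str]]] = []
    if not public.is_dir():
        return findings
    for p in sorted(public.rglob("*")):
        if p.is_file():
            hits = scan_file(p)
            if hits:
                findings.append((str(p.relative_to(dropbox_root)), hits))
    return findings


def build_sample_dropbox() -> Path:
    """Create a constructed Dropbox-like tree in a temp directory (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="dropbox_demo_"))
    (root / "Public").mkdir()
    (root / "Public" / "syllabus.txt").write_text("Course outline, no personal data.")
    (root / "Public" / "roster.csv").write_text("name,ssn\nJ. Doe,123-45-6789\n")
    (root / "Research").mkdir()
    # Sensitive, but private: not reported by the audit.
    (root / "Research" / "grant.txt").write_text("Applicant SID-0012345")
    return root


if __name__ == "__main__":
    root = build_sample_dropbox()
    for rel, hits in audit_public_folder(root):
        print(f"{rel}: {', '.join(hits)}")
```

Run against the constructed tree, the audit reports only `Public/roster.csv` (SSN pattern); the student identifier in `Research/` is private and is not listed. Pointing `audit_public_folder` at a real Dropbox directory with a scheduled task gives a user a cheap way to catch a file dropped into Public by mistake before the URL is ever shared.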
Security Concerns and Issues
- Information on the Dropbox servers is encrypted using AES, but with a common key for operational purposes, so that Dropbox administrators possessing the key can decrypt the user data in any folder. Dropbox asserts that this capability is used only by a very few administrators for support and debugging. However, any hacker uncovering the common key, or a rogue employee, could read any encrypted data. It is possible for the individual Dropbox user to encrypt files prior to placing them into Dropbox (e.g., using PGP or TrueCrypt), but this approach has not proved to be very elegant. In most cases, the entire file has to be re-encrypted, uploaded, and then synchronized with all devices each time it's changed, and there are no built-in key management capabilities.
- Although most synchronization is accomplished using SSL to protect the data during transit and to identify the device being synchronized, certain mobile downloads are accomplished in the clear without SSL protection. Anyone obtaining the URL for one of these mobile endpoint synchronization targets would be able to intercept all of the synchronized data for both public and private folders.
- Dropbox clients enable "LAN Sync" by default, adding a listening service to your local computer. Essentially, this is a peer-to-peer mechanism for syncing Dropbox files for a user with multiple Dropbox clients on the same local network, using cheap subnet bandwidth instead of 'expensive' internet bandwidth. LAN Sync runs a service on TCP port 17500 which listens for connections from anywhere in the world (unless specifically NAT'ed or firewalled) and broadcasts to the local broadcast domain on UDP 17500 looking for other Dropbox instances owned by the same user. Users accept the risk of allowing this communication to their client computers.
- There have been significant problems with how Dropbox's client configuration files behave across computers. The impact is that someone else can steal access to your files by copying your configuration database file and effectively impersonating that computer's Dropbox credentials. It is rarely obvious that this has even occurred; end users of Dropbox would have to periodically log in to the Dropbox web application to see whether the last check-in from one of their computers originated at the right IP address. By copying the config.db file from a computer running Dropbox, an attacker can access and download all of your files without any obvious signs of compromise. Normal remediation steps after a compromise, such as password rotation, system re-image, etc., will not prevent continued access to the compromised Dropbox.
- Dropbox offers third-party developers an API that allows their software to talk to Dropbox on behalf of a user, and this access can include access to everything in the user's Dropbox. These permissions are not frequently audited by many end users, and this technique provides another way for an unauthorized party to get access to data stored in a Dropbox.
- Dropbox actively examines content across users, ostensibly only for de-duplication. For example, if other Dropbox users have already uploaded the same file that you are uploading, Dropbox uses their copy without transmitting yours.
- The vendor's change management procedures and communication to their users are of concern. A program update to the Dropbox service in June disabled authentication for the site's users for several hours. Essentially, anyone could access any account without a password. Dropbox estimated the exposure affected less than one percent of their accounts (which equates to about 250,000 users). On this basis they delayed announcement and then provided only limited public notification of the incident.
- Dropbox does not require strong passwords, and does not integrate with locally provided (i.e., university directory-based) authentication services.
- These are truly personal accounts. The institution would have no ability to retrieve information from an account, transfer ownership, or close an account if the user was no longer associated with the school. This has the potential to enable continued access on the part of a terminated employee to institutional records stored with Dropbox.
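As an added example (not code from the original page), the LAN Sync point above can be turned into a detection and an inventory: given firewall log lines, report accepted TCP connections to port 17500 whose source lies outside the institution's address space (the "listens for connections from anywhere in the world" case), and list the internal hosts that advertise LAN Sync with UDP 17500 broadcasts, which tells a network team where Dropbox clients are actually running. The key=value log layout, the sample lines, and the internal address ranges are constructed for this example and do not correspond to any particular firewall product.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed firewall log lines in a simple key=value layout (not any vendor's
# real syntax). Documentation-range addresses stand in for "the internet".
SAMPLE_LOG = """\
ts=2024-03-29T08:00:01Z action=accept proto=tcp src=10.20.30.40 sport=51234 dst=10.20.30.41 dport=17500
ts=2024-03-29T08:00:05Z action=accept proto=tcp src=203.0.113.7 sport=44001 dst=10.20.30.41 dport=17500
ts=2024-03-29T08:00:09Z action=accept proto=udp src=10.20.30.40 sport=17500 dst=10.20.30.255 dport=17500
ts=2024-03-29T08:00:12Z action=accept proto=tcp src=198.51.100.9 sport=40022 dst=10.20.30.41 dport=443
ts=2024-03-29T08:00:20Z action=drop proto=tcp src=192.0.2.55 sport=33000 dst=10.20.30.41 dport=17500
"""

LAN_SYNC_PORT = 17500  # TCP listener and UDP discovery port named in the article

# Hypothetical institutional address space; anything else is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RX = re.compile(
    r"ts=(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def is_internal(addr: str) -> bool:
    """True if addr falls inside the (assumed) institutional ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed log line; returns {} for lines that do not match."""
    m = LINE_RX.match(line)
    return m.groupdict() if m else {}


def external_lan_sync_connections(log_text: str) -> List[Dict[str, str]]:
    """Accepted TCP connections to the LAN Sync port from outside internal space.

    The listener is meant for peers on the same subnet, so an accepted
    external source means the client is reachable from the internet with no
    NAT or firewall in front of it. Dropped packets are not reported: there
    the perimeter already did its job.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if (rec["action"] == "accept" and rec["proto"] == "tcp"
                and int(rec["dport"]) == LAN_SYNC_PORT
                and not is_internal(rec["src"])):
            hits.append(rec)
    return hits


def lan_sync_hosts(log_text: str) -> Set[str]:
    """Internal hosts seen sending UDP 17500 discovery traffic: an inventory of
    machines running a Dropbox client, useful when deciding where the port
    should be blocked or permitted."""
    hosts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["proto"] == "udp" and int(rec["dport"]) == LAN_SYNC_PORT
                and is_internal(rec["src"])):
            hosts.add(rec["src"])
    return hosts


if __name__ == "__main__":
    for rec in external_lan_sync_connections(SAMPLE_LOG):
        print(f"{rec['ts']} external {rec['src']} reached {rec['dst']}:{rec['dport']} (LAN Sync)")
    print("hosts advertising LAN Sync:", sorted(lan_sync_hosts(SAMPLE_LOG)))
```

On the sample lines only the 203.0.113.7 connection is reported: the 10.20.30.40 peer is internal, the dropped 192.0.2.55 attempt never reached a client, and port 443 is unrelated. The inventory function lists 10.20.30.40 as the one host broadcasting for peers. Adapting the script to a real deployment means replacing `LINE_RX` with the firewall's actual record format and `INTERNAL_NETS` with the campus ranges.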
Contractual Issues
- Compliance with institutional contractual and regulatory requirements is difficult. More and more research and other contracts specify security provisions and restrictions on where and how the data may be stored. The Patriot Act, FERPA, HIPAA, NIH, NSF, individual state identity theft acts, and many other agencies and laws include provisions for the protection of the data and even the locations where it may be stored. It would be very difficult to get these security provisions validated for a distributed Dropbox synchronized folder implementation.
- The terms of service for Dropbox are between the account owner and Dropbox. There is no opportunity to negotiate a "site license" agreement for your institution.
- Dropbox does not have a mature enterprise licensing model. Instead of an enterprise site license, Dropbox has a business solution referred to as Dropbox for Teams (a pool of licenses that can be created for a group of user accounts). This solution allows a number of users to share storage quota, as it is bound to the team and not to individual accounts. They also offer something they refer to as Dropbox Rewind, which allows for version control and rollback. This is included in the Dropbox for Teams model. Pricing for five or more "team members" starts at the annual price of $795 and includes 350 GB of shared storage. Additional users are $125 each and additional storage is $200 for 100 GB. At this time, there are no pricing tiers for higher volumes.
- Files placed into your Dropbox account remain your personal property, but Dropbox may share information collected from you. The service provides one month of history (file-level changes) in backup, any of which you can revert to and/or restore from. In addition, Dropbox states that they will not share your content with third parties for any purpose without being directed to do so by the account owner; however, this does not apply to personal information that they collect about account holders.
Recommendations
- Use of cloud data storage solutions such as Dropbox should typically be avoided for storage of high-risk institutional information: that is, a file that contains private or sensitive information, information that is covered by federal regulations, or that has a very high intellectual property value to your institution.
- On the other hand, information that is intended to be public may be safely shared using Dropbox.
- Always create a backup user account that has access to the Dropbox.
- Always ask your institution's information security officer or team to assist you in evaluating the appropriateness of using Dropbox for specific instances of institutional data storage and sharing.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).