As one of the world's most popular file-sharing platforms extends its functionality to collaborative file editing by partnering with one of the world's most popular file-editing suites, we offer some guidance on the security implications.
It has been just a few months since Dropbox and Microsoft signed a partnership agreement to integrate Dropbox file-sharing into Microsoft Office products, but it is already becoming the standard way to edit Word, Excel and PowerPoint files stored on Dropbox, especially for users of Office for iPad, which can now be linked to a Dropbox account.
Change is Inevitable
This alliance has effectively ended the debate about whether to allow file-sharing at all, porous data security notwithstanding. Companies that try to block access to file-sharing, whether technically or by policy (IBM is a well-known example), are eventually going to lose that battle. The best that most companies can do is to apply appropriate controls.
It's true that some file-sharing sites use safeguards like CAPTCHA codes and download delays, but those are anti-abuse measures, and they say nothing about whether the service delivers adequate data security. Last year, the Infosec Institute concluded that cloud-based file-sharing websites were a "data security disaster waiting to happen." And don't forget that Dropbox itself was breached back in 2012.
Risk Management Red Flags
There are many reasons why companies should be wary of using file-sharing sites, including:
- Encryption at rest is "owned" by Dropbox and similar services: they hold the master encryption key, and encryption is performed on their servers rather than on your device. Anything the provider encrypts, the provider can decrypt, and so can anyone who compromises or compels it. Only content that is encrypted on the client before upload, with keys the provider never sees, escapes this exposure.
- Most file-sharing services, Dropbox included, refuse to sign a Business Associate Agreement (BAA), which is a major obstacle in regulated industries like healthcare.
Establish Appropriate Controls
Companies that want to follow Microsoft’s lead should at the very least implement some ironclad controls over corporate file-sharing. Here’s a checklist of what those controls should encompass:
- Extensive training to alert employees to the potential dangers of consumer-style cloud storage and file-sharing
- Training employees on how to properly classify information that may be stored or shared on cloud providers
- Implementing data loss prevention (DLP) technologies that screen outbound transfers for sensitive information and block those that violate company policy
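The classification and DLP items above describe what the control should do but not what a content check looks like in practice. The script below is an added illustration written for this post; it is not code from the original article, from Dropbox, Microsoft or any DLP product. It inspects files before they are allowed into a cloud-sync folder, honours a classification marker, and pattern-matches US Social Security numbers and payment card numbers, using a Luhn check to avoid flagging arbitrary 16-digit strings. The label scheme, sharing policy, regexes and sample documents are all constructed assumptions for the example; a real deployment would plug into the sync client or a network proxy and use the organization's own rules.

```python
"""Minimal content-inspection DLP gate (added example, not from the original post)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed classification labels and whether each may leave the company.
SHARE_POLICY = {"PUBLIC": True, "INTERNAL": False, "CONFIDENTIAL": False, "RESTRICTED": False}

LABEL_RE = re.compile(r"Classification:\s*(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED)", re.I)
# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers (13-19 digits, optional space/dash separators); validated with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


@dataclass
class Finding:
    rule: str       # which rule fired
    evidence: str   # redacted excerpt, safe to log


@dataclass
class Verdict:
    path: str
    allowed: bool
    findings: List[Finding]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four digits so findings can be logged without leaking the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    label = LABEL_RE.search(text)
    if label and not SHARE_POLICY.get(label.group(1).upper(), False):
        findings.append(Finding("classification", label.group(1).upper()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", redact(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # drops order numbers and other random digit runs
            findings.append(Finding("card", redact(digits)))
    return findings


def inspect_file(path: str, content: bytes) -> Verdict:
    """Decide whether a file may enter the sync folder. Binary or encrypted blobs yield no text hits."""
    text = content.decode("utf-8", errors="ignore")
    findings = scan_text(text)
    return Verdict(path, allowed=not findings, findings=findings)


def run_gate(files: Dict[str, bytes]) -> Dict[str, Verdict]:
    return {path: inspect_file(path, data) for path, data in files.items()}


# Constructed sample files for the example (fictitious data; the card number is a public test number).
SAMPLE_FILES: Dict[str, bytes] = {
    "quarterly-press-release.txt": b"Classification: PUBLIC\nRevenue grew 12% to $4.2M in Q3.\n",
    "patient-intake.csv": b"Classification: CONFIDENTIAL\nname,ssn\nJane Doe,078-05-1120\n",
    "expense-report.txt": b"Card on file: 4111 1111 1111 1111 (exp 12/19)\n",
    "meeting-notes.txt": b"Order #1234567890123456 shipped to the Denver office.\n",
}

if __name__ == "__main__":
    for verdict in run_gate(SAMPLE_FILES).values():
        status = "ALLOW" if verdict.allowed else "BLOCK"
        rules = ", ".join(f"{f.rule}={f.evidence}" for f in verdict.findings) or "-"
        print(f"{status:5} {verdict.path:30} {rules}")
```

Run it and the press release passes, the patient file is blocked on both its label and the SSN, the expense report is blocked on the card number, and the meeting notes pass because the order number fails the Luhn check. The redacted evidence is what should reach the DLP log; the raw match never should.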
Be Savvy With Your Selection
Select cloud storage/file-sharing partners based on these criteria:
- Willingness to sign both a Non-Disclosure Agreement (NDA) and a Business Associate Agreement (BAA)
- Controls and frameworks spelled out in contracts
- Periodic review and attestation of security posture by the service provider
- Comprehensive review of the provider’s incident/breach management process
- Service provider’s willingness to incorporate the company’s own processes for incident and breach management
- Third-party review and attestation of the service provider's security posture (SOC 2 Type 2, ISO 2700x, etc.)
Since the Microsoft/Dropbox agreement, there has been a lemming-like rush by many organizations to pull down security barriers to file-sharing in order to capitalize on the productivity gains. Those companies may be heading for a cliff unless they implement comprehensive controls.
By Bob Chaput