Dropbox security row prompts private cloud rethink


Posted on Friday, September 16, 2016

Late last week news broke that cloud file storage provider Dropbox was bypassing key security features of their client operating systems. Researchers claim that these workarounds create potential OS vulnerabilities that could be exploited by cybercriminals to compromise network assets.

Fear, uncertainty and doubt reign

As details of the security “issue” began to circulate, so too did a number of rumors. Many users claimed that Dropbox stole the root administrator password, while others believed the client application “hacks” the macOS operating system.

The discovery prompted many security-conscious users to ditch the platform and migrate to equivalent services from Apple, Google and Microsoft.

A rebuttal comes too late

Dropbox has since tried to calm their users, issuing a statement designed to provide some comfort:

“Dropbox, like other apps, requires additional permissions to enable certain features and integrations. The operating system on a user's device may ask them to input their password to confirm. Dropbox never sees or receives these passwords. Reports of Dropbox spoofing interfaces, or capturing system passwords are absolutely false.”

However, this latest security headline comes hot on the heels of news that criminals stole 68 million Dropbox user account details in 2012. For many users, this latest revelation is one failure too far.

Time to re-evaluate cloud services

Dropbox are not alone in needing security workarounds and elevated permissions for their app to work – Google Chrome and the Steam gaming platform are similarly intrusive. For the risk-averse CTO, these kinds of revelations are particularly concerning.

For a long time, hosted providers have been able to trade on their customers’ belief that the cloud “just works”. But as Dropbox acknowledge, a lack of transparency on their part means that many service users have no idea exactly how well their data and systems are protected – and what vulnerabilities those services introduce to their on-site infrastructure.

For any CTO using Dropbox (or another cloud service), this latest controversy provides the perfect excuse to audit their current estate. As well as the security provisions at the provider’s data center, they need to consider any client applications, and the effect they have on endpoint security.

Time for cloud evolution?

Private and hybrid cloud deployments are accelerating, precisely because of these concerns about public cloud services. The Dropbox/Chrome dispute may be the spur your business needs to begin building an in-house equivalent that allows you to control every aspect of the service.

A suitable private cloud platform can be deployed relatively quickly and inexpensively using existing assets. Costs can be reduced further still by redeploying post-warranty hardware using a software-defined storage (SDS) platform to manage data access and allocation.

As well as giving you greater control over data sovereignty and security, this approach opens the door to a new era of in-house computing. Alternatively, an SDS platform built using legacy storage hardware could also provide the backbone for a hybrid service, allowing your team to realize the best of both scenarios.

For Dropbox, the situation is currently extremely difficult. But they have done the rest of the industry a favor by providing a security wake-up call that cannot be ignored.

For more help and advice about cloud platforms and building your own low-cost SDS infrastructure, please get in touch.