
Dropbox Pursues Business Accounts, But Falls Short On Privacy Laws

deadeyefred writes "Dropbox last month launched its Teams service, targeted at small and mid-sized businesses — but acknowledges it's not PCI-, HIPAA- or Sarbanes-Oxley compliant. Company executives say they also don't provide a highly visible warning largely because customers in beta tests didn't make it an issue. Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?"
  • Re:Doesn't matter (Score:5, Informative)

    by Sancho ( 17056 ) * on Saturday November 05, 2011 @07:25PM (#37961806) Homepage

    It's all in the PCI DSS, which you can find via Google. Generally speaking, you have to isolate the machine on which the encrypted data is stored. I believe the requirements still call for the machine to be behind a NAT firewall, to be accessed with two-factor authentication, and for passwords to adhere to certain requirements as well as be changed every 90 days. The entire system has to be documented including network diagrams (that you probably won't have from Dropbox--I doubt that a giant cloud would be sufficient, but I could be wrong.)

  • Re:Doesn't matter (Score:3, Informative)

    by Sancho ( 17056 ) * on Saturday November 05, 2011 @09:08PM (#37962454) Homepage

    All of which just goes to show that the whole PCI-DSS thing is more about legal ass-covering than real security

    For the merchant, it's primarily about legal ass-covering. The merchant doesn't care about his customer's credit cards. Why should he? He cares much more that a fake card isn't used in his shop. Because the merchant doesn't care about the customer's credit cards, the payment card industry has to make them care by imposing regulations and penalties.

    It forces small companies to buy products which do most of that for them. It's a cost of doing business. There's an entire industry of payment processors (think Paypal) that a small web merchant could use to avoid ever having credit cards touch their systems. The processors take a percentage (much like the bank) and the merchant raises the cost of their products accordingly.

    some of the standard security policies are dubious anyway,

    Absolutely. You'll get no argument from me. But most of them are good security practices that most businesses wouldn't even know are good practices. They absolutely should be doing them if they're going to store my credit card information.

  • get a clue (Score:5, Informative)

    by Tom ( 822 ) on Saturday November 05, 2011 @10:20PM (#37962756) Homepage Journal

    Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?"

    Neither. With all of those compliance regulations, it is the job of the company to ascertain compliance. You don't assume anything - if you do, you're not compliant. You not only need to know, you need to document your knowledge.

    So really, it's a non-issue except that it means Dropbox won't be used in environments that require this kind of compliance.

    Disclaimer: I used to be SOX compliance manager. I know what I'm talking about. /. would be a much better place if people submitting stories would, too.

  • by mark_elf ( 2009518 ) on Sunday November 06, 2011 @12:05AM (#37963156)

    Some mook I was working for forced a team of ten of us onto dropbox last year because we weren't all in the same office and he couldn't figure out how to FTP. The dropbox advertising seemed very simple and reassuring to him. It makes sharing files easy! It was the right thing. Immediately everyone was walking around saying how they loved dropbox! It has a very simple graphic design people liked, like Apple computers and Google websites (most of the people on the team were "creative"). They even have an iPhone app!

    The first thing that happened was some other mook accidentally the entire share because he didn't need all the files, not understanding how the folders are synced. There is no "mook" permission, no permission structure at all. Just in or out.

    After that, none of us were shared with "everything" anymore, so it became a completely unmanageable mishmosh of invites. Everyone used different folder structures and ways of naming things, which you have to live with. The dumbest person on the team gets to set the SOP, which is just chaos of course. The only people who liked it were the ones who dumped files on there and didn't have to ever open them again (graphic designers). It tends to fill up your hard drive with stuff that maybe has a 20% chance of being for you. People work to these folders because they are local, not realizing or caring that everyone else has to download all their crap.

    So when everyone is in the same room, it nukes the wi-fi completely as everyone tries to sync the same garbage at the same time.

    If you do really care about a file, you have to copy it out of the dropbox folder so that someone else doesn't fuck it up. So you have to have two copies of everything. It ends up being a kind of fuzzy FTP anyway, which you have to manage, but is not manageable.

    If you understand email and FTP you don't need it. If you don't understand those things, you definitely will not understand dropbox. I learned this when someone kept asking me to just "show her where the files are".

    So to answer your question, you should trust them because they make sharing your files easier.
