
Dropbox Pursues Business Accounts, But Falls Short On Privacy Laws

Posted by timothy
from the your-privacy-is-very-important-to-us dept.
deadeyefred writes "Dropbox last month launched its Teams service, targeted at small and mid-sized businesses — but acknowledges it's not PCI-, HIPAA- or Sarbanes-Oxley compliant. Company executives say they also don't provide a highly visible warning largely because customers in beta tests didn't make it an issue. Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?"
  • by hedwards (940851) on Saturday November 05, 2011 @05:53PM (#37961584)

    Yes, businesses that need PCI, HIPAA or SarbOx compliance ought to be directly asking, that's no excuse for not posting it in a prominent place.

    I'd personally be more concerned with the possibility of having some of my data clobbered if there's a collision with a hash for somebody else's file.

    • by gg1 (1921860)
      Just encrypt sensitive files before sending, then they will never have a match.
      • by Sancho (17056) *

        So you're advocating not being compliant?

        Payment card data is still payment card data, even if it's encrypted. Ask any QSA. If it's at rest on a machine, there are certain requirements for that machine which encryption does not (solely) satisfy.

        • by zoloto (586738)
          care to elaborate?
          • Re:Doesn't matter (Score:5, Informative)

            by Sancho (17056) * on Saturday November 05, 2011 @06:25PM (#37961806) Homepage

            It's all in the PCI DSS, which you can find via Google. Generally speaking, you have to isolate the machine on which the encrypted data is stored. I believe the requirements still call for the machine to be behind a NAT firewall, to be accessed with two-factor authentication, and for passwords to adhere to certain requirements as well as be changed every 90 days. The entire system has to be documented including network diagrams (that you probably won't have from Dropbox--I doubt that a giant cloud would be sufficient, but I could be wrong.)

            • All of which just goes to show that the whole PCI-DSS thing is more about legal ass-covering than real security. Leaving aside that some of the standard security policies are dubious anyway, if businesses really complied with the level of control you mentioned... well, most small businesses simply can't (in the sense that either they literally can't or they couldn't operate in any commercially viable way under such constraints).

              Given that the constraints on taking card payments in person in a store are vast

              • by Anonymous Coward

                Of course PCI-DSS is about covering your ass legally. That's the entire point, to legally cover your ass by being compliant with the standards set by the payment card industry. If you're not compliant and something goes wrong, get ready for some huge lawsuits. If you are compliant, get ready for some minor penalties.

                PCI-DSS compliance for a small company using a payment gateway is very simple - on the order of not storing any credit card data except the responses from the payment gateway you use. you don't

                • If you're not compliant and something goes wrong get ready for some huge lawsuits. If you are compliant, get ready for some minor penalties.

                  And if the card industry were responsible for writing the laws, that might be true. Fortunately, even they aren't yet granted the power to legislate. In my country (England), if you screw up and leak the data, no amount of protesting that you were PCI compliant is going to get you off the hook. Moreover, if you suffer from credit card fraud, no amount of complaining to the card companies about how you followed their recommended procedures is going to force them to pay you back when they point at the small p

                  • Actually, while PCI-DSS may not be law, it's so deeply ingrained in the industry that it might as well be. I mean as far as international law exists, PCI-DSS holds the distinction of actually being adhered to outside of the US. Hell, even Iran's government follows this system.

                    if you screw up and leak the data, no amount of protesting that you were PCI compliant is going to get you off the hook.

                    The law, unless I'm very mistaken, simply requires that you implement "reasonable" security measures and register with the authorities. I believe there's also a requirement that you tell the police as soon as you find out that somethin

                    • The law, unless I'm very mistaken, simply requires that you implement "reasonable" security measures and register with the authorities.

                      The law in which jurisdiction? Although, having said that, most of the major ones are similar in this respect these days.

                      The problem is what happens if "reasonable" security measures from a technical and commercial point of view conflict with the measures indicated by PCI-DSS.

                      The banks, paypal, credit card processors, even ATM centrals may give you the "OK" on a transaction, and register it, and *still* refuse to pay you the money afterwards, claiming fraudulent use of the card. There's no way to protect yourself 100% against this.

                      Actually, these days there seems to be, at least with the providers we're looking at here: on-line transactions that have been verified using 3-D Secure are considered fraud-proof and immune to chargebacks on that basis.

                      This is the thi

                    • So let me get this straight.

                      Firstly, you think Chip and PIN -- a technology widely reported to reduce in-person card fraud by up to 80% around the time of its adoption in my country -- is a theoretical benefit drummed up by academics.

                      Secondly, you believe that 3-D Secure doesn't work either, despite the fact that the card industry (whose only interest here is in effectively reducing fraud) have been pushing it heavily for several years, so much that in some cases they will accept responsibility for fraudule

              • Re: (Score:3, Informative)

                by Sancho (17056) *

                All of which just goes to show that the whole PCI-DSS thing is more about legal ass-covering than real security

                For the merchant, it's primarily about legal ass-covering. The merchant doesn't care about his customers' credit cards. Why should he? He cares much more that a fake card isn't used in his shop. Because the merchant doesn't care about the customer's credit cards, the payment card industry has to make them care by imposing regulations and penalties.

                It forces small companies to buy products which do most of that for them. It's a cost of doing business. There's an entire industry of payment processors (think Pa

                • The thing with PCI compliance is, some of the businesses having to wrestle with it AREN'T storing the credit card information in any way, shape or form on their systems. If they use a web based card processor and don't ever keep any paper copies of anything with the card info printed on it, I fail to see why it's much of an issue for them to comply with PCI regulations at all? The ways the card info might get compromised from their side of the equation, at that point, come down to things like a 3rd. party

                  • by Kalriath (849904)

                    Correct. If you don't process the card yourself (instead running it via a third party processor and you never see the card number) you qualify for the lowest level of compliance. That level of compliance is basically "don't do stupid shit". Hell, I don't even have to fill in the SAQ-A.

                  • by Sancho (17056) *

                    If their website became compromised, they could redirect to a fake payment processor to steal credit cards.

                    • On the other hand, there is nothing to stop a fraudster from setting up a completely fake web site in the first place without anyone from any legitimate merchant or card service provider even knowing about it, so any protection PCI-DSS supposedly offers against that particular kind of attack is dubious at best.

                    • by Sancho (17056) *

                      This actually seems to be an argument against any protection whatsoever.

                      Security is about layers. You protect as much as you can, and acknowledge that you can never get 100% protection. Silently hijacking a known good server gets around a lot of things--DNS, SSL, etc. Lots of warning flags that might go up with a wholly fake server won't exist.

                    • I certainly wouldn't argue for no protection whatsoever. However, security is a means to an end, and it is only worth anything if there is something valuable to secure. If you impose such a burden on whatever that valuable thing might be that it becomes impractical, you've already lost. That goes for everything from inane security policies for office networks that stop staff actually doing their jobs right through to disproportionate obligations on someone running an e-commerce site such that running the web s

                • It forces small companies to buy products which do most of that for them. It's a cost of doing business.

                  The trouble is (and I'm writing this as a guy who runs small companies, some of which need to do card processing) that most of those services suck. They are expensive, of course, but worse than that, they are horribly limited in what functionality they offer compared to a direct integration with a payment gateway. Moreover, as I mentioned in another post, they tend to come with contracts so one-sided they actually make dealing directly with the banks an appealing prospect. If you're responsible for a small

            • by jimicus (737525)

              I did some digging on this myself - either I've grossly misunderstood something or the entire payment card industry is more than a little hypocritical.

              On the one hand they'll freely advertise you can have a virtual terminal (which is a website into which you can punch people's card numbers much like a proper card machine), how it's much more convenient because you can access it from your laptop wherever you are - you're not obliged to be sitting in your office to process card payments.

              Then they'll ask you t

              • by Sancho (17056) *

                I didn't know that they advertised it like that. Yeah, that's pretty crappy.

      • by deroby (568773)

        Care to explain how that would be ?

        AFAIK a hash is just a (smallish) number calculated on a (largish) set of data. By sheer definition a single hash will match multiple distinct sets.
        How does encrypting a data-set affect the possibility of a match with a different set?

        • by hedwards (940851)

          Exactly, I can encrypt my data, but all that means is that if there is a match, which is definitely possible, I end up losing the entire volume rather than just a portion of it. Neither possibility is acceptable for a service of this type. The likelihood increases substantially when you start matching everybody's blocks to everybody else's blocks. It's unlikely that you'd have two such blocks within a particular customer's data, but when you deal with all the customers' data...

        • Encryption isn't going to change the fact that there are fewer hashes available than there are inputs; but it might actually reduce the chances of a collision in practice...

          Since most users are uninterested in storing random length-n chunks, but are interested in storing office documents and pictures and things, the expected set of inputs will probably be pretty strongly skewed in the direction of slightly-shorter-than-n-chunks with boilerplate file format required headers and/or footers. If your files a
        • by jbolden (176878)

          A Dropbox hash is about 256 bits. There are, ballpark, about as many Dropbox hashes as there are atoms in the universe. You are unlikely to hit one by chance.

      • wrong!
    • i dont trust them
    • by Anonymous Coward

      I'd personally be more concerned with the possibility of having some of my data clobbered if there's a collision with a hash for somebody else's file.

      Trust me, you have better things to be worried about than hash collisions on Dropbox. :)

      Based on my quick research, Dropbox uses the SHA-256 algorithm with 4 Mbytes chunks. Let's assume for the sake of argument that the total amount of data Dropbox stores for its users is (pinky finger!) 1 million terabytes of data.

      That would mean there are 262,144,000,000 chunks. A SHA-256 hash is 256 bits long.

      Applying the Birthday Paradox, the probability of a collision is thus:

      P = 1-EXP((-(262144000000^2))/(2*(2^256)))

      T
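The birthday-bound calculation from the comment above, as an added example that is not part of the original thread. It takes the comment's figures (SHA-256, 4 MiB chunks, one million terabytes stored) as assumptions, reproduces the chunk count and the formula P = 1 - exp(-n^2 / (2 * 2^256)), and shows why evaluating that formula literally in floating point returns exactly 0.0 while expm1 recovers the real value; it also generalizes to the inverse question of how many chunks could be stored before the collision probability reaches a chosen threshold.

```python
import math
from fractions import Fraction

# Assumptions taken from the comment above: SHA-256 chunk hashes, 4 MiB chunks,
# and one million terabytes of stored data (1 TB = 2**40 bytes, which is what
# makes the comment's figure of 262,144,000,000 chunks come out exactly).
SHA256_BITS = 256
CHUNK_BYTES = 4 * 1024 ** 2
TOTAL_BYTES = 10 ** 6 * 1024 ** 4


def chunk_count(total_bytes=TOTAL_BYTES, chunk_bytes=CHUNK_BYTES):
    """Number of fixed-size chunks needed to hold total_bytes (rounded up)."""
    return -(-total_bytes // chunk_bytes)


def collision_probability_naive(n, bits=SHA256_BITS):
    """Literal transcription of P = 1 - exp(-n^2 / (2 * 2^bits)) in doubles.

    The exponent is around 1e-55, far below double precision, so exp() rounds
    to exactly 1.0 and the subtraction collapses to 0.0. That result is a
    precision artifact, not evidence that the probability is zero.
    """
    return 1.0 - math.exp(-(n ** 2) / (2 * 2 ** bits))


def collision_probability(n, bits=SHA256_BITS):
    """Same birthday-bound approximation, evaluated without cancellation.

    The exponent is formed as an exact rational first, then -expm1(-x)
    returns 1 - e^-x accurately even when x is tiny.
    """
    x = Fraction(n * n, 2 * 2 ** bits)
    return -math.expm1(-float(x))


def log10_probability(n, bits=SHA256_BITS):
    """Order of magnitude of the approximate probability, log10(n^2 / 2^(bits+1)).

    Works even for inputs where the probability itself would underflow a double.
    """
    return 2 * math.log10(n) - (bits + 1) * math.log10(2)


def chunks_for_probability(p, bits=SHA256_BITS):
    """Inverse question: how many chunks before the collision probability hits p.

    Solves p = 1 - exp(-n^2 / (2 * 2^bits)) for n; log1p keeps the small-p
    case accurate.
    """
    return int(math.sqrt(-2 * float(2 ** bits) * math.log1p(-p)))


if __name__ == "__main__":
    n = chunk_count()
    print("chunks:", n)
    print("naive float evaluation:", collision_probability_naive(n))
    print("accurate evaluation:   ", collision_probability(n))
    print("log10(P):", log10_probability(n))
    # Chunks you could store before a 1e-18 collision chance (a constructed
    # threshold for illustration, not a figure from the comment).
    print("chunks for P = 1e-18:", chunks_for_probability(1e-18))
```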

    • by theolein (316044)

      It doesn't matter until there are legal complications. Then it matters a lot.

  • by Dunbal (464142) * on Saturday November 05, 2011 @05:57PM (#37961620)
    But with computers and storage being relatively cheap, and with internet access being ubiquitous, why exactly should I trust a 3rd party with my data anyway?
    • by Anonymous Coward

      Because when your (small or home) office burns down along with your storage (and, your offsite storage also destroyed because of the earthquake that started the fire that burned down your office), it'd be nice to have your data backed up in the cloud somewhere.

      That said, if they're not PCI compliant, there's no fucking way I'm trusting them with my credit card details.

      • Seriously? My small home/office burns, destroying my data there (along with every friggin' thing I use to work). My offsite storage (which is presumed to be in the same locale) is destroyed because the instigating incident to my data loss is a fucking earthquake....

        And you think somehow, that I will give a shit about my data.

        Pal, I'm going to be worrying about sleeping, eating and whether everyone I know is dead. Your scenario merely indicates the reach you have to use to "justify" the cloud.
        • by afabbro (33948)

          Seriously?

          Yes. And quit being an ass and think a minute.

          My small home/office burns, destroying my data there (along with every friggin' thing I use to work). My offsite storage (which is presumed to be in the same locale) is destroyed because the instigating incident to my data loss is a fucking earthquake....And you think somehow, that I will give a shit about my data. Pal, I'm going to be worrying about sleeping, eating and whether everyone I know is dead.

          Sure, for the first month. But what happens a year later when you're audited by the IRS and want a copy of your tax returns, or twenty years later when you want to show some pictures to your grandchildren? Yes, there are more important things than your data - the well-being of those you care about, your own personal shelter, income, and survival, etc. But that doesn't mean your data is unimportant.

          Your scenario merely indicates the reach you have to use to "justify" the cloud.

          Did the cloud rape your grandmother or something? It's not l

          • by raydobbs (99133)

            Odds are, if there is a disaster large enough to wipe out your office, all of your storage, all of your backups, all of the off-site backups and defeat all of your CBO plans - you're out of business. Time to call the insurance agent, notify any surviving employees, set up a mailing for your remaining clients, and see what you might be able to salvage. The IRS doesn't generally bust asses of people who have survived massive disasters like that... but if they do, they can talk to your accountant and insuranc

        • "Seriously?"

          Yes.

          "And you think somehow, that I will give a shit about my data."

          Yes. It was at 4AM and it was just a big damn fire, so nobody is injured. The first week is a nightmare, yes, but then, you recall your insurance and hire a new office and then, what? Where's your customers data, your financial records... your everything?

          Small businesses tend to undervalue how dependent they are on their data (except for the from-time-to-time cry for help from somebody "please, how can I recover my hard disk?

      • by jgtg32a (1173373)
        Get a Dropbox account and then drop a 2GB TrueCrypt volume in it, you're all good
    • by assantisz (881107)
      Because sometimes it can cost a lot of money to run and maintain a storage system. It doesn't stop with capital costs. There are maintenance fees and labor costs. It can be a lot cheaper to outsource these things.
      • Cheaper in the short run or long run?

        Are you factoring in legal costs from your employees suing you for having personal information spread across the Internet?

        Or possible damage to business revenue from your company's work falling into competitor's hands?

        Or almost complete loss of business when the Internet goes out?

        Methinks an entire culture inside of certain IT Departments are not well versed in Risk Aversion, instead seeking to make their lives easier at the expense of their employer.

        • Methinks an entire culture inside of certain IT Departments are not well versed in Risk Aversion, instead seeking to make their lives easier at the expense of their employer.

          Or, perhaps more likely, the scenario is: "We need this, without it we're left wide open." Management response: "It's not in the budget and what are the chances.....?"

          I've been there....

        • by hedwards (940851)

          Except that most of the time when data is stored it's not been through the cloud, it's because a laptop has been lost, or there was a burglary. The cloud isn't really any substantial increase in risk, if you encrypt the data before it's stored on the cloud and go through the appropriate measures to ensure that the keys are protected from unauthorized use.

          • by 0123456 (636235)

            The cloud isn't really any substantial increase in risk, if you encrypt the data before it's stored on the cloud and go through the appropriate measures to ensure that the keys are protected from unauthorized use.

            Let's suppose you upload personal data to 'The Cloud' and 'The Cloud' just happens to turn out to be a server in the EU. Suddenly you risk violating the EU data protection laws if you access that data.

            • by hedwards (940851)

              That's not just going to happen if you're doing some research. Plus, European data protection laws don't apply to people that are living in the US. The EU can't enforce a judgment against a company with no presence in the EU, no matter how much they might want to. They would have to file suit in the US, where their data protection laws don't apply. Otherwise they would end up in a situation where they have a judgment that they can't collect on, assuming that the court rules they have jurisdiction in the fir

          • At least in my limited experience, the set of people who will happily put sensitive information on Dropbox because it is simple and easy and the set of people who are implementing appropriate encryption and access control measures do not overlap very much...
            • Unfortunately, however, both groups intersect the set of people who have access to sensitive information.....

        • Cheaper in the short run or long run?

          It's not about long term vs. short term, it's about scale.

          Organising IT infrastructure always incurs some level of overhead, but you can see great economies of scale when you reach a certain size. On the other hand, at a very small scale, you still need to deal with at least the basics, and that still requires a certain level of expertise and incurs a certain drain on your staff's time.

          I'm not a huge fan of outsourcing IT infrastructure. I think a lot of services you can outsource to tend to do 75% of the j

      • by teg (97890)

        Because sometimes it can cost a lot of money to run and maintain a storage system. It doesn't stop with capital costs. There are maintenance fees and labor costs. It can be a lot cheaper to outsource these things.

        Also, a lot less risky. Small outfits are far more likely to do things wrong, not keep things updated and are certainly not doing sophisticated intrusion detection, network monitoring etc.

        Most small companies thinking that e.g. Google Apps is a security risk run a much higher risk if they do it all themselves.

    • by siddesu (698447)
      Don't ask slashdot, ask the shareholders.
    • by artor3 (1344997)

      Because you probably don't know what you're doing. Not you, specifically, but the average person who asks that question.

    • by mark_elf (2009518) on Saturday November 05, 2011 @11:05PM (#37963156)

      Some mook I was working for forced a team of ten of us onto dropbox last year because we weren't all in the same office and he couldn't figure out how to FTP. The dropbox advertising seemed very simple and reassuring to him. It makes sharing files easy! It was the right thing. Immediately everyone was walking around saying how they loved dropbox! It has a very simple graphic design people liked, like Apple computers and Google websites (most of the people on the team were "creative"). They even have an iPhone app!

      The first thing that happened was some other mook accidentally the entire share because he didn't need all the files, not understanding how the folders are synced. There is no "mook" permission, no permission structure at all. Just in or out.

      After that, none of us were shared with "everything" anymore, so it became a completely unmanageable mishmosh of invites. Everyone used different folder structures and ways of naming things, which you have to live with. The dumbest person on the team gets to set the SOP, which is just chaos of course. The only people who liked it were the ones who dumped files on there and didn't have to ever open them again (graphic designers). It tends to fill up your hard drive with stuff that maybe has a 20% chance of being for you. People work to these folders because they are local, not realizing or caring that everyone else has to download all their crap.

      So when everyone is in the same room, it nukes the wi-fi completely as everyone tries to sync the same garbage at the same time.

      If you do really care about a file, you have to copy it out of the dropbox folder so that someone else doesn't fuck it up. So you have to have two copies of everything. It ends up being a kind of fuzzy FTP anyway, which you have to manage, but is not manageable.

      If you understand email and FTP you don't need it. If you don't understand those things, you definitely will not understand dropbox. I learned this when someone kept asking me to just "show her where the files are".

      So to answer your question, you should trust them because they make sharing your files easier.

      • I believe that this is exactly the kind of scenario that the new "team" version of Dropbox is aimed at fixing.

        • No, Dropbox Teams only differs from normal accounts in one real way - shared folders only count once against the team storage. It has no permissions etc.

          Oh, and Teams accounts have been available for the past 18 months, they were just recently taken out of (a very silent) beta...

      • This about sums up my group sharing experience as well. We also considered using a wiki, but dropbox won out. Either way, the group has to agree on some kind of standard for what kinds of files are shared, directory structures, and who has write access. Otherwise, it's a huge mess.
    • by antdude (79039)

      People are lazy to set them up and rely on others to provide the services.

      If people want to use them, then have them encrypt their stuff BEFORE putting on them!

  • by ohnocitizen (1951674) on Saturday November 05, 2011 @06:05PM (#37961670)
    If they are smart they will be compliant, and advertise that highly. How long until a competitor springs up who is compliant? When it comes to business needs, security is rightly a key focus. Not catering to that is ignoring the very market they want to serve.
    • Yeah but since DropBox is essentially just a front end bolted on to Amazon's S3 service, they actually do not have all that much control over the terms of service, if Amazon's is different or they change their terms of service afterward then Dropbox is screwed.
      • by LurkerXXX (667952)

        Amazon's S3/AWS services can have apps compatible with HIPAA/PCI if the application writer wants to go through the effort, so yes, they do have that much control.

        http://aws.amazon.com/security/

        http://aws.amazon.com/s3/

        • It's not cost effective for Dropbox. They break files into 2MB chunks, stored in S3 (and at last count, had between 22-24 billion objects stored). Their efficiency is due to being able to charge several people for storing the collective chunks of data once. If they have to start saving different chunks in different locations to deal with compliance, the whole business model goes to hell.

    • by Alan Shutko (5101)

      I'm going to guess that participating in regular audits alone would cost Dropbox more than $795 per client, making compliance a loss.

    • by Ritchie70 (860516)

      I am only tangentially involved with the compliance matters where I work, but it is my general impression that it is not possible for a vendor to say they are PCI-DSS compliant.

      They can be part of a PCI-DSS compliant solution but only the entire architecture/solution can be compliant.

      I was involved with the design and implementation of our current credit/debit processing solution, and as I recall the primary software vendor was very clear that they were not saying that they were or were not PCI compliant, b

      • This is the key point. Compliance is a "systematic solution" -- a process that leverages IT architecture, coding practices, and human behavior to meet a set of standards.

      • by KDR_11k (778916)

        To me it sounds like a weakest-link type of deal and Dropbox is a very weak link when it comes to compliance.

        • by Ritchie70 (860516)

          It's really the architecture.

          For example, if a credit processing system uses Dropbox for certain types of storage, but no cardholder data is contained in that storage, and there is no way for Dropbox to be used to compromise the non-Dropbox parts of the system, then Dropbox can be used now in a PCI compliant solution.

          On the other hand, it is extremely unlikely, no matter how good the security and audit-ability of Dropbox, that a solution that involves storing cardholder data in Dropbox could ever be PCI com

    • DropBox is pursuing convenience, not compliance.

      After all, would you trust them for important data even if they did have those certifications? Hell no! I personally wouldn't. At least, not after what happened a couple of months ago. I don't think I will ever trust them for that kind of security. And I don't think anyone should trust me as a business if I started trusting them for keeping that kind of data.

      And in that sense, their recent decision is the right one. They shouldn't pretend they're something the

    • by Shoten (260439)

      Actually, no. Being compliant with PCI is tremendously expensive, and I can't imagine many business cases that would give cause for a customer to need it. So it would be incredibly stupid to spend all of that money on PCI compliance for very little return. Furthermore, you're using the word "compliant" like it means "secure," which it absolutely does not. Hannaford was compliant, and still suffered a major breach. As far as they knew, TJX was compliant; they didn't know that many of the products sold t

      • by rjstanford (69735)

        And for what it's worth, full expensive compliance certification is rare as well. Last time I checked, the threshold for needing level one compliance (at least in the service provider segment) was ~600,000 transactions per year. We go through it every year, and it's a headache, but 95% of the requirements are actually reasonable - and the other 5% aren't that big of a deal to meet, as long as your systems were designed for it. But (again, IIRC) there are only around three thousand level one service provide

  • by Weezul (52464)

    There are no cloud storage solutions that provide any measurable degree of security, except perhaps Wuala but even that's funky.

    • by icebike (68054)

      Depends on what you mean by security.

      Granted you have no control over the reliability of the physical plant the cloud operator uses.
      But as an offsite backup and transfer mechanism clouds are really quite good.

      Services like SpiderOak, https://spideroak.com/ where the cloud operator couldn't decrypt your data even with a court order provide as much protection as you can realistically expect when asking someone else to hold your data.

      • by Weezul (52464)

        I hadn't heard about SpiderOak. They're equivalent to Wuala though, reasonable sounding, but : (a) you should avoid closed source crypto software for anything important, even if you otherwise use a closed source OS like Windows or Mac OS X, and (b) their de-duplication trick might weaken their encryption and lets users verify content exists on your cloud drive, which might leave individuals open to lawsuits from the MafIAA.

        SpiderOak looks vulnerable to U.S. NSLs and maybe European subpoenas. Wuala is Swis

        • by icebike (68054)

          SUBPOENA nets them nothing when Spideroak does not have the decryption keys.
          The encryption methodology is clearly specified on the website. 2048 bit RSA and 256 bit AES.

          The de-duplication is only between your own files not other people's files.

          • by Weezul (52464)

            Umm, they could definitely be ordered to roll out a fake update using a national security letter.

            It sounds like SpiderOak uses better cryptography than Wuala though, that's nice. Are you sure the deduplication is only among your own files? Why would anyone bother implementing deduplication for individuals? Or do you mean it does some version packing? If that's true, that's noticeably better than Wuala though. Thanks!

            Btw, there is a pure open source system called Tahoe-LAFS that's kinda overkill for mo

  • A business should know what it's doing and therefore not assume anything. So it should have people going over the fine print (and of course as provider, put out fine print to read).

    But depending on type of agreement & exact conditions, some of that fine print may not even be legally binding. So if it's important enough: consult a lawyer. And consider consequences of privacy breaches, regardless of legal implications.

  • no, they should just not claim to be compliant. there are so many regulations in the world to which you can be compliant that a company who needs to be compliant just needs to *verify* that all services used are as compliant as it's needed.

  • by flimflammer (956759) on Saturday November 05, 2011 @06:36PM (#37961884)

    Companies should assume they are not compliant unless the company tells them they are. I don't think Dropbox should need to put they are not compliant on their webpage, but they should be able to answer questions regarding their compliance if asked by a prospective business client.

    • by Fjandr (66656)

      Exactly. If a business needs them to be compliant, it's a question they are obligated to ask when signing up for the service.

      Anyone who needs compliance with one of those standards should be asking, and if you don't ask you should assume they're not.

      This isn't rocket science, it's common bloody sense. People who don't have it and then do stupid things as a result deserve exactly what they get.

  • If a company requires compliance with certain information security standards, then they should be checking these things prior to signing up. If it's not clear on their website, then a quick question sent to their sales staff should clear it up. If that doesn't clear it up, then I'd be concerned just because I'm not getting decent answers from their sales staff. I tend to contact sales staff and fire a bunch of questions at them anyway, just to get an initial idea of whether their service will be any good. I
  • This is targeted at small and mid-sized businesses....

    SARBOX only applies to publicly traded companies, of which very few in this market are, and even those few will be big enough to have professional IT resources.

  • Dropped Dropbox (Score:3, Insightful)

    by Bieeanda (961632) on Saturday November 05, 2011 @06:59PM (#37962028)
    Seriously, if a company is going to shrug and blame something like this on a lack of beta tester vigilance, don't bother with them because you can be sure they'll pass the buck on anything that happens to your data too.

    Hell, don't deal with this particular outfit, period. I mean, how could people forget them basically turning passwords off for four hours [geek.com] in June?!

    • by artor3 (1344997)

      They aren't "blaming this on a lack of beta tester vigilance". They're saying that in their beta tests, people didn't particularly care about these compliances, and thus they don't think that their customers will care either. They are being completely open and honest about the level of security they're providing. If it's insufficient for you, don't use their service. But don't say that nobody should use something simply because it doesn't meet your needs.

    • by adolf (21054)

      *shrug*

      I own a small business, and I keep my stuff on Dropbox just because it's an easy way to access it no matter where I'm at, or what computer(s) I happen to have with me.

      I keep backups of the stuff I put on Dropbox (using rsync and hard links to be somewhat space-efficient about having multiple generations of them stored locally). Anything which is even slightly sensitive is encrypted.

      I could care less if the entire contents of my Dropbox account were published freely, maliciously deleted/massaged, or
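      The backup scheme described above (rsync plus hard links, so each generation is a full tree but unchanged files cost no extra space) is what rsync's --link-dest does. As an added example, not the commenter's own script, here is the same idea in Python using only the standard library, so the sharing can be checked by inode. The directory layout, generation names and file contents are constructed for the demo.

```python
"""Added example (not the commenter's script): generation backups where files
unchanged since the previous generation are hard links to the previous copy,
the way rsync --link-dest does it."""
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def make_generation(source: Path, backups: Path, name: str) -> dict:
    """Create backups/<name> as a complete snapshot of `source`.

    Files whose bytes match the newest earlier generation become hard links to
    that copy; changed or new files are copied. Returns counts of each."""
    prior = sorted(p for p in backups.iterdir() if p.is_dir()) if backups.exists() else []
    previous = prior[-1] if prior else None          # newest existing generation
    dest = backups / name
    dest.mkdir(parents=True, exist_ok=True)
    stats = {"linked": 0, "copied": 0}
    for path in source.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        old = previous / rel if previous is not None else None
        if old is not None and old.is_file() and filecmp.cmp(path, old, shallow=False):
            os.link(old, target)        # same inode as the previous generation
            stats["linked"] += 1
        else:
            shutil.copy2(path, target)  # copy data, preserve mtime and mode
            stats["copied"] += 1
    return stats


def demo() -> dict:
    """Two generations of a constructed tree: only the edited file is copied."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "work", Path(tmp) / "backups"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "invoice.txt").write_text("invoice 2011-11\n")
        (src / "notes.txt").write_text("todo\n")
        first = make_generation(src, bak, "gen-001")
        (src / "notes.txt").write_text("todo: renew hosting\n")   # change one file
        second = make_generation(src, bak, "gen-002")
        unchanged_shared = os.path.samefile(
            bak / "gen-001" / "docs" / "invoice.txt", bak / "gen-002" / "docs" / "invoice.txt")
        changed_separate = not os.path.samefile(
            bak / "gen-001" / "notes.txt", bak / "gen-002" / "notes.txt")
        return {"first": first, "second": second,
                "unchanged_shared": unchanged_shared, "changed_separate": changed_separate}


if __name__ == "__main__":
    print(demo())
```

      One caveat that applies equally to the rsync version: hard-linked generations share one copy of the data, so a file edited in place inside a backup directory changes in every generation that links to it. Treat the backup tree as read-only and restore by copying out of it.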

  • Or they can point out to the VP or other higher-ups that NO YOU CAN'T USE IT for your work, and point to a clear warning so the VP can take the fall and IT can say there was a clear warning and the VP did not read it and used it anyway.

  • SparkleShare is a free open-source Dropbox-like GUI for GIT repos. Once set up using passwordless PGP keys, non-technical users see and use SparkleShare exactly as they would DropBox, while under the hood is tried-and-true GIT source code version control. You can even set it up as PCI DSS since it only uses your own infrastructure.

    On Ubuntu I also installed Rabbit VCS which gave me a range of right-click GIT options (like check-in, merge, etc.) Seriously, I failed earlier attempts setting up either Bazaar or

    • by creepynut (933825)

      Sparkleshare looks like a really slick application but it still needs to mature. Most importantly, it doesn't run on Windows!

      So let me at least try to give it a shot:
      My Debian box - nope, not in the repositories yet. Wasn't able to get it running manually
      My Windows 7 machine - nope, no Windows version
      My Macbook Pro - nope, doesn't run on Mac OS Lion

      I'm sure these issues will be resolved in time but until they at least run on Windows they aren't going anywhere.

      • by SpzToid (869795)

        TFA discusses PCI DSS, etc. and I proposed an open-source DropBox alternative on /. SparkleShare might not yet work on Mac OSX Lion, but it does work on Mac OSX Snow Leopard (not the latest OSX version I'll grant you but still).

        Since when does being PCI DSS compliant and mass-market user-acceptance become a mutual requirement? Frankly, I find avoiding mass-market OSs and software to be strategically more secure and thus desirable for PCI DSS infrastructures. Spear-phishing is less likely to function 'techni

    • I'll use SparkleShare as soon as it uses an object storage system like OpenStack's Swift on the backend (http://openstack.org/projects/storage/). Using GIT is a hack, when they should be using something like Swift (which is meant to be API compliant with Amazon S3).

  • get a clue (Score:5, Informative)

    by Tom (822) on Saturday November 05, 2011 @09:20PM (#37962756) Homepage Journal

    Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?

    Neither. With all of those compliance regulations, it is the job of the company to ascertain compliance. You don't assume anything - if you do, you're not compliant. You not only need to know, you need to document your knowledge.

    So really, it's a non-issue except that it means Dropbox won't be used in environments that require this kind of compliance.

    Disclaimer: I used to be SOX compliance manager. I know what I'm talking about. /. would be a much better place if people submitting stories would, too.

  • Should cloud services focused at businesses provide clear warnings if they are not compliant with key regulatory requirements, or should business customers just assume they are not?

    Seriously, no matter what Dropbox does or doesn't comply with these companies should - and must, I would hope - assume they're not. How would this work for anything? Backups? SLAs? Oh, we just assumed a seven 9's uptime and continuous multiple off-site backups in secured facilities, since the company didn't prominently say anything else. If it's not in the terms, you should never assume it is part of the package. Why, pray tell, should this be anything different for regulatory compliance? I don't need regul

  • State-owned enterprises in New Zealand also have to abide by a few regulations that Dropbox Teams doesn't address. I think it's imperative that we all boycott Dropbox until all possible warnings are made prominent.

    Sarbanes-Oxley, HIPAA and PCI apply to a *tiny* subset of shareable business content globally. Welcome to the cloud. It's a big world - get used to it.

  • Their service has been shown to be less secure than normal FTP which is something that could be provided by any web service provider on the planet, so how's that for an epic fail? All that is required is for somebody to supply a similar front end to one of many secure back ends and you've got a superior service by any measure.
    Remember these are the guys that had a problem where anybody could log into anyone else's account without a password? Then they had the long standing security flaw where once you gav
  • Dropbox is about backups and disaster recovery. It's a terrific service for SMBs who are worried that important files might get damaged, corrupted, lost, or stolen. They do NOT claim to securely store, they only claim to securely communicate. You want secure storage, you have to encrypt the file that gets backed-up on Dropbox yourself.

    So, no, Dropbox is not your solution to PCI, SOX, or HIPAA. All of those standards require a whole heckuva lot more than just using a great online backup solution. The real qu

  • to use DropBox. After the last SNAFU with their TOS they don't use them anymore. DropBox is simply not to be trusted.

    They now have several terabytes of storage on their servers and some screaming fast LTO4 tape drives in three tape changers that back up everything every night, and those are shipped off site every night.

  • Why would anyone use DropBox when there is SpiderOak? Hmmm?

  • Most businesses shouldn't be retaining payment card data. Just pass it to the bank, do the transaction, and keep the last 4 digits of the credit card number for checking purposes. If you operate that way, PCI data never reaches DropBox.

    If the business does retain credit card data, usually for recurring billing, much higher levels of security are required. Those are the most vulnerable systems, the ones that are worth breaking into. Merchants that do that have to comply with a long list of tough requirem
