Forgot your password?
typodupeerror
IBM Cloud Security

IBM's Ban on Dropbox and iCloud Highlights Cloud Security Issues 115

Posted by Soulskill
from the data-sovereignty dept.
IBM has forbidden its employees from using cloud-based services such as Siri, Dropbox and iCloud, according to reports. These products (along with many others) are presenting a challenge to IT administrators who want to keep their organizations secure, as well as to consumer-software developers who suddenly need to build features with both consumers and businesses in mind.
This discussion has been archived. No new comments can be posted.

IBM's Ban on Dropbox and iCloud Highlights Cloud Security Issues

Comments Filter:
  • Self-Serving? (Score:5, Interesting)

    by Marillion (33728) <`ericbardes' `at' `gmail.com'> on Friday May 25, 2012 @12:41PM (#40110021)
    While I'm not discounting the security concerns, we should also recognize that this is self-serving to IBM because it sells IT security consulting services.
    • Re:Self-Serving? (Score:5, Interesting)

      by NeutronCowboy (896098) on Friday May 25, 2012 @12:58PM (#40110179)

      Yes, of course. At the same time, what would have them do? Not ever mention anything about potential security holes, because it could be construed as a conflict interest?

      Here's the real question you need to ask yourself before putting anything in the cloud: do you trust them to be more competent than yourself at backing things up, providing uptime and securing the data? If you answer no to any of these questions, you have a reason to keep stuff in-house. Note: beware of Dunning-Kruger effect. If you answer yes to all three, you have no reason to keep things in-house.

      What IBM has done is to say that they can do a better job securing their data than Dropbox and iCloud. Considering the rather significant breaches that have occurred at Dropbox, and the completely unknown state of data security in iCloud, IBM is spot on with their assessment. I would only put encrypted stuff on either, or stuff where I have no problem if people are snooping through it. Want to take a gander at my weekend pictures? Knock yourself out. Want to find out what my truecrypt file is about? Good luck with that.

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        I have a better question to ask. Am I paying for this or is it free and what do I expect of a free services. If I am paying for it what am I paying for? Convenience or Security, if I am paying for convenience its going to cost a lot less than if I am paying for a top secure cloud experience. If I going to put something on the cloud is it encrypted already as it should be and why am I putting important information on the cloud and not on my own companies backup server which should be how its done.

        I see IBM l

      • by Anonymous Coward

        Damn you to hell for referencing something I didn't know. An hour ago I looked up Dunning-Kruger on Wikipedia and just realized as I was reading about iridium that I had wasted my entire lunch hour.

      • Re:Self-Serving? (Score:4, Insightful)

        by mbkennel (97636) on Friday May 25, 2012 @07:03PM (#40115241)

        "Here's the real question you need to ask yourself before putting anything in the cloud: do you trust them to be more competent than yourself at backing things up, providing uptime and securing the data?"

        Generally it is, yes, yes, and yes.

        The final question: "Can you trust them to work as diligently as your employees to recover from some cock-up whose effective and immediate resolution is critical to your business?" "Or, conversely, is holding your most critical data hostage for predatory consulting rates their business model?"

    • by Anonymous Coward

      That may be, and this may have some marketing tones to it, but it is still a valid security concern.

      The list just continues to grow though ... Skype, Dropbox, Siri, Flash ... All opt in services and features, that make you less secure than if you didn't use them. Environment dependent, of course ....

      Sorry, but it's hard to argue IBM is wrong here.

      • by DJRumpy (1345787)

        Can't agree more, but any IS Security shop would have concerns about any cloud service, or the ability for employees to easily port data 'outside' of the company LAN/WAN. This is a common sense move, and speaks less about those specific services but rather more about controlling ANY data leaving the company firewalls.

        For example, Siri must convert spoken words to text for many queries, which is a concern, just as it would be a concern to allow employees access to social networks, 3rd party email services, a

    • Re:Self-Serving? (Score:5, Insightful)

      by gstoddart (321705) on Friday May 25, 2012 @01:00PM (#40110201) Homepage

      we should also recognize that this is self-serving to IBM because it sells IT security consulting services

      Maybe yes, maybe no.

      But the company I work for has banned DropBox and other things for some time. The problem with "the cloud" is you really don't know where your data goes, and you can't really be guaranteed of who might be accessing it.

      So there's definitely a perception that unless you're dropping in strongly encrypted files, it's no longer secure. So depending on what it is, something like DropBox is potentially a bad idea.

      I'll use DropBox to move around stuff that isn't sensitive, but anything proprietary or confidential, I just move it via another mechanism.

      Also, since I do some occasional work for the Canadian government, I couldn't use DropBox or anything which might end up on a US server (so not even gmail) ... because under the Patriot Act, we have no guarantee that this data wouldn't become visible to American law enforcement. Which means I could be running afoul of Canadian privacy laws -- so by policy any service ran by an US company, or in the cloud, is just something I can't use for work purposes.

      Sadly, this is no different that the situation in which companies like Microsoft can either be in compliance with EU data laws, or in compliance with US Patriot Act -- but not both. From a professional perspective, the US has made themselves and many of their corporations untrusted parties -- I just assume that since the US has given themselves legal rights to snoop without disclosure, they do. So it's just easier to treat them as a hostile entity who isn't trustworthy. And, considering that EU financial and air passenger data is handed to the US, I find it hard to go against that stance.

      From a legal perspective, once something hits the cloud, you lose a lot of safeguards and access controls to it unless you implement them yourself.

      In many cases, what IBM is doing is just sound business.

      • by Vancorps (746090)

        I'll agree with your general principle. With applications like Truecrypt out there though you can still use these services without the worry of some entity making a copy and rifling through your stuff. Just put up your truecrypt file and you get all the convenience and almost none of the worry. The only problem becomes how you send your passphrase or whether you know your passphrase from memory.

        • by gstoddart (321705)

          Just put up your truecrypt file and you get all the convenience and almost none of the worry

          From a legal perspective, I will opt to not use the cloud for work purposes. They can't crack the encryption if they don't have the files in the first place.

          In theory what you propose would probably work ... in practice, it's only theory. :-P

          I'll stick with old fashioned access-based security. especially since it would be me who would take the risk for saying "oh, well this should work". Not using the cloud is les

        • Assuming, of course, that not only is the underlying encryption algorithm that TrueCrypt uses secure (it probably is), but that the implementation is 100% bug free. Given the complexity of the code, I would hate to bet anything too important on that.

      • by Obfuscant (592200)

        ... because under the Patriot Act, we have no guarantee that this data wouldn't become visible to American law enforcement.

        Ummm. Asking a question here. What does the Patriot Act have to do with anything? Does a US citizen using a Canadian server have any guarantee that his data won't become visible to Canadian law enforcement? Do you not have search warrants in Canada? Can Canadian law enforcement not walk into a Canadian court and say "we have evidence of illegal activities on this server, we need a search warrant so we can look at everything..." and get access to whatever data I have on that server, whether or not it is il

        • Re:Self-Serving? (Score:5, Informative)

          by gstoddart (321705) on Friday May 25, 2012 @02:10PM (#40111081) Homepage

          Ummm. Asking a question here. What does the Patriot Act have to do with anything?

          The difference being you'd need to go to court to get a warrant, and I believe there would be a legal opportunity to be notified of this. If Canadian law enforcement accessed your data, you could legally know about it.

          The Patriot Act basically says they can demand it, with very little legal support, and it is against the law to tell someone that their data has been accessed from your servers under this request.

          So, it comes down to the US having granted themselves access to any and all data from a US owned company or US hosted server ... and made it illegal to disclose that access has happened.

          If that data access comes under the guise of secrecy and not going through the normal courts, you'll never know it happened.

          As I said, those provisions of the Patriot Act give access that concerns a lot of people ... see here [zdnet.com].

          So, based on what I've read, and what I've been told by corporate policies ... for anybody who isn't in the US, America and American owned companies are completely untrustworthy since the law reads like it bypasses local laws when it comes to data security and privacy.

          Now, for a bit of balance the other way, I see that people are starting to say the Patriot Act isn't so intrusive [pcworld.com] and this is all blown out of proportion.

          But, until I see company and legal policies changing here in Canada, I will continue to treat data being put into a US server as a stupid idea, and I will continue to treat those entities as hostile and not trustworthy.

          Since I'm not a lawyer, and I don't have anything to gain by suddenly trusting these entities, if I stick with this, I'm in compliance with company policy. I'll just err on the side of caution -- not trusting the US government is just a bonus at this point.

          • by Obfuscant (592200)

            If Canadian law enforcement accessed your data, you could legally know about it.

            After it happened. If you disclose to your target that you are seeking a search warrant, especially for a computer that can be accessed remotely, they'll just delete anything they don't want you to see. Much better to be charged with obstruction than posessing CP, isn't it?

            But in neither country is there any guarantee that law enforcement will not have access to your data. Your only point is that in the US they won't tell you that they have gotten access, but that doesn't change the fact that they've acce

        • by Anonymous Coward

          Canadian law enforcement certainly can obtain data from servers, however the following has to be met:

          A warrant is required. The filing of the warrant also requires a limitation to what is being searched, and how the data is to be destroyed after use (or, at the very least, the retention policy).

          The US Patriot Act (as far as I can tell - I'm a dipshit Canadian) simply allows the FBI to request access to any (or all) electronic records without oversight. The mention of receiving a national security letter i

          • by Obfuscant (592200)

            The US Patriot Act (as far as I can tell - I'm a dipshit Canadian) simply allows the FBI to request access to any (or all) electronic records without oversight. The mention of receiving a national security letter is illegal, while the warrant process has a paper trail and full disclosure to what was being searched.

            According to the fount of all knowledge, the venerable Wikipedia, the NSL part of the Patriot Act was ruled by a court as unconstitutional and the amended version was also struck down.

            The PIPEDA act in Canada has very strong personal protections in place, and isn't a joke act.

            That may be, but it has no standing in any country outside Canada. If your fear of loss of data control is based on the foreign county not obeying PIPEDA, then you must fear them all, not just the US. The Patriot Act has no relevance to whether PIPEDA is obeyed in the US or not.

            This appears to be more scare mongering trying

            • by sl149q (1537343)

              Our Canadian laws don't prevent access from any legitimate law enforcement agency, including US or any others.

              It DOES say that such access MUST BE granted by a Canadian court. If the FBI or anyone else wants to look at my Canadian data stored on a Canadian server then they can go through the appropriate process in a Canadian court.

              This makes sense, as presumably if I'm located in Canada then I am subject to the Laws of Canada and not of any other country. You want me you need to convince a Canadian court th

            • Most of the civilised world has rough analogues of PIPEDA, such as the EU Data Protection Directive. If your data is hosted in companies with similar laws to yours with respect to access, it is less important if the wording is exactly the same. It's only when you host it in a company that has no equivalent and does have laws that directly contradict the ideas of these laws that it becomes a problem.
        • by sl149q (1537343)

          The point is that if Canadian data is stored on a US server then US law enforcement can access it.

          The opposite is also true for US data stored on a Canadian server, it can be accessed by Canadian law enforcement.

          I'll note that a) not many services have data farms in Canada and b) Canadian laws make it slightly harder.

          The end result is that if you have data that must be stored and be accessible ONLY under Canadian privacy laws (i.e. safe from US law enforcement eyes, e.g. personal data stored by government o

    • by Anonymous Coward

      You can view the announcement as self-serving, but to be fair, the ban is for their employees. I'm sure many other workplaces have policies on what data (if any) can be uploaded to which clouds (if any).

    • Re:Self-Serving? (Score:5, Informative)

      by CannonballHead (842625) on Friday May 25, 2012 @01:12PM (#40110323)
      How is it self-serving? Keeping your employees from using non-internal storage services for confidential data... I guess that's self-serving in the "protect your assets/intellectual property" way, but forbidding your employees from using external companies for storage of confidential data is hardly self-serving. It's right up there with making your employees password and/or encrypt their work laptops... :)
    • Now that IBM is making a stand I am sure a lot of other venders will start making a stand.
  • by Anonymous Coward on Friday May 25, 2012 @12:44PM (#40110035)

    My company deals with financial services. We are not allowed to access Dropbox either. Nothing like sharing personal identifiable client data across someone else's network. This is a violation of all sorts of laws, so yeah, it makes sense to deny employees access to shared drives outside the company's purview.

    • by Hatta (162192) on Friday May 25, 2012 @12:52PM (#40110113) Journal

      Nothing like sharing personal identifiable client data across someone else's network.

      Have you ever used a VPN? Then you've done exactly that. It's just encrypted. Dropbox is similarly secure if you store an encrypted container.

      • by betterunixthanunix (980855) on Friday May 25, 2012 @01:02PM (#40110225)

        Dropbox is similarly secure if you store an encrypted container.

        This is not officially supported by Dropbox, however, and is very much ad-hoc. It also requires the user to take the time to configure such a system, unless your IT staff is going to do it for you, and even then you have the problem of users trying to use Dropbox for things that IT did not set up for them. Anything that adds hurdles to people doing their work is a potential security problem; it is easier to simply ban dropbox entirely than to have a policy that requires people to try to do things manually.

        • by mcwop (31034)
          That is key, IT has not set up easy to use file sharing, so people turn to Dropbox. IBM should implement an official one that works well. It could be a different provider like Box, or another. But give EEs the ability to use things to do their job easier, while maintaining security.
          • How do you know that IBM has not implemented an official file sharing system? As to whether or not it is easy is another question. However, my experience is that easy and secure rarely go together. That is not to say that a secure file sharing system has to be hard, but knowing the way most people think, I doubt you could make one they think of as "easy" that was secure because in order for it to be secure it requires the user sharing out the file to give information to the parties receiving the shared file
        • if you're concerned about encryption in the cloud check out truefriender [truefriender.com]. Full disclosure, I created truefriender specifically for this purpose and the way I've implemented the algorithms I can't see your data without your private key.
          • Is there a no-javascript version, or some way to read over the technical details without needing to go through layers of javascript?
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Nothing like sharing personal identifiable client data across someone else's network.

        Have you ever used a VPN? Then you've done exactly that. It's just encrypted. Dropbox is similarly secure if you store an encrypted container.

        No, Dropbox is *nothing* like a vpn with an outsourced storage provider. And they wont ever be, unless they start signing NDA's and confidentiality agreements with companies.

        • by Junta (36770)

          I think he's saying payload over dropbox is analagous to vpn over at&t. In the VPN case, you don't trust AT&T and use whatever VPN technology you want at either end to render the passing traffic undecipherable by at&t. Similarly, one could gpg a file, drop it on dropbox, and another could retrieve it, and un-gpg it. In this case, even if dropbox is a risk, the risk is greatly mitigated by the encryption that is performed outside of their framework.

      • When using VPN, you're likely in control of both endpoints. With Dropbox, you're in control of your end, but you can't say the same about Dropbox's end, so they may potentially do anything to your data. [tinfoil=1] Like discard the key, act like they encrypted the data, and return a bogus success message, keeping your data in the clear.[tinfoil=0]

        So yes, this is a valid, though aggravating move.

        • by Hatta (162192)

          Like discard the key

          Why would you give dropbox the key to the encrypted container with contents which you wish to keep secret from dropbox?

          • Um, my knowledge of encryption may be a little rusty. Don't you send the public key to Dropbox to have them encrypt the data you upload, and later use the private key decrypt it?

            Or am I misunderstanding you?

            • by Hatta (162192)

              No, you encrypt the archive on your own computer, and send the encrypted archive to dropbox. All they ever see is the encrypted archive. You can even use a symmetrical encryption method, since you won't be distributing your keys.

              • No fears in that case, then.

                I never used Dropbox, so I assumed when people were talking about encryption that Dropbox automatically encrypts uploaded data, either with a self-supplied key or with one generated from your account password, and decrypts it for you upon later download. Which would be a potential data security breach. But uploading an already-encrypted file should be safe, since only the cyphertext may be stolen, and current encryption schemes can guarantee unbreakable security (unbreakable by t

        • by Junta (36770)

          If you are trying to apply VPN logic to dropbox, you're likely to be in control of all 'ends'. If you want to upload to some dropxox space intended for osmeone, you use their public key to encrypt it, before it ever leaves your machine. Dropbox servers see an opaque, encrypted blob. The holder of the private key later comes along and retrieves it, decrypting it on their box. That would be analagous to the VPN case.

    • by noh8rz3 (2593935)
      my company blocked the ports for dropbox so it won't sync while i'm at work. nothing special in terms of data; the it dept are *****.
      • by Anonymous Coward on Friday May 25, 2012 @01:13PM (#40110341)

        I give my IT department a 5-star rating, too!

        • I give my IT department a 5-star rating, too!

          As a contractor, I have worked in a lot IT departments, mostly Windows shops (because they need the most help, thats where most of the contracts appear). It never fails that the department arrogantly gives itself such a rating: "our shop is tight... we run such and such." At the last gig, one guy spent all evening tracking down a "key logger," and came out of the hole near the end of the evening (to find me finishing his work), proudly claiming success. It took me all of 10 seconds to tell him he just spent

  • I work for a major provider of Bank software and services, and cloud services are banned here too. All data is encrypted here, and control of customer data is strictly kept.
  • Unrealistic (Score:5, Interesting)

    by Anonymous Coward on Friday May 25, 2012 @12:54PM (#40110135)

    We have a similar ban in my company (Alcatel-Lucent). Of course, I can carry out gigabytes of information on a thumb drive or the laptop I take home every night, but while I'm at work I can't connect to DropBox. I hope IBM also jams cell signals because all someone has to do is plug an LTE dongle into their laptop and they are outside the corporate firewall. This is the Maginot Line of security.

    • by Anonymous Coward

      We have a similar ban in my company (Alcatel-Lucent). Of course, I can carry out gigabytes of information on a thumb drive or the laptop I take home every night, but while I'm at work I can't connect to DropBox. I hope IBM also jams cell signals because all someone has to do is plug an LTE dongle into their laptop and they are outside the corporate firewall. This is the Maginot Line of security.

      You are missing the point entirely. The point is that those services leave the data sitting out user control...no guarantee of encryption, the level of encryption or control of access. Once you give up access control it only a matter of time before all defenses fall.

      Yes, in this day and age you could walk out with gigabytes per trip of sensitive information, but it would be vary easily tracked back to you. Going into the cloud,
      makes it vary difficult to track back to an individual, not mention significa

    • by Gilmoure (18428)

      Your company has decided that you, as an individual, are trusted with their data (not sure I would but I don't perform security background checks). So yeah, you could easily walk out with gigs of data. But they trust you. Now, if the data is place up on someone else's servers, the company has no way of knowing who has access to that data.

    • A Faraday cage maybe? Dropbox and similar is for someone real small that can't afford servers.

  • Ban the cloud? (Score:5, Interesting)

    by tverbeek (457094) on Friday May 25, 2012 @12:58PM (#40110177) Homepage

    Since someone suggested Dropbox as a good place to put our disaster recovery documentation, my employer has started "raising questions" about it from a data-security perspective. After years of buying computers without floppies or optical drives, and locking down USB ports, he wonders if we ought to start blocking these services as well. He argues that with our corporate e-mail we at least have a record of it (and a chance to block it) if someone sends confidential information off-site, but not so with cloud storage. Personally, I think it's impossible to effectively secure against this without crippling legitimate business-related web access. I can think of several trivial ways to get information from a computer on our network to an outside host using just innocuous must-allow protocols, and without needing to install software on the secured machine... starting with any webmail or forum site that allows uploads of file attachments, to them newfangled "cloud drives", to setting up an FTP server that listens on port 80.

    • by Gilmoure (18428)

      Basic connectivity to such services can be blocked and policy of no use can be published but ultimately, there's no real way to keep a trusted employee from walking out the door with a butt-load of data.

    • Re:Ban the cloud? (Score:4, Insightful)

      by bws111 (1216812) on Friday May 25, 2012 @01:53PM (#40110865)

      You are missing the point. This is just part of a policy for protection of internal assets. "Don't put confidential data where outsiders can get to it" is a perfectly reasonable policy. Implementing that policy means rules like "no data on DropBox" and "no confidential data on internet-facing servers" and "no services on internet-facing servers that would allow access to the internal network". Having been informed of those rules, if information is leaked because you violated the rules, you will be held personally responsible (fired and/or sued).

      Of course it is always possible that some dope will intentionally leak information. These rules are not about that. These rules are in place to so people don't make faulty assumptions about what is secure and what is not.

    • A port is not a protocol. It's trivial to monitor port 80 (or 443, etc) and detect if FTP or SCP headers are passing through. You could, of course, come up with a completely encrypted customized protocol, but this can be flagged as well.
  • by Anonymous Coward

    So, they're saying not to leave possibly sensitive information in the hands of 3rd parties where they have no real way of guaranteeing security?
    Not exactly rocket science, guys.

    If it were my job to set data security policy I sure as hell would not let my employees use dropbox. Especially in an organization that has a hit squad of lawyers commonly known as the 'Nazgul'.

  • I work in IT in a (UK) hospital. We are extremely "enthusiastic" about security. We were thinking about this sort of thing some time ago and then it was decided at the top that we would ban Skydrive immediately and other clouds have been added to our list since.

    This is not always well received but this is the nice thing about policies. They apply to everyone and the higher they come from, the less can some manager make an "exception" where they see the need.

    • this is the biggest question of any "Cloud" service phrased in a PHB friendly way. Now of course the details are a lot longer but IBM has basically said "Lets stay Inside and make sure we stay dry".

      Does anybody know of a "CloudStack" that allows for a business to run a relay/inside server??

  • by mcwop (31034) on Friday May 25, 2012 @01:02PM (#40110231) Homepage
    Employees often times use these tools because IT does not provide their employees with good USABLE solutions. When IT's answer to everything requested by employees is SharePoint, then EEs turn to other solutions. I can Citrix in which is a lame experience, or use something like Zoho, which is an awesome experience from a user perspective. Obviously, any solution needs to be vetted, but employees want things that work great, like many of the consumer products they use personally.
    • by SQLGuru (980662)

      A lot of times IT hasn't provided a solution because it hasn't been a business priority......or falls so low on the cost to benefit ratio. Show a valid business need with measurable benefits and get your executives to sponsor a project to develop a solution.

      • I know your response if the "correct" one, but people realistically don't have that much time. Ideally their time is supposed to be spent productively, not bureaucratically.

        I'm thinking about the quote from the Jurassic Park: "No, I'm, I'm simply saying that life, uh... finds a way. " People will find a way around perceived road blocks, much to the consternation of IT. Absolute control fails absolutely.

    • by bensode (203634)

      "IT does not provide their employees with good USABLE solutions"

      Also can be translated as

      "IT cannot provide their employees with good USABLE solutions".

      Not all of us are elitist-gold-plated-my-way-or-the-highway IT guys. Don't let a lack of resources and/or funding get in the way of the rant that all IT departments are incompetent, lazy and completely against user productivity.

      • by mcwop (31034) on Friday May 25, 2012 @01:53PM (#40110879) Homepage
        It has nothing to do with lazy or incompetence, lack of funding, lack of resources, and it has nothing to do with being against productivity, it is the biases in solutions. One example is the anti-mac thing that still exists, however the iPhone really upset that apple-cart. However, I would say this is all changing and cloud and consumerization of enterprise solutions is forcing the change.
  • Trust (Score:4, Insightful)

    by StikyPad (445176) on Friday May 25, 2012 @01:04PM (#40110241) Homepage

    Ironically, IBM is probably providing a lot of the hardware and software that run these farms. Of course, it still comes down to trusting another company with access to your vital information. This has been the obvious Achilles heel in "cloud computing" since day one. It's one thing to pass encrypted data through an untrusted party, but it's another thing entirely when the untrusted party is an endpoint with access to the plain text. Not only do you have to trust that the endpoint has properly implemented security, but also that every individual with access to the data has uncompromising integrity.

    • by mcwop (31034)
      What if the end point's security is better than yours? Why does everyone assume their security is better than a cloud service's? In some cases it is and some cases its not.
      • by StikyPad (445176)

        1) It may well be more secure, but large collections of data are also a bigger target. Your data could conceivably be a victim of collateral damage even if you weren't the initial target, or ever a target at all.

        2) Two people can keep a secret. If one of them is dead. From a purely statistical standpoint, all else being equal, the more people who have access, the bigger the risk.

    • Less to do with trusting dropbox and more to do with trusting your employees. My firm blocks all kind of things. GMail, Facebook, Twitter, and Usb drives. It also restricts other things. Can't use cell phone cameras on premise. Can't use your own mouse or headphones. Can't leave any papers on desk or in trash. Can't install anything without permission. I carry two cellphones because I can't mix personal and buisness email. This is a non story. I have no idea why slashdot isn't blocked.
  • by hsmith (818216) on Friday May 25, 2012 @01:08PM (#40110283)
    anything you google, type into bing, yahoo, are all captured somewhere. Seems that they are fighting a losing war of data leakage protection.
    • You have a point, but this isn't the right way to think about it either. It's all about assessing the treats and liabilities that you're dealing with, and making good risk/benefit decisions. Yes, everything you type into Google goes somewhere, but what are you likely to be searching about? What is the likelihood of someone going through your search history to find those things? I would guess that if someone went through each of my search queries individually, they wouldn't find anything remotely interes

  • Can someone who works for IBM care to explain how they're planning on enforcing these rules?

    Sure, I could see them scanning their employee's laptops to make sure that Dropbox isn't installed, but how are they going to stop you from using iCloud or Siri on your cell phone? I know that IBM certainly didn't pay for MY cell phone or cell phone plan when I worked there, and I sure as hell wouldn't let them install their bloatware security lockdown tools on my personal property.

    • by bws111 (1216812)

      Very simple. It is your (the employee) responsibility to protect data you are trusted with. These rules are in place to make sure you understand that some things are not considered secure by IBM. If you use those services anyway, and information leaks out because of it, YOU are personally responsible and will be fired and/or have legal action taken against you.

  • I hope this shames Dropbox into implementing proper client side encryption.

    I like many others have become dependent on Dropbox for my work because it is so darn convenient but I know in the back of my mind that it poses a security risk. I would feel much more comfortable if everything was encrypted on my PC (and under my control) before it was transmitted.

    • by plover (150551) *

      Since it's all about trust anyway, a Dropbox client would be the last place I'd put my trust before storing data in their cloud. If their client knows my key, how do I know they aren't sending it up to the mothership as well?

      Integrated security simply means a larger attack surface and more parts in which you have to invest 100% trust. It's much safer to trust a single tool that only does security (encryption) than to trust their entire ecosystem.

  • I don't see why an employee would need a service like Dropbox while working for a large corporation like IBM.

    They already have all kinds of subversion, document, and content servers in-house, readily available by logging in to the VPN (securely!)

    External services like Dropbox are fine for consumers whose employers don't already provide intranet "cloud" storage for data, but employees of large companies? What kind of employee shoot-myself-in-the-foot insanity would place cricital corporate information

  • This has always been the issue with the "cloud." Oh, sure, it sounds great to be able to pull up documents from wherever, to collaborate, to do all sorts of things, but if that server is hosted by an outside company, then all of your trade secrets, business plans, legal documents and briefs, personnel documents, marketing plans, and whatever confidential corporate information you have is under somebody else's control. How well do you trust the host company? How well do you trust the other other companies

  • I work at a small bank (assets around $1B). We have been banned from using cloud-based services like iCloud since they were .Mac. This is no surprise. However, I wonder how businesses like mine will cope with the cloud as it becomes more popular. I already wish we could use Google Docs and DropBox...but alas, we cannot.
  • These services are key to businesses operating fluidly and for internal organization to be both transparent and collaborative. Accessing files and folders from common directories saves time and storage space. My company, Infinit, is currently working on a solution that offers Dropbox-like features to individuals and organizations via an encrypted infrastructure maintained on local devices. So... same functionalities as a cloud, better UI and the security a large organization needs without ever relying on th

Possessions increase to fill the space available for their storage. -- Ryan

Working...