we should also recognize that this is self-serving to IBM because it sells IT security consulting services

Maybe yes, maybe no.

But the company I work for has banned DropBox and other things for some time. The problem with "the cloud" is you really don't know where your data goes, and you can't really be guaranteed of who might be accessing it.

So there's definitely a perception that unless you're dropping in strongly encrypted files, it's no longer secure. So depending on what it is, something like DropBox is potentially a bad idea.

I'll use DropBox to move around stuff that isn't sensitive, but anything proprietary or confidential, I just move it via another mechanism.

Also, since I do some occasional work for the Canadian government, I couldn't use DropBox or anything which might end up on a US server (so not even gmail) ... because under the Patriot Act, we have no guarantee that this data wouldn't become visible to American law enforcement. Which means I could be running afoul of Canadian privacy laws -- so by policy any service ran by an US company, or in the cloud, is just something I can't use for work purposes.

Sadly, this is no different that the situation in which companies like Microsoft can either be in compliance with EU data laws, or in compliance with US Patriot Act -- but not both. From a professional perspective, the US has made themselves and many of their corporations untrusted parties -- I just assume that since the US has given themselves legal rights to snoop without disclosure, they do. So it's just easier to treat them as a hostile entity who isn't trustworthy. And, considering that EU financial and air passenger data is handed to the US, I find it hard to go against that stance.

From a legal perspective, once something hits the cloud, you lose a lot of safeguards and access controls to it unless you implement them yourself.

In many cases, what IBM is doing is just sound business.

This is not officially supported by Dropbox, however, and is very much ad-hoc. It also requires the user to take the time to configure such a system, unless your IT staff is going to do it for you, and even then you have the problem of users trying to use Dropbox for things that IT did not set up for them. Anything that adds hurdles to people doing their work is a potential security problem; it is easier to simply ban dropbox entirely than to have a policy that requires people to try to do things manually.

Ironically, IBM is probably providing a lot of the hardware and software that run these farms. Of course, it still comes down to trusting another company with access to your vital information. This has been the obvious Achilles heel in "cloud computing" since day one. It's one thing to pass encrypted data through an untrusted party, but it's another thing entirely when the untrusted party is an endpoint with access to the plain text. Not only do you have to trust that the endpoint has properly implemented security, but also that every individual with access to the data has uncompromising integrity.

No, Dropbox is *nothing* like a vpn with an outsourced storage provider. And they wont ever be, unless they start signing NDA's and confidentiality agreements with companies.

You are missing the point. This is just part of a policy for protection of internal assets. "Don't put confidential data where outsiders can get to it" is a perfectly reasonable policy. Implementing that policy means rules like "no data on DropBox" and "no confidential data on internet-facing servers" and "no services on internet-facing servers that would allow access to the internal network". Having been informed of those rules, if information is leaked because you violated the rules, you will be held personally responsible (fired and/or sued).

Of course it is always possible that some dope will intentionally leak information. These rules are not about that. These rules are in place to so people don't make faulty assumptions about what is secure and what is not.

"Here's the real question you need to ask yourself before putting anything in the cloud: do you trust them to be more competent than yourself at backing things up, providing uptime and securing the data?"

Generally it is, yes, yes, and yes.

The final question: "Can you trust them to work as diligently as your employees to recover from some cock-up whose effective and immediate resolution is critical to your business?" "Or, conversely, is holding your most critical data hostage for predatory consulting rates their business model?"