IBM's Ban on Dropbox and iCloud Highlights Cloud Security Issues
IBM has forbidden its employees from using cloud-based services such as Siri, Dropbox and iCloud, according to reports. These products (along with many others) are presenting a challenge to IT administrators who want to keep their organizations secure, as well as to consumer-software developers who suddenly need to build features with both consumers and businesses in mind.
Self-Serving? (Score:5, Interesting)
Re:Self-Serving? (Score:5, Interesting)
Yes, of course. At the same time, what would you have them do? Not ever mention anything about potential security holes, because it could be construed as a conflict of interest?
Here's the real question you need to ask yourself before putting anything in the cloud: do you trust them to be more competent than yourself at backing things up, providing uptime and securing the data? If you answer no to any of these questions, you have a reason to keep stuff in-house. Note: beware of the Dunning-Kruger effect. If you answer yes to all three, you have no reason to keep things in-house.
What IBM has done is to say that they can do a better job securing their data than Dropbox and iCloud. Considering the rather significant breaches that have occurred at Dropbox, and the completely unknown state of data security in iCloud, IBM is spot on with their assessment. I would only put encrypted stuff on either, or stuff where I have no problem if people are snooping through it. Want to take a gander at my weekend pictures? Knock yourself out. Want to find out what my truecrypt file is about? Good luck with that.
Re: (Score:3, Interesting)
I have a better question to ask. Am I paying for this or is it free, and what do I expect of a free service? If I am paying for it, what am I paying for? Convenience or security? If I am paying for convenience, it's going to cost a lot less than if I am paying for a top secure cloud experience. If I am going to put something on the cloud, is it encrypted already, as it should be, and why am I putting important information on the cloud and not on my own company's backup server, which should be how it's done?
I see IBM l
Re: (Score:1)
Damn you to hell for referencing something I didn't know. An hour ago I looked up Dunning-Kruger on Wikipedia and just realized as I was reading about iridium that I had wasted my entire lunch hour.
Re:Self-Serving? (Score:4, Insightful)
"Here's the real question you need to ask yourself before putting anything in the cloud: do you trust them to be more competent than yourself at backing things up, providing uptime and securing the data?"
Generally it is, yes, yes, and yes.
The final question: "Can you trust them to work as diligently as your employees to recover from some cock-up whose effective and immediate resolution is critical to your business?" "Or, conversely, is holding your most critical data hostage for predatory consulting rates their business model?"
Re: (Score:1)
That may be, and this may have some marketing tones to it, but it is still a valid security concern.
The list just continues to grow though ... Skype, Dropbox, Siri, Flash ... All opt in services and features, that make you less secure than if you didn't use them. Environment dependent, of course ....
Sorry, but it's hard to argue IBM is wrong here.
Re: (Score:2)
Can't agree more, but any IS Security shop would have concerns about any cloud service, or the ability for employees to easily port data 'outside' of the company LAN/WAN. This is a common sense move, and speaks less about those specific services but rather more about controlling ANY data leaving the company firewalls.
For example, Siri must convert spoken words to text for many queries, which is a concern, just as it would be a concern to allow employees access to social networks, 3rd party email services, a
Re:Self-Serving? (Score:5, Insightful)
Maybe yes, maybe no.
But the company I work for has banned DropBox and other things for some time. The problem with "the cloud" is you really don't know where your data goes, and you can't really be guaranteed of who might be accessing it.
So there's definitely a perception that unless you're dropping in strongly encrypted files, it's no longer secure. So depending on what it is, something like DropBox is potentially a bad idea.
I'll use DropBox to move around stuff that isn't sensitive, but anything proprietary or confidential, I just move it via another mechanism.
Also, since I do some occasional work for the Canadian government, I couldn't use DropBox or anything which might end up on a US server (so not even gmail) ... because under the Patriot Act, we have no guarantee that this data wouldn't become visible to American law enforcement. Which means I could be running afoul of Canadian privacy laws -- so by policy any service run by a US company, or in the cloud, is just something I can't use for work purposes.
Sadly, this is no different than the situation in which companies like Microsoft can either be in compliance with EU data laws, or in compliance with US Patriot Act -- but not both. From a professional perspective, the US has made themselves and many of their corporations untrusted parties -- I just assume that since the US has given themselves legal rights to snoop without disclosure, they do. So it's just easier to treat them as a hostile entity who isn't trustworthy. And, considering that EU financial and air passenger data is handed to the US, I find it hard to go against that stance.
From a legal perspective, once something hits the cloud, you lose a lot of safeguards and access controls to it unless you implement them yourself.
In many cases, what IBM is doing is just sound business.
Re: (Score:2)
I'll agree with your general principle. With applications like Truecrypt out there though you can still use these services without the worry of some entity making a copy and rifling through your stuff. Just put up your truecrypt file and you get all the convenience and almost none of the worry. The only problem becomes how you send your passphrase or whether you know your passphrase from memory.
Re: (Score:2)
From a legal perspective, I will opt to not use the cloud for work purposes. They can't crack the encryption if they don't have the files in the first place.
In theory what you propose would probably work ... in practice, it's only theory. :-P
I'll stick with old fashioned access-based security, especially since it would be me who would take the risk for saying "oh, well this should work". Not using the cloud is les
Re: (Score:2)
Assuming, of course, that not only is the underlying encryption algorithm that TrueCrypt uses secure (it probably is), but that the implementation is 100% bug free. Given the complexity of the code, I would hate to bet anything too important on that.
Re: (Score:2)
... because under the Patriot Act, we have no guarantee that this data wouldn't become visible to American law enforcement.
Ummm. Asking a question here. What does the Patriot Act have to do with anything? Does a US citizen using a Canadian server have any guarantee that his data won't become visible to Canadian law enforcement? Do you not have search warrants in Canada? Can Canadian law enforcement not walk into a Canadian court and say "we have evidence of illegal activities on this server, we need a search warrant so we can look at everything..." and get access to whatever data I have on that server, whether or not it is il
Re:Self-Serving? (Score:5, Informative)
The difference being you'd need to go to court to get a warrant, and I believe there would be a legal opportunity to be notified of this. If Canadian law enforcement accessed your data, you could legally know about it.
The Patriot Act basically says they can demand it, with very little legal support, and it is against the law to tell someone that their data has been accessed from your servers under this request.
So, it comes down to the US having granted themselves access to any and all data from a US owned company or US hosted server ... and made it illegal to disclose that access has happened.
If that data access comes under the guise of secrecy and not going through the normal courts, you'll never know it happened.
As I said, those provisions of the Patriot Act give access that concerns a lot of people ... see here [zdnet.com].
So, based on what I've read, and what I've been told by corporate policies ... for anybody who isn't in the US, America and American owned companies are completely untrustworthy since the law reads like it bypasses local laws when it comes to data security and privacy.
Now, for a bit of balance the other way, I see that people are starting to say the Patriot Act isn't so intrusive [pcworld.com] and this is all blown out of proportion.
But, until I see company and legal policies changing here in Canada, I will continue to treat data being put into a US server as a stupid idea, and I will continue to treat those entities as hostile and not trustworthy.
Since I'm not a lawyer, and I don't have anything to gain by suddenly trusting these entities, if I stick with this, I'm in compliance with company policy. I'll just err on the side of caution -- not trusting the US government is just a bonus at this point.
Re: (Score:2)
If Canadian law enforcement accessed your data, you could legally know about it.
After it happened. If you disclose to your target that you are seeking a search warrant, especially for a computer that can be accessed remotely, they'll just delete anything they don't want you to see. Much better to be charged with obstruction than possessing CP, isn't it?
But in neither country is there any guarantee that law enforcement will not have access to your data. Your only point is that in the US they won't tell you that they have gotten access, but that doesn't change the fact that they've acce
Re: (Score:1)
Canadian law enforcement certainly can obtain data from servers, however the following has to be met:
A warrant is required. The filing of the warrant also requires a limitation to what is being searched, and how the data is to be destroyed after use (or, at the very least, the retention policy).
The US Patriot Act (as far as I can tell - I'm a dipshit Canadian) simply allows the FBI to request access to any (or all) electronic records without oversight. The mention of receiving a national security letter i
Re: (Score:2)
The US Patriot Act (as far as I can tell - I'm a dipshit Canadian) simply allows the FBI to request access to any (or all) electronic records without oversight. The mention of receiving a national security letter is illegal, while the warrant process has a paper trail and full disclosure to what was being searched.
According to the fount of all knowledge, the venerable Wikipedia, the NSL part of the Patriot Act was ruled by a court as unconstitutional and the amended version was also struck down.
The PIPEDA act in Canada has very strong personal protections in place, and isn't a joke act.
That may be, but it has no standing in any country outside Canada. If your fear of loss of data control is based on the foreign country not obeying PIPEDA, then you must fear them all, not just the US. The Patriot Act has no relevance to whether PIPEDA is obeyed in the US or not.
This appears to be more scare mongering trying
Re: (Score:2)
Our Canadian laws don't prevent access from any legitimate law enforcement agency, including US or any others.
It DOES say that such access MUST BE granted by a Canadian court. If the FBI or anyone else wants to look at my Canadian data stored on a Canadian server then they can go through the appropriate process in a Canadian court.
This makes sense, as presumably if I'm located in Canada then I am subject to the Laws of Canada and not of any other country. You want me you need to convince a Canadian court th
Re: (Score:2)
The point is that if Canadian data is stored on a US server then US law enforcement can access it.
The opposite is also true for US data stored on a Canadian server, it can be accessed by Canadian law enforcement.
I'll note that a) not many services have data farms in Canada and b) Canadian laws make it slightly harder.
The end result is that if you have data that must be stored and be accessible ONLY under Canadian privacy laws (i.e. safe from US law enforcement eyes, e.g. personal data stored by government o
Re: (Score:1)
You can view the announcement as self-serving, but to be fair, the ban is for their employees. I'm sure many other workplaces have policies on what data (if any) can be uploaded to which clouds (if any).
Not the first or only (Score:5, Informative)
My company deals with financial services. We are not allowed to access Dropbox either. Nothing like sharing personal identifiable client data across someone else's network. This is a violation of all sorts of laws, so yeah, it makes sense to deny employees access to shared drives outside the company's purview.
Re:Not the first or only (Score:4, Informative)
Nothing like sharing personal identifiable client data across someone else's network.
Have you ever used a VPN? Then you've done exactly that. It's just encrypted. Dropbox is similarly secure if you store an encrypted container.
Re:Not the first or only (Score:5, Insightful)
Dropbox is similarly secure if you store an encrypted container.
This is not officially supported by Dropbox, however, and is very much ad-hoc. It also requires the user to take the time to configure such a system, unless your IT staff is going to do it for you, and even then you have the problem of users trying to use Dropbox for things that IT did not set up for them. Anything that adds hurdles to people doing their work is a potential security problem; it is easier to simply ban dropbox entirely than to have a policy that requires people to try to do things manually.
Re: (Score:2, Insightful)
Nothing like sharing personal identifiable client data across someone else's network.
Have you ever used a VPN? Then you've done exactly that. It's just encrypted. Dropbox is similarly secure if you store an encrypted container.
No, Dropbox is *nothing* like a vpn with an outsourced storage provider. And they won't ever be, unless they start signing NDAs and confidentiality agreements with companies.
Re: (Score:2)
I think he's saying payload over dropbox is analogous to vpn over at&t. In the VPN case, you don't trust AT&T and use whatever VPN technology you want at either end to render the passing traffic undecipherable by at&t. Similarly, one could gpg a file, drop it on dropbox, and another could retrieve it, and un-gpg it. In this case, even if dropbox is a risk, the risk is greatly mitigated by the encryption that is performed outside of their framework.
Re: (Score:2)
When using VPN, you're likely in control of both endpoints. With Dropbox, you're in control of your end, but you can't say the same about Dropbox's end, so they may potentially do anything to your data. [tinfoil=1] Like discard the key, act like they encrypted the data, and return a bogus success message, keeping your data in the clear.[tinfoil=0]
So yes, this is a valid, though aggravating move.
Re: (Score:2)
Like discard the key
Why would you give dropbox the key to the encrypted container with contents which you wish to keep secret from dropbox?
Re: (Score:2)
Um, my knowledge of encryption may be a little rusty. Don't you send the public key to Dropbox to have them encrypt the data you upload, and later use the private key to decrypt it?
Or am I misunderstanding you?
Re: (Score:2)
No, you encrypt the archive on your own computer, and send the encrypted archive to dropbox. All they ever see is the encrypted archive. You can even use a symmetrical encryption method, since you won't be distributing your keys.
Re: (Score:2)
No fears in that case, then.
I never used Dropbox, so I assumed when people were talking about encryption that Dropbox automatically encrypts uploaded data, either with a self-supplied key or with one generated from your account password, and decrypts it for you upon later download. Which would be a potential data security breach. But uploading an already-encrypted file should be safe, since only the cyphertext may be stolen, and current encryption schemes can guarantee unbreakable security (unbreakable by t
Re: (Score:2)
If you are trying to apply VPN logic to dropbox, you're likely to be in control of all 'ends'. If you want to upload to some dropbox space intended for someone, you use their public key to encrypt it, before it ever leaves your machine. Dropbox servers see an opaque, encrypted blob. The holder of the private key later comes along and retrieves it, decrypting it on their box. That would be analogous to the VPN case.
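The encrypt-before-upload approach described in the comments above ("encrypt the archive on your own computer, and send the encrypted archive"), as an added example that is not part of the original thread. It uses AES-256-GCM from the Go standard library rather than the gpg or TrueCrypt tools the commenters name; `NewKey`, `Seal`, `Open`, the blob layout and the binding of the file name as associated data are assumptions of this sketch.

```go
// Added example (not from the thread): seal a file locally before it goes
// into a synced folder, so the storage provider only ever holds ciphertext.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob layout assumed here: 12-byte nonce || ciphertext || 16-byte GCM tag.

// NewKey returns a random 256-bit key. It stays on the client and is never
// handed to the provider.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key. The file name is bound as associated
// data, so a blob stored under one name does not verify under another.
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to dst; passing nonce as dst
	// yields nonce || ciphertext || tag in one slice.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open verifies the tag and decrypts. Any change made to the blob while it
// sat on the provider's side makes verification fail instead of returning
// altered plaintext.
func Open(key, blob []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample: disaster-recovery runbook v3")
	blob, err := Seal(key, doc, "runbook.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d opaque bytes\n", len(blob))

	// Simulate the storage side flipping one bit of the stored blob.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, "runbook.txt"); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	out, err := Open(key, blob, "runbook.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", out)
}
```

Because the key is generated and kept locally, this matches the symmetric case in the thread where no keys are distributed; sharing with another person would need the public-key variant the last comment describes.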
Re:Not the first or only (Score:4, Funny)
I give my IT department a 5-star rating, too!
Re: (Score:2)
I give my IT department a 5-star rating, too!
As a contractor, I have worked in a lot of IT departments, mostly Windows shops (because they need the most help, that's where most of the contracts appear). It never fails that the department arrogantly gives itself such a rating: "our shop is tight... we run such and such." At the last gig, one guy spent all evening tracking down a "key logger," and came out of the hole near the end of the evening (to find me finishing his work), proudly claiming success. It took me all of 10 seconds to tell him he just spent
Banned here too (Score:2)
Unrealistic (Score:5, Interesting)
We have a similar ban in my company (Alcatel-Lucent). Of course, I can carry out gigabytes of information on a thumb drive or the laptop I take home every night, but while I'm at work I can't connect to DropBox. I hope IBM also jams cell signals because all someone has to do is plug an LTE dongle into their laptop and they are outside the corporate firewall. This is the Maginot Line of security.
Re: (Score:1)
We have a similar ban in my company (Alcatel-Lucent). Of course, I can carry out gigabytes of information on a thumb drive or the laptop I take home every night, but while I'm at work I can't connect to DropBox. I hope IBM also jams cell signals because all someone has to do is plug an LTE dongle into their laptop and they are outside the corporate firewall. This is the Maginot Line of security.
You are missing the point entirely. The point is that those services leave the data sitting out of user control...no guarantee of encryption, the level of encryption or control of access. Once you give up access control it is only a matter of time before all defenses fall.
Yes, in this day and age you could walk out with gigabytes per trip of sensitive information, but it would be very easily tracked back to you. Going into the cloud makes it very difficult to track back to an individual, not to mention significa
Re: (Score:2)
Your company has decided that you, as an individual, are trusted with their data (not sure I would but I don't perform security background checks). So yeah, you could easily walk out with gigs of data. But they trust you. Now, if the data is placed up on someone else's servers, the company has no way of knowing who has access to that data.
Re: (Score:2)
A Faraday cage maybe? Dropbox and similar is for someone real small that can't afford servers.
Ban the cloud? (Score:5, Interesting)
Since someone suggested Dropbox as a good place to put our disaster recovery documentation, my employer has started "raising questions" about it from a data-security perspective. After years of buying computers without floppies or optical drives, and locking down USB ports, he wonders if we ought to start blocking these services as well. He argues that with our corporate e-mail we at least have a record of it (and a chance to block it) if someone sends confidential information off-site, but not so with cloud storage. Personally, I think it's impossible to effectively secure against this without crippling legitimate business-related web access. I can think of several trivial ways to get information from a computer on our network to an outside host using just innocuous must-allow protocols, and without needing to install software on the secured machine... starting with any webmail or forum site that allows uploads of file attachments, to them newfangled "cloud drives", to setting up an FTP server that listens on port 80.
Re: (Score:3)
Basic connectivity to such services can be blocked and policy of no use can be published but ultimately, there's no real way to keep a trusted employee from walking out the door with a butt-load of data.
Re:Ban the cloud? (Score:4, Insightful)
You are missing the point. This is just part of a policy for protection of internal assets. "Don't put confidential data where outsiders can get to it" is a perfectly reasonable policy. Implementing that policy means rules like "no data on DropBox" and "no confidential data on internet-facing servers" and "no services on internet-facing servers that would allow access to the internal network". Having been informed of those rules, if information is leaked because you violated the rules, you will be held personally responsible (fired and/or sued).
Of course it is always possible that some dope will intentionally leak information. These rules are not about that. These rules are in place so people don't make faulty assumptions about what is secure and what is not.
Basic security principle. (Score:1)
So, they're saying not to leave possibly sensitive information in the hands of 3rd parties where they have no real way of guaranteeing security?
Not exactly rocket science, guys.
If it were my job to set data security policy I sure as hell would not let my employees use dropbox. Especially in an organization that has a hit squad of lawyers commonly known as the 'Nazgul'.
Standard in Secure Environments (Score:2)
I work in IT in a (UK) hospital. We are extremely "enthusiastic" about security. We were thinking about this sort of thing some time ago and then it was decided at the top that we would ban Skydrive immediately and other clouds have been added to our list since.
This is not always well received but this is the nice thing about policies. They apply to everyone and the higher they come from, the less can some manager make an "exception" where they see the need.
What Happens If It Rains? (Score:2)
This is the biggest question of any "Cloud" service phrased in a PHB friendly way. Now of course the details are a lot longer but IBM has basically said "Let's stay Inside and make sure we stay dry".
Does anybody know of a "CloudStack" that allows for a business to run a relay/inside server??
Of course, they never ask why EEs use these (Score:5, Insightful)
Re: (Score:2)
A lot of times IT hasn't provided a solution because it hasn't been a business priority......or falls so low on the cost to benefit ratio. Show a valid business need with measurable benefits and get your executives to sponsor a project to develop a solution.
Re: (Score:2)
I'm thinking about the quote from the Jurassic Park: "No, I'm, I'm simply saying that life, uh... finds a way. " People will find a way around perceived road blocks, much to the consternation of IT. Absolute control fails absolutely.
Re: (Score:1)
"IT does not provide their employees with good USABLE solutions"
Also can be translated as
"IT cannot provide their employees with good USABLE solutions".
Not all of us are elitist-gold-plated-my-way-or-the-highway IT guys. Don't let a lack of resources and/or funding get in the way of the rant that all IT departments are incompetent, lazy and completely against user productivity.
Trust (Score:4, Insightful)
Ironically, IBM is probably providing a lot of the hardware and software that run these farms. Of course, it still comes down to trusting another company with access to your vital information. This has been the obvious Achilles heel in "cloud computing" since day one. It's one thing to pass encrypted data through an untrusted party, but it's another thing entirely when the untrusted party is an endpoint with access to the plain text. Not only do you have to trust that the endpoint has properly implemented security, but also that every individual with access to the data has uncompromising integrity.
Re: (Score:2)
1) It may well be more secure, but large collections of data are also a bigger target. Your data could conceivably be a victim of collateral damage even if you weren't the initial target, or ever a target at all.
2) Two people can keep a secret. If one of them is dead. From a purely statistical standpoint, all else being equal, the more people who have access, the bigger the risk.
Re: (Score:2)
Yes, but these aren't laptops aimed at teenage girls. It's IBM saying "our systems are perfect for your enterprise applications that we would never trust with our data. But have fun, everyone else."
Re: (Score:2)
That is complete nonsense. They are saying no such thing. They are saying they have a problem with SERVICES that provide absolutely no guarantee of data security, zero auditability, crappy terms of service that basically say 'we can do whatever we want with your data', etc. None of that has anything to do with any IBM hardware or software.
If IBM was saying "Don't use IBM cloud services" then you would have a point. They are not saying anything close to that.
What about search engines? (Score:4, Insightful)
Re: (Score:2)
You have a point, but this isn't the right way to think about it either. It's all about assessing the threats and liabilities that you're dealing with, and making good risk/benefit decisions. Yes, everything you type into Google goes somewhere, but what are you likely to be searching about? What is the likelihood of someone going through your search history to find those things? I would guess that if someone went through each of my search queries individually, they wouldn't find anything remotely interes
Re: (Score:2)
Bingo...they are forbidden from using cloud services from competitors...I'm sure once IBM joins the cloud service provider party, that will be allowed.
Re: (Score:2)
IBM has been providing 'cloud' services for more than 50 years. They just don't call it that. Originally it was 'service bureaus', where a company could rent time on IBM systems. Now it is more of IBM running all of a company's IT operations.
Re: (Score:2)
IBM does not hate "the cloud". IBM does not want its own data stored on services that do not have contracts stating exactly how that data may be accessed and by whom, and with no penalties for intentional or inadvertent disclosure of that data.
Umm... how is IBM enforcing this again? (Score:2)
Can someone who works for IBM care to explain how they're planning on enforcing these rules?
Sure, I could see them scanning their employees' laptops to make sure that Dropbox isn't installed, but how are they going to stop you from using iCloud or Siri on your cell phone? I know that IBM certainly didn't pay for MY cell phone or cell phone plan when I worked there, and I sure as hell wouldn't let them install their bloatware security lockdown tools on my personal property.
Re: (Score:2)
Very simple. It is your (the employee) responsibility to protect data you are trusted with. These rules are in place to make sure you understand that some things are not considered secure by IBM. If you use those services anyway, and information leaks out because of it, YOU are personally responsible and will be fired and/or have legal action taken against you.
Dropbox needs client side encryption. (Score:2)
I hope this shames Dropbox into implementing proper client side encryption.
I, like many others, have become dependent on Dropbox for my work because it is so darn convenient, but I know in the back of my mind that it poses a security risk. I would feel much more comfortable if everything was encrypted on my PC (and under my control) before it was transmitted.
Re: (Score:2)
Since it's all about trust anyway, a Dropbox client would be the last place I'd put my trust before storing data in their cloud. If their client knows my key, how do I know they aren't sending it up to the mothership as well?
Integrated security simply means a larger attack surface and more parts in which you have to invest 100% trust. It's much safer to trust a single tool that only does security (encryption) than to trust their entire ecosystem.
Why would IBM employees NEED Dropbox et al? (Score:2)
I don't see why an employee would need a service like Dropbox while working for a large corporation like IBM.
They already have all kinds of subversion, document, and content servers in-house, readily available by logging in to the VPN (securely!)
External services like Dropbox are fine for consumers whose employers don't already provide intranet "cloud" storage for data, but employees of large companies? What kind of employee shoot-myself-in-the-foot insanity would place critical corporate information
This has always been the issue with the "cloud" (Score:2)
This has always been the issue with the "cloud." Oh, sure, it sounds great to be able to pull up documents from wherever, to collaborate, to do all sorts of things, but if that server is hosted by an outside company, then all of your trade secrets, business plans, legal documents and briefs, personnel documents, marketing plans, and whatever confidential corporate information you have is under somebody else's control. How well do you trust the host company? How well do you trust the other companies
Old news...I work at a bank (Score:2)
If not Dropbox, then Infinit (Score:1)