My organization has always been wary of allowing employees to use Dropbox, but I heard that it is coming out with some new enterprise-grade security features. Is Dropbox safe now? What are the new security features and do they actually improve Dropbox security? Should they affect how we assess Dropbox risk?
Ask the Expert
SearchSecurity expert Michael Cobb is ready to answer your security questions – submit them now! (All questions are anonymous)
Cloud and collaboration services are a mixed blessing for enterprises. While many of them result in productivity gains, putting enterprise data in the hands of third parties always opens up the possibility of data leakage. Many organizations resist the use of information-sharing services such as Dropbox because it lacks permissions and security controls that would allow administrators to retain control over company data. In an effort to make its service acceptable for business use and to compete in the lucrative enterprise market, Dropbox Inc. has announced a variety of new security features for IT administrators.
The key change in "Dropbox for Business" is that both a personal and a corporate account can be used on one device. While all of a user's folders are combined into one account for convenience, they're divided into two containers: A personal folder for private data and a business folder controlled by the user's IT department. This allows administrators to remove an employee's access to certain files should they leave the company or change jobs within the organization. A user's business folder can also easily be moved to another user through an account-transfer feature, which can be useful in certain scenarios (for example, moving an existing folder to the replacement for an employee who is leaving). Dropbox for Business also integrates with Active Directory, making it possible to quickly add or remove Dropbox users across a company. The product's Remote Wipe function protects data if a device is stolen and makes sure employees can't still access old business files on their device once they leave the company.
Dropbox for Business also offers a new Sharing Audit Logs tool that provides audit capabilities and allows administrators to see exactly who is sharing what with whom and when. This makes it easier to keep track of the apps linked to the account, check user permissions and revoke access remotely if necessary. Admins can also block the sharing of certain files outside of specific teams or prevent employees from having their personal files accessible on their work computer.
The new Dropbox for Business client will be rolled out in early 2014. If employees already have separate business and personal accounts, they will be able to combine them with the new app.
The extensive redesign of how Dropbox works means it may now meet many enterprises' data protection and compliance requirements. However, as with any third-party service, a full risk assessment should be carried out and all service level agreements should be reviewed before adopting Dropbox. Rivals in this space include Box, Amazon WorkSpaces and Google Drive, which includes secure remote collaboration, a feature absent in Dropbox.
I would suggest taking each possible product for a test drive with a group of security-minded employees to see which best fits enterprise needs. Organizations must ensure a security policy is in place that covers data in the cloud and clearly communicate this policy to employees who will be using the service. Also note that not every employee will need a cloud storage account.
This was first published in February 2014