Box, Dropbox, or drop both?

"There are four critical questions every enterprise and IT administrator should ask when considering file sharing services," says Adam Gordon, author of "Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)." These include: Where will the service store and share files? Who will view the files? How will the service protect the files? And, what types of files will the service permit in the storage system? If a service provider doesn't respond satisfactorily, CISOs should consider their options.

CSO decided to measure the security of Box and Dropbox using these questions. Does either meet enterprise security standards for cloud-based file sharing? Judge, dear reader, how each application stands up under scrutiny.

File storage requirements

File sharing services store data outside corporate IT, where enterprises can lose control of it. Enterprises cannot ensure service uptime, file availability, or even that the service will not shut down altogether.

"This exact circumstance left customers of the Megaupload file sharing service virtually stranded, without access to files in the service's cloud environment, regardless of their legitimate and proper use of the service," says Gordon. These situations leave customers wondering who has access to their files and whether someone will delete them.

Box assures enterprise customers with an SLA guarantee of 99.9% uptime, maintaining that uptime in several ways and offering customer account credits where it fails. "First, we have a single infrastructure serving all our customers at all paid levels. We deploy the highest quality networking and services at a much bigger scale, which allows us to offer enterprise protection more efficiently," says Grant Shirk, group product marketing manager, enterprise, Box.

That infrastructure spans four geographically dispersed locations including three primary data centers. "We select colocation facilities with the highest levels of service bandwidth and disaster avoidance for these data centers," says Shirk. A fourth facility offers emergency backup storage for encrypted binaries so Box can restore from that location.

Dropbox offers uptime guarantees, but doesn't share them publicly. "We provide uptime or SLA guarantees in specific commercial contracts," says Cory Louie, Head of Trust, Safety, & Security, Dropbox. Dropbox stores customer data on Amazon S3 and mirrors encrypted file data in colocated data centers. Dropbox currently stores all customer data inside the U.S.

Who has access?

Cloud file sharing services must protect the access rights of individual accounts. But Box enables account managers to roll employees' free accounts into the enterprise's business accounts.

"Businesses with a large number of employees who are currently using Box as free users will often formalize their relationship with Box and roll the free users into a corporate account to gain access to additional features," says Gordon. Sometimes these free users include external collaborators who are not employees. This scenario leads to a variety of undesirable complications.

A collaborator account that an enterprise should not manage could end up rolled in with the employees, according to Gordon. Collaborators can end up having their accounts managed by the enterprise without their knowledge or consent. Unauthorized people may end up sharing their data, and they may expose that data in any number of ways or delete it.

Though there was just such an incident, Box has taken measures to ensure that it will not repeat itself. "Our security and compliance teams walked through our processes for managing users and added controls to the system to ensure that this cannot happen again," says Shirk. "We added controls to make sure that no one rolls in accounts without the understanding and knowledge of both parties -- the account holder and the organization."

Cloud data services such as Dropbox offer an easy portal for data theft, according to Gordon. "Companies may want to keep an especially tight leash on contractors in restricting their access to future Dropbox business accounts," says Gordon.

But Dropbox guards against inappropriate access using two-factor authentication and identity and access management tools of the customer's preference, which Dropbox integrates into its application. "We have built integrations into the leading identity providers or federated identity providers like Okta, Ping Identity, OneLogin, and Centrify. It's all standards based so we can work with any kind of IAM tool that an enterprise uses," says Ross Piper, Vice President of Enterprise Strategy, Dropbox.

How they protect your files

Box transmits files using SSL encrypted sessions and encrypts files at rest using 256-bit AES encryption, according to Shirk. Box is ISO 27001 certified and offers its SSAE 16 SOC 2, Type 2 report, which replaces SAS 70 as evidence of meeting enterprise security and compliance standards. Box is working on industry-specific frameworks such as compliance with PCI and HIPAA. Box can help companies achieve compliance with HIPAA while using its service, according to Shirk.

Dropbox supports TLS 1.0 through 1.2 and SSL v3 for data in transit. "This creates a secure tunnel that up to 256-bit encryption protects," says Louie. The encryption level depends on the level negotiated with the client. Dropbox also uses a 256-bit AES cipher for data at rest. In addition, Dropbox splits the files. "We anonymize each of those file pieces or b-file blocks with a hash value. We then encrypt those hashed file blocks separately and store the encryption keys separate from the encrypted file blocks," says Louie.
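The block-level scheme Louie describes (split the file, identify each block by a hash, encrypt each block separately, keep the keys away from the ciphertext) is easier to reason about with a working model. The following is an added example written for this article; it is not Dropbox's code and makes no claim about Dropbox's actual implementation. It assumes a 4-byte block size so the deduplication is visible on short input, and, because the Python standard library ships no AES, it substitutes a SHA-256 counter-mode keystream for the 256-bit AES cipher the article names; a real deployment would use an authenticated AES mode.

```python
import hashlib
import hmac
import secrets

# Assumption for this demo: tiny blocks so deduplication shows on short input.
# Production block sizes are on the order of megabytes.
BLOCK_SIZE = 4


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256: SHA-256 run in counter mode and XORed over data.
    Used only so the example runs on the standard library; not a real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class BlockStore:
    """Models two separate back ends: a store of encrypted blocks (what an object
    store such as S3 would hold) and a separate key store. Compromise of the
    block store alone yields content hashes and ciphertext, never plaintext."""

    def __init__(self):
        self.blocks = {}  # block_id -> (nonce, ciphertext, integrity tag)
        self.keys = {}    # block_id -> per-block key, held by a different system

    def put_file(self, data: bytes):
        """Split, hash, encrypt and store; return the ordered list of block ids."""
        ids = []
        for offset in range(0, len(data), BLOCK_SIZE):
            chunk = data[offset:offset + BLOCK_SIZE]
            # The content hash is the block's identity: the block store never
            # sees a filename or owner, only this value.
            block_id = hashlib.sha256(chunk).hexdigest()
            if block_id not in self.blocks:  # identical blocks are stored once
                key = secrets.token_bytes(32)
                nonce = secrets.token_bytes(16)
                ciphertext = keystream_xor(key, nonce, chunk)
                tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
                self.blocks[block_id] = (nonce, ciphertext, tag)
                self.keys[block_id] = key
            ids.append(block_id)
        return ids

    def get_file(self, ids) -> bytes:
        """Reassemble a file, refusing any block that fails its integrity check."""
        out = bytearray()
        for block_id in ids:
            nonce, ciphertext, tag = self.blocks[block_id]
            key = self.keys[block_id]
            expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError(f"block {block_id[:8]} failed integrity check")
            chunk = keystream_xor(key, nonce, ciphertext)
            # Belt and braces: the decrypted block must match its own id.
            if hashlib.sha256(chunk).hexdigest() != block_id:
                raise ValueError(f"block {block_id[:8]} does not match its hash")
            out += chunk
        return bytes(out)


if __name__ == "__main__":
    store = BlockStore()
    sample = b"attack at dawn! attack at dawn!"  # constructed sample input
    ids = store.put_file(sample)
    print(len(ids), "blocks,", len(store.blocks), "unique")
    assert store.get_file(ids) == sample
```

Two properties worth noticing when evaluating a provider that describes its storage this way: the block store on its own holds nothing a thief can read, and any modification of stored ciphertext is detected at read time. The trade-off is that content-hash identifiers reveal when two customers hold identical blocks, which is what makes deduplication possible in the first place.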

"We have a current SOC 2/type 2 report available to our customers by request," says Louie. "We're going to maintain that and be subject to audit at least on an annual basis." The Dropbox compliance roadmap also includes plans to earn the ISO 27001 2013 certification this year, according to Piper.

If an enterprise customer wants to use Dropbox in compliance with regulations such as HIPAA and FIRPA, third-party developers offer applications that work with Dropbox, and some of those applications help organizations meet those specific regulatory requirements, according to Piper.

Kinds of data permitted

Hackers could create "floating" attack staging platforms inside these file sharing services. Due to the nature of these file sharing services, says Gordon, they heavily defend customer files from the outside in, but don't examine them as carefully from the inside out.

"Specifically, due to a desire to be all things to all customers, many of these vendors follow a guiding business principle to acquire ever larger shares of the customer segments that they target by allowing almost totally unrestricted content storage within their systems. Some of that content can be highly toxic and lethal," explains Gordon.

Hackers can easily store and share malware in these systems. "Since these systems are often used without the oversight and knowledge of IT and apart from compliance functions within the enterprise, the services can bypass the most basic elements of user awareness and oversight in favor of ease-of-use and flexibility," says Gordon.

But according to Box, its various controls make floating attack platforms inside the service highly unlikely. "While Box does not restrict the kinds of files customers can upload, Box is not a live, runtime environment. Scripts and executables cannot run within the platform," says Shirk. Further, Box enables customers to run A/V scans on Box content to mitigate any potential for infection. "And, we restrict file conversion and interpretation only to known file types (.doc, .txt, .xls, etc)," says Shirk.
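Shirk's two controls, no runtime for uploaded content and conversion only for known file types, amount to an upload-vetting step that decides what the platform may interpret. The following is an added example of such a gate, written for this article rather than taken from Box or Dropbox; the file-type allowlist, the magic-byte table and the sample file heads are all constructed here. It sniffs content rather than trusting the extension, so a file named `notes.txt` that actually begins with a Windows executable header is set aside for A/V review instead of being passed to a converter, while unknown types are stored without being interpreted.

```python
import os

# Leading bytes of common container formats (constructed table for this example).
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc / .xls
    b"PK\x03\x04": "zip",                          # OOXML .docx / .xlsx
    b"%PDF-": "pdf",
    b"MZ": "pe",                                   # Windows executable
    b"\x7fELF": "elf",                             # Linux executable
}

# Extensions the platform is willing to convert or preview, and the content
# each one must actually contain. Anything else is stored but not interpreted.
ALLOWED = {
    ".doc": {"ole2"}, ".xls": {"ole2"},
    ".docx": {"zip"}, ".xlsx": {"zip"},
    ".pdf": {"pdf"}, ".txt": {"text"},
}

EXECUTABLE = {"pe", "elf", "script"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes. Magic numbers are checked before
    the text heuristic because b"MZ..." also decodes as valid UTF-8."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data.startswith(b"#!"):
        return "script"
    if b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown"


def vet_upload(filename: str, data: bytes):
    """Return (decision, reason). The file is always accepted into storage;
    the decision only governs whether the platform may interpret it."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if kind in EXECUTABLE:
        # Never converted; flagged so the customer's A/V scan sees it first.
        return ("quarantine", f"executable:{kind}")
    if ext not in ALLOWED:
        return ("store-only", kind)
    if kind not in ALLOWED[ext]:
        # Extension and content disagree: treat as suspicious, not as a .txt.
        return ("quarantine", "mismatch")
    return ("convert", kind)


if __name__ == "__main__":
    samples = [  # constructed file heads, not real uploads
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("memo.txt", b"Quarterly numbers attached.\n"),
        ("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),
        ("sheet.xlsx", b"%PDF-1.4\n"),
        ("firmware.bin", b"\x00\x01\x02\x03"),
    ]
    for name, head in samples:
        print(name, "->", vet_upload(name, head))
```

The gate is deliberately permissive about storage and strict about interpretation, which mirrors the distinction Shirk draws: a file sharing service can hold anything, but what it parses, renders or converts is where a hostile upload gets its chance to execute.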

Dropbox, however, doesn't take as many precautions as Box does. Though Dropbox can store any file type, Dropbox users agree to not misuse the service, according to Louie. "We review reports of abuse and violations of acceptable use policies and take appropriate action when necessary," says Louie.

Stories by David Geer