With relatively recent high profile breaches like the iCloud affair still in our minds, it's time to take a long hard look at the risks posed by SaaS file sync and share (FSS) solutions. It's been said many times that such solutions are not secure – but let's go beyond the slogans, dissect what exactly they are doing that's so unseemly, and what conclusions businesses should draw from all this.
In order to understand the pattern, I've gone back over the past year or so to examine various incidents, and magically ended up with seven of them – and so I bring you the seven deadly sins of file syncing and sharing.
Hackers are lusting after your FSS data: As reported by a Google study early last year, and demonstrated also by a Dropbox disclosure in 2012, account hijacking is a common threat.
The possibilities for hackers are endless – in many cases they simply used the accounts to target users with spam, but given that FSS services sync files to your computer, access to accounts can easily be used to insert malware into users' PCs, or indeed for anything from keylogging to infiltrating enterprise systems. Naturally, the more widely used services are more likely to be targeted by hackers.
Your penance: There are ways to mitigate such risks, including user authentication using Active Directory integration, frequent password changes, as well as two-factor or multi-factor authentication methods, can all do a lot to prevent account hijacking.
Big Brother will gobble up your data: As was revealed by Edward Snowden, the National Security Agency's PRISM program taps into user data from a variety of US-based service providers including Apple, Google, and others. Dropbox has also been receiving requests for disclosure, and one can only guess how much data is collected by other means that don't involve the NSA asking nicely.
Your penance: If you want to make your files less appetising and less accessible to intelligence agencies, you can either go completely private on your own infrastructure, or use a cloud service that allows you to encrypt your data at the source and be the sole owner of the encryption keys.
Global encryption key, de-duplication across all accounts equals more money: Look at any FSS provider and they will tell you that your data is encrypted with military-grade encryption. That's about as useful as knowing that your house has a door and it's locked. But who holds the key? And how many other doors use the same key?
Dropbox was sued in 2011 for misleading users on security, and changed their security statement as a result. But the truth remains that they (and many other providers) continue to de-duplicate all files across user accounts to increase storage space utilisation and optimize their profit margins – pure and simple.
With companies like Box losing nearly $170 million (around £110 million, AU$220 million) in only 12 months, it's no surprise that SaaS vendors are feeling the pressure to make profits at the expense of your security. That may be okay for consumers – who cares if their photo of the Eiffel Tower is de-duplicated against the almost identical variations that millions of other people uploaded – but for enterprises this is unacceptable in terms of security and privacy standards, and could also raise serious compliance issues.
Your penance: Verify that your provider gives you control of the encryption keys.
Comfort trumps security: This one is on us, folks – the users. Almost all FSS providers have options for two-factor authentication and strong passwords that would have prevented breaches like the iCloud celebrity photo leak, but usually they don't enforce them. Therefore users take the path of least resistance and leave themselves vulnerable to breaches.