Here’s what businesses and consumers can do to protect themselves from a security breach like the latest one at Dropbox.

Cloud security dos and don’ts after the latest Dropbox breach

The bottom line with free cloud-based storage services like Dropbox is that you get the type of security you pay for with them, a Toronto security expert warns.

And since those services are absolutely free, users shouldn’t expect them to be secure – even though they’re popular, easy to use and look incredibly secure, said Stephen Perciballi, security practice lead at Toronto cloud services provider Softchoice.

“There’s a perception out there that (these free services) are secure because people see the slick branding of the product and see that it works very well on their computers,” Perciballi said. “Then they see this company has created an Android app or an iPhone app. So the fact that this company has made this service so easy to use and is offering so much for free, well it must be (secure), right?”

Dropbox acknowledged this week that thousands of its users had spam sent to other accounts that were linked to their Dropbox accounts. An investigation found that a Dropbox employee had his password stolen for a non-Dropbox account. The thieves then used that password to hack into his Dropbox account, which contained a document with Dropbox user email addresses in it. Those email addresses were used to send massive spam messages to accounts owned by Dropbox users.

It was the second serious security breach reported at Dropbox. Just over a year ago, the company accidentally turned off its password authentication system, allowing anyone to access Dropbox user files without a password.

After the latest breach, Dropbox said it will adopt three main security measures to prevent future incidents: create a page that lets users track their login history for suspicious activity, put in place further unspecified mechanisms to spot suspicious account activity, and implement a two-factor password authentication process for all its employees to use internally. The latter process usually involves users putting in their password, plus a second step to verify their identity, such as a fingerprint or retinal scan sample or a random number generated on their smartphones for each login, Perciballi said.

Of those initiatives, Perciballi said the two-factor authentication is the most secure option, but suggested Dropbox could have gone further by requiring it for all Dropbox account users, not just its own employees.

“I’d love to see more of this,” Perciballi said. “The only (company) I’ve seen do that is Google, they offer two-factor authentication (free for all users). Dropbox is saying they’ll offer it, but only internally.”

There are steps users can take on their own to bolster security for their accounts with Dropbox or other free cloud storage services. Perciballi said enterprise users should adopt a company-wide data loss prevention solution that encrypts all sensitive information or automatically prevents it from being stored in a Dropbox-type of service altogether.

Consumers without access to encryption have fewer options, he said, other than trying to manage the passwords for all their different accounts as safely as possible. With so many passwords these days, that’s getting tougher to do, he said.

Password overload

“We have way too many user names and passwords. Now I probably have 30 of them. So we get into this situation where these customers are using the same user name and password on everything or on multiple sites and if it gets stolen once, it gets stolen everywhere. So two-factor authentication is really the key thing.”

With few free service providers offering two-factor sign-ins aside from Google, consumers are basically stuck to fend for themselves. Though many people are using services like LastPass to automatically generate and manage multiple passwords, those systems are “even worse” than managing passwords yourself because all of your passwords can be compromised at once rather than separately over time, Perciballi said.

“What if LastPass gets hacked? It’s super convenient but I don’t know what they’re doing to secure that data. So why would I store all my passwords there?”

As free services continue to grow in popularity, people are actually paying less heed to security risks because all those freemium services are just so easy to sign up for and use, he added.

“Data is the sole reason that you spend so much money on IT and IT security. So the fact that you’re now giving up a lot of those rights to properly secure, transmit and store that data, you’re giving that all up to use this app – that is what’s so shocking to me. We spend millions of dollars on IT and then we go and give it all away.”

Christine Wong is a Staff Writer at ITBusiness.ca and CDN. E-mail her at cwong@itbusiness.ca, connect on Google+, follow her on Twitter, and join in the conversation on the IT Business Facebook Page.