An interesting thing came to my attention last week when I was using a thumb drive to transport files back and forth between secure environments.  The thumb corrupted.  Fortunately, I only use thumbs for transport (not for storage), and I had the files available elsewhere for retrieval.  (For that matter, I was able to repair the thumb and its contents with a freeware utility – I had nothing to lose by trying).

But in relaying my experience to a Fortune 500 IT colleague and good friend, he mentioned something that concerned me – and I believe the concern may apply to a very wide audience.  When he travels for business, he relies on a site called Dropbox.com.  Basic Dropbox services are free:  That is, you can store up to 2 Gb of data for retrieval and swap.  However, a quick review of terms reveals this:

You acknowledge and agree that you should not rely on the Site, Content, Files and Services for any reason. You further acknowledge and agree that you are solely responsible for maintaining and protecting all data and information that is stored, retrieved or otherwise processed by the Site, Content, Files or Services.  Without limiting the foregoing, you will be responsible for all costs and expenses that you or others may incur with respect to backing up, and restoring and/or recreating any data and information that is lost or corrupted as a result of your use of the Site, Content, Files and/or Services.

He, like many others employing sites like this, has not apprised his organization of his method for “transporting” files.  He travels to a city, retrieves critical files, and then flies on.  His content is on Dropbox, thus far readily accessible and ready for use in any city.  But… what if the Dropbox site is down someday?  What if Dropbox corrupts his files… or otherwise suffers a breach?  It would be awfully embarrassing to show up with the expectation by others that you “have the goods” – and you don’t.

Does his Fortune 500 employer know about, or even have a policy to preclude the reliance on, sites such as this?  Do other organizations have policies in place to define and either allow, or deny, use of these sites?  You must recognize that these sites don’t adhere to your organization’s standards of data control and security – unless by sheer coincidence:  And no responsible IT or business person/endeavor relies on coincidence. 

What of Dropbox’s own good faith and the good faith of its employees?  Who can know who might access corporate secrets and make exposure?  Here is Dropbox’s Security posture, from their Privacy Policy:

Security –

Dropbox is very concerned with safeguarding your information. We employ reasonable measures designed to protect your information from unauthorized access.

“Reasonable measures.”  In my mind, that is paltry and thin.  This is not to belabor a specific criticism of Dropbox (and there are many similar services out there).  The service they provide is a good one – but understand the limitations, the liabilities, and your own organization’s posture for relying on any outside services over which you have no real control – and by which you have no specific agreements regarding service levels, standards, and business recoveries. 

If you are using services such as these, outside the direct knowledge and permission of your organization, you should stop and either get clearance – or guidance for a sanctioned solution. 

If you are responsible for security postures within your organization, you must address situations like this immediately if you have not already.  You must make definitions of services – and what is allowable and what is not. 

Do it very soon.