
IBM's Ban on Dropbox and iCloud Highlights Cloud Security Issues

Soulskill posted about 2 years ago | from the data-sovereignty dept.


IBM has forbidden its employees from using cloud-based services such as Siri, Dropbox and iCloud, according to reports. These products (along with many others) are presenting a challenge to IT administrators who want to keep their organizations secure, as well as to consumer-software developers who suddenly need to build features with both consumers and businesses in mind.


115 comments

Self-Serving? (4, Interesting)

Marillion (33728) | about 2 years ago | (#40110021)

While I'm not discounting the security concerns, we should also recognize that this is self-serving to IBM because it sells IT security consulting services.

Re:Self-Serving? (5, Interesting)

NeutronCowboy (896098) | about 2 years ago | (#40110179)

Yes, of course. At the same time, what would you have them do? Never mention anything about potential security holes, because it could be construed as a conflict of interest?

Here's the real question you need to ask yourself before putting anything in the cloud: do you trust them to be more competent than yourself at backing things up, providing uptime and securing the data? If you answer no to any of these questions, you have a reason to keep stuff in-house. Note: beware of Dunning-Kruger effect. If you answer yes to all three, you have no reason to keep things in-house.

What IBM has done is to say that they can do a better job securing their data than Dropbox and iCloud. Considering the rather significant breaches that have occurred at Dropbox, and the completely unknown state of data security in iCloud, IBM is spot on with their assessment. I would only put encrypted stuff on either, or stuff where I have no problem if people are snooping through it. Want to take a gander at my weekend pictures? Knock yourself out. Want to find out what my truecrypt file is about? Good luck with that.

Re:Self-Serving? (3, Interesting)

Anonymous Coward | about 2 years ago | (#40110343)

I have a better question to ask. Am I paying for this, or is it free, and what do I expect of a free service? If I am paying for it, what am I paying for? Convenience or security? If I am paying for convenience it's going to cost a lot less than if I am paying for a top secure cloud experience. If I'm going to put something on the cloud, is it encrypted already, as it should be, and why am I putting important information on the cloud and not on my own company's backup server, which should be how it's done.

I see IBM looking to bring out a high level expensive cloud service soon for their employees and for sale to corporations which is not what most cloud based services are in the business of doing right now.

Re:Self-Serving? (1)

dimko (1166489) | about 2 years ago | (#40110991)

If you answer no to all of those, probably you are incompetent and don't deserve your workplace in the first place, if you are in IT.

Re:Self-Serving? (1)

Anonymous Coward | about 2 years ago | (#40111315)

Damn you to hell for referencing something I didn't know. An hour ago I looked up Dunning-Kruger on Wikipedia and just realized as I was reading about iridium that I had wasted my entire lunch hour.

Re:Self-Serving? (3, Insightful)

mbkennel (97636) | about 2 years ago | (#40115241)

"Here's the real question you need to ask yourself before putting anything in the cloud: do you trust them to be more competent than yourself at backing things up, providing uptime and securing the data?"

Generally it is, yes, yes, and yes.

The final question: "Can you trust them to work as diligently as your employees to recover from some cock-up whose effective and immediate resolution is critical to your business?" "Or, conversely, is holding your most critical data hostage for predatory consulting rates their business model?"

Re:Self-Serving? (1)

Anonymous Coward | about 2 years ago | (#40110183)

That may be, and this may have some marketing tones to it, but it is still a valid security concern.

The list just continues to grow though ... Skype, Dropbox, Siri, Flash ... All opt in services and features, that make you less secure than if you didn't use them. Environment dependent, of course ....

Sorry, but it's hard to argue IBM is wrong here.

Re:Self-Serving? (1)

DJRumpy (1345787) | about 2 years ago | (#40113265)

Can't agree more, but any IS Security shop would have concerns about any cloud service, or the ability for employees to easily port data 'outside' of the company LAN/WAN. This is a common sense move, and speaks less about those specific services but rather more about controlling ANY data leaving the company firewalls.

For example, Siri must convert spoken words to text for many queries, which is a concern, just as it would be a concern to allow employees access to social networks, 3rd party email services, and certainly any cloud based service should be a no-no.

Re:Self-Serving? (5, Insightful)

gstoddart (321705) | about 2 years ago | (#40110201)

we should also recognize that this is self-serving to IBM because it sells IT security consulting services

Maybe yes, maybe no.

But the company I work for has banned DropBox and other things for some time. The problem with "the cloud" is you really don't know where your data goes, and you can't really be guaranteed of who might be accessing it.

So there's definitely a perception that unless you're dropping in strongly encrypted files, it's no longer secure. So depending on what it is, something like DropBox is potentially a bad idea.

I'll use DropBox to move around stuff that isn't sensitive, but anything proprietary or confidential, I just move it via another mechanism.

Also, since I do some occasional work for the Canadian government, I couldn't use DropBox or anything which might end up on a US server (so not even gmail) ... because under the Patriot Act, we have no guarantee that this data wouldn't become visible to American law enforcement. Which means I could be running afoul of Canadian privacy laws -- so by policy any service run by a US company, or in the cloud, is just something I can't use for work purposes.

Sadly, this is no different than the situation in which companies like Microsoft can either be in compliance with EU data laws, or in compliance with the US Patriot Act -- but not both. From a professional perspective, the US has made themselves and many of their corporations untrusted parties -- I just assume that since the US has given themselves legal rights to snoop without disclosure, they do. So it's just easier to treat them as a hostile entity who isn't trustworthy. And, considering that EU financial and air passenger data is handed to the US, I find it hard to go against that stance.

From a legal perspective, once something hits the cloud, you lose a lot of safeguards and access controls to it unless you implement them yourself.

In many cases, what IBM is doing is just sound business.

Re:Self-Serving? (1)

Vancorps (746090) | about 2 years ago | (#40110359)

I'll agree with your general principle. With applications like Truecrypt out there though you can still use these services without the worry of some entity making a copy and rifling through your stuff. Just put up your truecrypt file and you get all the convenience and almost none of the worry. The only problem becomes how you send your passphrase or whether you know your passphrase from memory.

Re:Self-Serving? (0)

Anonymous Coward | about 2 years ago | (#40110411)

You miss the point. A truecrypt volume of the data on a US server is still the data on a US server - and you're out of a job. Goodbye.

Re:Self-Serving? (1)

gstoddart (321705) | about 2 years ago | (#40110459)

Just put up your truecrypt file and you get all the convenience and almost none of the worry

From a legal perspective, I will opt to not use the cloud for work purposes. They can't crack the encryption if they don't have the files in the first place.

In theory what you propose would probably work ... in practice, it's only theory. :-P

I'll stick with old fashioned access-based security, especially since it would be me who would take the risk for saying "oh, well this should work". Not using the cloud is less effort than trying to make it secure.

Re:Self-Serving? (0, Offtopic)

Anonymous Coward | about 2 years ago | (#40110439)

Whoa, wait a minute. Canada isn't a state?

Re:Self-Serving? (1)

Obfuscant (592200) | about 2 years ago | (#40110785)

... because under the Patriot Act, we have no guarantee that this data wouldn't become visible to American law enforcement.

Ummm. Asking a question here. What does the Patriot Act have to do with anything? Does a US citizen using a Canadian server have any guarantee that his data won't become visible to Canadian law enforcement? Do you not have search warrants in Canada? Can Canadian law enforcement not walk into a Canadian court and say "we have evidence of illegal activities on this server, we need a search warrant so we can look at everything..." and get access to whatever data I have on that server, whether or not it is illegal?

If you cannot guarantee that Canadian law enforcement won't get access to my data there, and you have a similar lack of guarantee for your data here, then just how does the Patriot Act (which you don't have there) play any part? A lack of guarantee is a lack of guarantee.

Now, I understand that your laws regarding search may (or may not) take into consideration your data privacy laws while our laws on search would, naturally, ignore them. But it would be all of our laws, not just the Patriot Act, that would ignore Canadian data privacy laws for data that is located on US-based servers. Again, if the Patriot Act is irrelevant to this, how is it relevant?

Re:Self-Serving? (4, Informative)

gstoddart (321705) | about 2 years ago | (#40111081)

Ummm. Asking a question here. What does the Patriot Act have to do with anything?

The difference being you'd need to go to court to get a warrant, and I believe there would be a legal opportunity to be notified of this. If Canadian law enforcement accessed your data, you could legally know about it.

The Patriot Act basically says they can demand it, with very little legal support, and it is against the law to tell someone that their data has been accessed from your servers under this request.

So, it comes down to the US having granted themselves access to any and all data from a US owned company or US hosted server ... and made it illegal to disclose that access has happened.

If that data access comes under the guise of secrecy and not going through the normal courts, you'll never know it happened.

As I said, those provisions of the Patriot Act give access that concerns a lot of people ... see here [zdnet.com] .

So, based on what I've read, and what I've been told by corporate policies ... for anybody who isn't in the US, America and American owned companies are completely untrustworthy since the law reads like it bypasses local laws when it comes to data security and privacy.

Now, for a bit of balance the other way, I see that people are starting to say the Patriot Act isn't so intrusive [pcworld.com] and this is all blown out of proportion.

But, until I see company and legal policies changing here in Canada, I will continue to treat data being put into a US server as a stupid idea, and I will continue to treat those entities as hostile and not trustworthy.

Since I'm not a lawyer, and I don't have anything to gain by suddenly trusting these entities, if I stick with this, I'm in compliance with company policy. I'll just err on the side of caution -- not trusting the US government is just a bonus at this point.

Re:Self-Serving? (1)

Obfuscant (592200) | about 2 years ago | (#40111805)

If Canadian law enforcement accessed your data, you could legally know about it.

After it happened. If you disclose to your target that you are seeking a search warrant, especially for a computer that can be accessed remotely, they'll just delete anything they don't want you to see. Much better to be charged with obstruction than possessing CP, isn't it?

But in neither country is there any guarantee that law enforcement will not have access to your data. Your only point is that in the US they won't tell you that they have gotten access, but that doesn't change the fact that they've accessed it.

I don't think the OP's issue was that he wouldn't be told about law enforcement access to his company's data, but that there could be access in the first place. The Patriot Act doesn't have anything to do with it, since in neither country is there any guarantee.

Car analogy? Well, if you are going to accuse Ford of being untrustworthy because they won't guarantee the tires on your new Ford car for 100,000 miles, then you should realize that this lack of trust should apply to Chevy, Fiat, Mercedes Benz, and every other car company. There is no guarantee.

I'll just err on the side of caution -- not trusting the US government is just a bonus at this point.

And you trust the Canadian government? What guarantee do you have that law enforcement will not get your data in Canada? Is your only real concern that they must tell you they've copied your entire disk after they do it? Does that make it better?

Re:Self-Serving? (1)

Anonymous Coward | about 2 years ago | (#40111261)

Canadian law enforcement certainly can obtain data from servers, however the following has to be met:

A warrant is required. The filing of the warrant also requires a limitation to what is being searched, and how the data is to be destroyed after use (or, at the very least, the retention policy).

The US Patriot Act (as far as I can tell - I'm a dipshit Canadian) simply allows the FBI to request access to any (or all) electronic records without oversight. The mention of receiving a national security letter is illegal, while the warrant process has a paper trail and full disclosure to what was being searched.

The PIPEDA act in Canada has very strong personal protections in place, and isn't a joke act. There have been several examples (I'm too lazy to look them up) of Canadian companies changing their privacy statements because they use hosting services in the US, or rent server storage from a US company.

Re:Self-Serving? (1)

Obfuscant (592200) | about 2 years ago | (#40114145)

The US Patriot Act (as far as I can tell - I'm a dipshit Canadian) simply allows the FBI to request access to any (or all) electronic records without oversight. The mention of receiving a national security letter is illegal, while the warrant process has a paper trail and full disclosure to what was being searched.

According to the fount of all knowledge, the venerable Wikipedia, the NSL part of the Patriot Act was ruled by a court as unconstitutional and the amended version was also struck down.

The PIPEDA act in Canada has very strong personal protections in place, and isn't a joke act.

That may be, but it has no standing in any country outside Canada. If your fear of loss of data control is based on the foreign country not obeying PIPEDA, then you must fear them all, not just the US. The Patriot Act has no relevance to whether PIPEDA is obeyed in the US or not.

This appears to be more scare mongering trying to pin the big bad tail on a donkey that doesn't live in the US alone, but applies to all countries. There are no guarantees in any country that your Canadian data will not be seen by law enforcement. Not even in Canada itself.

Re:Self-Serving? (1)

Anonymous Coward | about 2 years ago | (#40110301)

You can view the announcement as self-serving, but to be fair, the ban is for their employees. I'm sure many other workplaces have policies on what data (if any) can be uploaded to which clouds (if any).

Re:Self-Serving? (4, Informative)

CannonballHead (842625) | about 2 years ago | (#40110323)

How is it self-serving? Keeping your employees from using non-internal storage services for confidential data... I guess that's self-serving in the "protect your assets/intellectual property" way, but forbidding your employees from using external companies for storage of confidential data is hardly self-serving. It's right up there with making your employees password and/or encrypt their work laptops... :)

Not the first or only (5, Informative)

Anonymous Coward | about 2 years ago | (#40110035)

My company deals with financial services. We are not allowed to access Dropbox either. Nothing like sharing personally identifiable client data across someone else's network. This is a violation of all sorts of laws, so yeah, it makes sense to deny employees access to shared drives outside the company's purview.

Re:Not the first or only (3, Informative)

Hatta (162192) | about 2 years ago | (#40110113)

Nothing like sharing personally identifiable client data across someone else's network.

Have you ever used a VPN? Then you've done exactly that. It's just encrypted. Dropbox is similarly secure if you store an encrypted container.

Re:Not the first or only (4, Insightful)

betterunixthanunix (980855) | about 2 years ago | (#40110225)

Dropbox is similarly secure if you store an encrypted container.

This is not officially supported by Dropbox, however, and is very much ad-hoc. It also requires the user to take the time to configure such a system, unless your IT staff is going to do it for you, and even then you have the problem of users trying to use Dropbox for things that IT did not set up for them. Anything that adds hurdles to people doing their work is a potential security problem; it is easier to simply ban dropbox entirely than to have a policy that requires people to try to do things manually.

Re:Not the first or only (2)

mcwop (31034) | about 2 years ago | (#40110313)

That is key, IT has not set up easy to use file sharing, so people turn to Dropbox. IBM should implement an official one that works well. It could be a different provider like Box, or another. But give EEs the ability to use things to do their job easier, while maintaining security.

Re:Not the first or only (1)

Attila Dimedici (1036002) | about 2 years ago | (#40112419)

How do you know that IBM has not implemented an official file sharing system? As to whether or not it is easy is another question. However, my experience is that easy and secure rarely go together. That is not to say that a secure file sharing system has to be hard, but knowing the way most people think, I doubt you could make one they think of as "easy" that was secure because in order for it to be secure it requires the user sharing out the file to give information to the parties receiving the shared file some information about accessing the secured file outside of the file sharing system and only to those parties entitled to see this particular file. The way an easy system would work is that I would give you the access information once and then every time I upload a file you can access it. The problem with that is that most people would not bother to change the access information when they are uploading information that should not be accessed by some of the people they had been sharing with on the last project they worked on.

Re:Not the first or only (1)

roundscimitar (2475882) | about 2 years ago | (#40111737)

if you're concerned about encryption in the cloud check out truefriender [truefriender.com] . Full disclosure, I created truefriender specifically for this purpose and the way I've implemented the algorithms I can't see your data without your private key.

Re:Not the first or only (1)

betterunixthanunix (980855) | about 2 years ago | (#40113817)

Is there a no-javascript version, or some way to read over the technical details without needing to go through layers of javascript?

Re:Not the first or only (2, Insightful)

Anonymous Coward | about 2 years ago | (#40110327)

Nothing like sharing personally identifiable client data across someone else's network.

Have you ever used a VPN? Then you've done exactly that. It's just encrypted. Dropbox is similarly secure if you store an encrypted container.

No, Dropbox is *nothing* like a vpn with an outsourced storage provider. And they won't ever be, unless they start signing NDAs and confidentiality agreements with companies.

Re:Not the first or only (1)

Junta (36770) | about 2 years ago | (#40112397)

I think he's saying payload over dropbox is analogous to vpn over at&t. In the VPN case, you don't trust AT&T and use whatever VPN technology you want at either end to render the passing traffic undecipherable by at&t. Similarly, one could gpg a file, drop it on dropbox, and another could retrieve it, and un-gpg it. In this case, even if dropbox is a risk, the risk is greatly mitigated by the encryption that is performed outside of their framework.

Re:Not the first or only (1)

ThunderBird89 (1293256) | about 2 years ago | (#40110665)

When using VPN, you're likely in control of both endpoints. With Dropbox, you're in control of your end, but you can't say the same about Dropbox's end, so they may potentially do anything to your data. [tinfoil=1] Like discard the key, act like they encrypted the data, and return a bogus success message, keeping your data in the clear.[tinfoil=0]

So yes, this is a valid, though aggravating move.

Re:Not the first or only (1)

Hatta (162192) | about 2 years ago | (#40111233)

Like discard the key

Why would you give dropbox the key to the encrypted container with contents which you wish to keep secret from dropbox?

Re:Not the first or only (1)

ThunderBird89 (1293256) | about 2 years ago | (#40112347)

Um, my knowledge of encryption may be a little rusty. Don't you send the public key to Dropbox to have them encrypt the data you upload, and later use the private key to decrypt it?

Or am I misunderstanding you?

Re:Not the first or only (1)

Hatta (162192) | about 2 years ago | (#40112461)

No, you encrypt the archive on your own computer, and send the encrypted archive to dropbox. All they ever see is the encrypted archive. You can even use a symmetrical encryption method, since you won't be distributing your keys.

Re:Not the first or only (1)

ThunderBird89 (1293256) | about 2 years ago | (#40112639)

No fears in that case, then.

I never used Dropbox, so I assumed when people were talking about encryption that Dropbox automatically encrypts uploaded data, either with a self-supplied key or with one generated from your account password, and decrypts it for you upon later download. Which would be a potential data security breach. But uploading an already-encrypted file should be safe, since only the ciphertext may be stolen, and current encryption schemes can guarantee unbreakable security (unbreakable by the original definition of indéchiffrable, that is unable to be read by an unauthorized party before its significance expires).

Re:Not the first or only (1)

Junta (36770) | about 2 years ago | (#40112467)

If you are trying to apply VPN logic to dropbox, you're likely to be in control of all 'ends'. If you want to upload to some dropbox space intended for someone, you use their public key to encrypt it, before it ever leaves your machine. Dropbox servers see an opaque, encrypted blob. The holder of the private key later comes along and retrieves it, decrypting it on their box. That would be analogous to the VPN case.
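An added example, not code from any commenter, of the scheme Hatta and Junta describe above: the file is encrypted on the client with a symmetric key that never leaves it, and only the opaque blob is handed to the storage provider. It uses AES-256-GCM from Go's standard library; the file name and contents are constructed samples. Junta's public-key variant differs only in how the key reaches the recipient, not in what the provider sees.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is what the storage provider receives: a nonce and the authenticated
// ciphertext. Nothing in it is readable without the key held on the client.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a fresh 256-bit symmetric key. It is never uploaded.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and binds the file name into the
// authentication tag as associated data, so a blob that is swapped or renamed
// on the provider side fails to decrypt.
func Seal(key []byte, name string, plaintext []byte) (Blob, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Blob{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per blob
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	return Blob{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a blob fetched back from the provider. Any change to the
// nonce, the ciphertext or the name is rejected by the GCM tag check.
func Open(key []byte, name string, b Blob) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(name))
	if err != nil {
		return nil, errors.New("blob failed authentication: tampered, renamed or wrong key")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample file; in practice this is the file read from disk.
	name := "q2-forecast.xlsx"
	blob, err := Seal(key, name, []byte("constructed confidential contents"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d opaque bytes for %q\n", len(blob.Ciphertext), name)
	pt, err := Open(key, name, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key holder recovers: %s\n", pt)
	blob.Ciphertext[0] ^= 0x01 // simulate a corrupted or tampered download
	if _, err := Open(key, name, blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```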

Re:Not the first or only (1)

noh8rz3 (2593935) | about 2 years ago | (#40110289)

my company blocked the ports for dropbox so it won't sync while i'm at work. nothing special in terms of data; the it dept are *****.

Re:Not the first or only (4, Funny)

Anonymous Coward | about 2 years ago | (#40110341)

I give my IT department a 5-star rating, too!

Re:Not the first or only (0)

Anonymous Coward | about 2 years ago | (#40112083)

Out of a total possible 10 stars.

Re:Not the first or only (0)

Anonymous Coward | about 2 years ago | (#40112729)

I give my IT department a 5-star rating, too!

A+++++++++++++++++! Would ask for computer help again!

Re:Not the first or only (0)

Anonymous Coward | about 2 years ago | (#40110435)

Defense contractor - Dropbox (and all similar services) have been blocked for as long as I can remember.

Since before Dropbox existed, however, we have had an internal-only service called dropbox.

What Happened There (-1, Offtopic)

swanzilla (1458281) | about 2 years ago | (#40110069)

Did we just get fed a slashdot slashvertizement? Subtle...I was expecting "Timmy Visits Slashdot Business Intelligence."

Re:What Happened There (-1)

Anonymous Coward | about 2 years ago | (#40110705)

Posting anonymously. The slashdot janitors were told to push slash-bi (as in curious) and slash-cloud stories to the front page. If you threw /., the huffington post, and some PHBs in a blender... that's what the geek.net suits are shooting for. The slashdot janitors don't like it but they like being paid. I've been told this is the reason Rob Malda left.

Banned here too (1)

P-niiice (1703362) | about 2 years ago | (#40110123)

I work for a major provider of Bank software and services, and cloud services are banned here too. All data is encrypted here, and control of customer data is strictly kept.

Unrealistic (5, Interesting)

Anonymous Coward | about 2 years ago | (#40110135)

We have a similar ban in my company (Alcatel-Lucent). Of course, I can carry out gigabytes of information on a thumb drive or the laptop I take home every night, but while I'm at work I can't connect to DropBox. I hope IBM also jams cell signals because all someone has to do is plug an LTE dongle into their laptop and they are outside the corporate firewall. This is the Maginot Line of security.

Re:Unrealistic (1)

Anonymous Coward | about 2 years ago | (#40110245)

We have a similar ban in my company (Alcatel-Lucent). Of course, I can carry out gigabytes of information on a thumb drive or the laptop I take home every night, but while I'm at work I can't connect to DropBox. I hope IBM also jams cell signals because all someone has to do is plug an LTE dongle into their laptop and they are outside the corporate firewall. This is the Maginot Line of security.

You are missing the point entirely. The point is that those services leave the data sitting outside user control... no guarantee of encryption, the level of encryption or control of access. Once you give up access control it is only a matter of time before all defenses fall.

Yes, in this day and age you could walk out with gigabytes per trip of sensitive information, but it would be very easily tracked back to you. Going into the cloud makes it very difficult to track back to an individual, not to mention significantly more time consuming and expensive (court orders, search warrants, etc).

Re:Unrealistic (0)

Anonymous Coward | about 2 years ago | (#40110347)

Sure it's a Maginot Line, but if they did not have the policy it could not be enforced with termination and / or legal action. Now they can point to this policy and say this is the reason you are being let go, and if there was data that was compromised, sue the ex-employee for the damages. So just by having the policy it makes it not worth using DropBox etc on the part of the employee. Realistically IBM wouldn't need to even block anything on their network, just monitor it for compliance. That said, they could just only give thin client access to any important data and make sure that access is only granted via their internal network. On the other hand I think I saw a couple weeks ago that VMware is coming out with a DropBox clone that you can run in-house, so maybe IBM is doing the same thing and this is just what has been made public so far. At the end of the day though it's IBM's data so they can decide where it is stored. If they want their employees to be less effective because they took away a tool that they needed, it's their money that is being wasted.

- anon

Re:Unrealistic (0)

Anonymous Coward | about 2 years ago | (#40110477)

I think you are confusing policy with enforcement strategies here. Yes, you physically can carry all the data out of the company, but that would (rightfully) be you violating company policy and subject you to being fired and sued. The problem with the likes of DropBox is that people don't really think they are doing something wrong, so the company is making it clear by saying "Dropbox is bad". That is the main point. Any actual technical enforcement is just icing on the cake, and besides the point.

Re:Unrealistic (0)

Anonymous Coward | about 2 years ago | (#40116937)

Let me dig up the quote from someone high-up ad IBM (saw it on TheRegister.co.uk).

An internal survey of IBM workers discovered they were "blissfully unaware" about the security risks from popular apps, according to Horan.

Jeanette Horan, IBM's chief information officer.

Basically, if your employees are morons, your data is toast.

Re:Unrealistic (0)

Anonymous Coward | about 2 years ago | (#40117001)

...someone high-up AT IBM...
Sorry, can't type.

Re:Unrealistic (1)

Gilmoure (18428) | about 2 years ago | (#40110639)

Your company has decided that you, as an individual, are trusted with their data (not sure I would but I don't perform security background checks). So yeah, you could easily walk out with gigs of data. But they trust you. Now, if the data is place up on someone else's servers, the company has no way of knowing who has access to that data.

Re:Unrealistic (0)

Anonymous Coward | about 2 years ago | (#40110647)

Can't ban cell phone signals. It's illegal due to emergency needs. That's why you'll get arrested if you're caught using a cell phone jammer.

Re:Unrealistic (0)

Anonymous Coward | about 2 years ago | (#40110999)

Uh, no. You get arrested using a cell phone jammer because you do not have an FCC license to operate that transmitter. Just like you get arrested for operating any unlicensed transmitter in a licensed band.

Re:Unrealistic (0)

Anonymous Coward | about 2 years ago | (#40112657)

There are other (including Telecomms) companies that apply their security much more rigorously, e.g. restricting Internet access to machines not containing any confidential data, forcing employees to submit all mobile communications devices to security before entering the building and locking down access to USB ports. No system is 100% secure but the risk and the cost/effort are judged against each other based on how secure the data needs to be and how productive the employees need to be.

Ban the cloud? (4, Interesting)

tverbeek (457094) | about 2 years ago | (#40110177)

Since someone suggested Dropbox as a good place to put our disaster recovery documentation, my employer has started "raising questions" about it from a data-security perspective. After years of buying computers without floppies or optical drives, and locking down USB ports, he wonders if we ought to start blocking these services as well. He argues that with our corporate e-mail we at least have a record of it (and a chance to block it) if someone sends confidential information off-site, but not so with cloud storage. Personally, I think it's impossible to effectively secure against this without crippling legitimate business-related web access. I can think of several trivial ways to get information from a computer on our network to an outside host using just innocuous must-allow protocols, and without needing to install software on the secured machine... starting with any webmail or forum site that allows uploads of file attachments, to them newfangled "cloud drives", to setting up an FTP server that listens on port 80.

Re:Ban the cloud? (2)

Gilmoure (18428) | about 2 years ago | (#40110683)

Basic connectivity to such services can be blocked and policy of no use can be published but ultimately, there's no real way to keep a trusted employee from walking out the door with a butt-load of data.

Re:Ban the cloud? (3, Insightful)

bws111 (1216812) | about 2 years ago | (#40110865)

You are missing the point. This is just part of a policy for protection of internal assets. "Don't put confidential data where outsiders can get to it" is a perfectly reasonable policy. Implementing that policy means rules like "no data on DropBox" and "no confidential data on internet-facing servers" and "no services on internet-facing servers that would allow access to the internal network". Having been informed of those rules, if information is leaked because you violated the rules, you will be held personally responsible (fired and/or sued).

Of course it is always possible that some dope will intentionally leak information. These rules are not about that. These rules are in place so people don't make faulty assumptions about what is secure and what is not.

Re:Ban the cloud? (1)

TheTrueScotsman (1191887) | about 2 years ago | (#40111929)

A port is not a protocol. It's trivial to monitor port 80 (or 443, etc) and detect if FTP or SCP headers are passing through. You could, of course, come up with a completely encrypted customized protocol, but this can be flagged as well.

Re:Ban the cloud? (0)

Anonymous Coward | about 2 years ago | (#40112853)

OK: 1 method down, 372 to go.
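An added example (not from any commenter in this thread) of what "a port is not a protocol" looks like in practice: a first-bytes classifier of the kind an egress proxy or IDS runs over each new flow, fed constructed sample payloads. It recognises HTTP, an SSH version banner (SCP rides on SSH, so that banner is what an SCP session shows on the wire), a TLS ClientHello and FTP control-channel traffic, and falls back to a byte-entropy test so that a home-made encrypted protocol sitting on port 80 or 443 is flagged rather than waved through. The signatures, the per-port expectations and the sample flows are illustrative assumptions, not an exhaustive ruleset.

```python
"""Classify TCP payloads by content rather than by destination port.

Added example. The protocol signatures, the per-port expectations and the
sample flows below are constructed for illustration and are not exhaustive.
"""
import hashlib
import math
import re

# First-bytes signatures for the protocols a corporate egress point sees most.
HTTP_REQUEST = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/\d\.\d\r\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/\d\.\d \d{3} ")
SSH_BANNER = re.compile(rb"^SSH-\d\.\d-")           # SCP/SFTP sessions start with this
FTP_REPLY = re.compile(rb"^\d{3}[ -][^\r\n]*\r\n")   # e.g. "220 ... ready\r\n"
FTP_COMMAND = re.compile(
    rb"^(USER|PASS|ACCT|CWD|QUIT|PORT|PASV|EPSV|TYPE|RETR|STOR|LIST|NLST|PWD|SYST|FEAT|DELE|MKD)( |\r\n)"
)

# What each must-allow port is expected to carry on this (hypothetical) network.
EXPECTED = {80: {"http"}, 443: {"tls"}, 21: {"ftp"}, 22: {"ssh"}}

ENTROPY_MIN_BYTES = 256   # below this, log2(len) caps the entropy and the test is meaningless
ENTROPY_THRESHOLD = 7.2   # bits per byte; uniformly random data scores about 7.95 at 4 KiB


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the payload's byte-value distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record: type 0x16 (handshake), version 0x03 0x00-0x04, 2-byte length, then handshake type 0x01."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01


def classify_payload(data: bytes) -> str:
    """Label the first bytes of a flow (client request or server greeting)."""
    if HTTP_REQUEST.match(data) or HTTP_RESPONSE.match(data):
        return "http"
    if SSH_BANNER.match(data):
        return "ssh"
    if is_tls_client_hello(data):
        return "tls"
    if FTP_REPLY.match(data) or FTP_COMMAND.match(data):
        return "ftp"
    if len(data) >= ENTROPY_MIN_BYTES and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy"   # encrypted or compressed, and not a protocol we recognise
    return "unknown"


def audit_flows(flows):
    """flows: iterable of (server_port, first_payload). Returns [(port, label, flagged)];
    flagged is True when the content does not match what that port is supposed to carry."""
    results = []
    for port, payload in flows:
        label = classify_payload(payload)
        results.append((port, label, label not in EXPECTED.get(port, set())))
    return results


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output, so the sample is reproducible."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample flows, as an egress sensor would see them.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (80, b"USER anonymous\r\n"),                       # FTP client talking to an FTP daemon bound to port 80
    (80, b"220 files.example FTP server ready\r\n"),   # that daemon's greeting
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0xA5, 0x01, 0x00, 0x00, 0xA1, 0x03, 0x03]) + b"\x00" * 32),
    (443, pseudo_random(4096)),                        # custom encrypted protocol hiding on the HTTPS port
    (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]

if __name__ == "__main__":
    for port, label, flagged in audit_flows(SAMPLE_FLOWS):
        print(f"port {port:>3}  {label:<13} {'FLAG' if flagged else 'ok'}")
```

Run as written, audit_flows(SAMPLE_FLOWS) flags the FTP login and greeting on port 80 and the opaque high-entropy stream on 443, while passing the ordinary HTTP, TLS and SSH flows. In a real deployment this is one signal among several: a short first packet does not carry enough bytes for the entropy test, and legitimate compressed uploads look just as random as a custom cipher, so the high-entropy label is a reason to look closer, not a verdict.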

Really, Slashdot? (-1, Offtopic)

Aphonia (1315785) | about 2 years ago | (#40110185)

Why is on front page slashdot when it just re-iterates a previous front page slashdot?

Basic security principle. (1)

Anonymous Coward | about 2 years ago | (#40110199)

So, they're saying not to leave possibly sensitive information in the hands of 3rd parties where they have no real way of guaranteeing security?
Not exactly rocket science, guys.

If it were my job to set data security policy I sure as hell would not let my employees use dropbox. Especially in an organization that has a hit squad of lawyers commonly known as the 'Nazgul'.

Standard in Secure Environments (1)

Gonoff (88518) | about 2 years ago | (#40110209)

I work in IT in a (UK) hospital. We are extremely "enthusiastic" about security. We were thinking about this sort of thing some time ago and then it was decided at the top that we would ban Skydrive immediately and other clouds have been added to our list since.

This is not always well received but this is the nice thing about policies. They apply to everyone and the higher they come from, the less can some manager make an "exception" where they see the need.

What Happens If It Rains? (1)

RobertLTux (260313) | about 2 years ago | (#40110857)

this is the biggest question of any "Cloud" service phrased in a PHB friendly way. Now of course the details are a lot longer but IBM has basically said "Lets stay Inside and make sure we stay dry".

Does anybody know of a "CloudStack" that allows for a business to run a relay/inside server??

Re:Standard in Secure Environments (0)

Anonymous Coward | about 2 years ago | (#40114271)

"Enthusiastic". But not necessarily competent.

I've read, understood, and am bound by the Caldicott principles. And I've spent the last 25 years working with patients in a UK hospital. Try abiding by the principles and actually doing your job when you have patients to work with. And might just want to tell others legitimately concerned with the care of said patient. If it goes over a phone line, let alone any other method of communication, it isn't happening. And this was the case 25 years ago. I've had a lot of grief over this, but there is a lot of stuff I won't talk about over a(n internal|) phone.

All cloud stuff, webmail, installation of anything, etc. etc. is banned. But I can receive (unencrypted) work email remotely. I may be careful about what I send, Others aren't.

Then look at the Knowledge and Skills Framework stuff and where it is processed. This is heading for the Information Commissioner - and not the lickspittle UK one.

Of course, they never ask why EEs use these (4, Insightful)

mcwop (31034) | about 2 years ago | (#40110231)

Employees often use these tools because IT does not provide their employees with good USABLE solutions. When IT's answer to everything requested by employees is SharePoint, then EEs turn to other solutions. I can Citrix in, which is a lame experience, or use something like Zoho, which is an awesome experience from a user perspective. Obviously, any solution needs to be vetted, but employees want things that work great, like many of the consumer products they use personally.

Re:Of course, they never ask why EEs use these (1)

SQLGuru (980662) | about 2 years ago | (#40110533)

A lot of times IT hasn't provided a solution because it hasn't been a business priority......or falls so low on the cost to benefit ratio. Show a valid business need with measurable benefits and get your executives to sponsor a project to develop a solution.

Re:Of course, they never ask why EEs use these (1)

joebagodonuts (561066) | about 2 years ago | (#40111353)

I know your response is the "correct" one, but people realistically don't have that much time. Ideally their time is supposed to be spent productively, not bureaucratically.

I'm thinking about the quote from the Jurassic Park: "No, I'm, I'm simply saying that life, uh... finds a way. " People will find a way around perceived road blocks, much to the consternation of IT. Absolute control fails absolutely.

Re:Of course, they never ask why EEs use these (1)

bensode (203634) | about 2 years ago | (#40110649)

"IT does not provide their employees with good USABLE solutions"

Also can be translated as

"IT cannot provide their employees with good USABLE solutions".

Not all of us are elitist-gold-plated-my-way-or-the-highway IT guys. Don't let a lack of resources and/or funding get in the way of the rant that all IT departments are incompetent, lazy and completely against user productivity.

Re:Of course, they never ask why EEs use these (3, Insightful)

mcwop (31034) | about 2 years ago | (#40110879)

It has nothing to do with lazy or incompetence, lack of funding, lack of resources, and it has nothing to do with being against productivity, it is the biases in solutions. One example is the anti-mac thing that still exists, however the iPhone really upset that apple-cart. However, I would say this is all changing and cloud and consumerization of enterprise solutions is forcing the change.

Re:Of course, they never ask why EEs use these (0)

Anonymous Coward | about 2 years ago | (#40111845)

I have never come across an internal IT department that isn't useless anywhere I have worked.

Maybe they do exist.

(I would say I am a UNIX guy primarily but I have done Windows stuff).

It seems like internal IT just doesn't do anything properly.

I did an IIS project and learnt vbscript from scratch / how to use the IIS objects and ntfs ACL's

(My goal was to be able to setup extra boxes automatically and integrate with existing perl webshop etc etc)

This was ages ago. (Windows 2000 Server).

The I Love You virus: it took internal IT weeks to get it off the Exchange server.

Whereas it took me less than half an hour to clear all our dial up customers mailboxes.

(I have also come across ace Windows contractors (Who can use UNIX pretty well as well))

Permanent internal IT staff seem to universally suck though.

(Could be the powers that be telling them what to do. If I was in their position and someone wanted something legal (e.g. OSS or freeware) and it could be of any use, I would let them have it. And I would have a way of keeping track of it all and making sure that if their machine was reimaged it was put back, etc., without any fancy management software. If they have that, then there really is no excuse for being so lame.)

Trust (3, Insightful)

StikyPad (445176) | about 2 years ago | (#40110241)

Ironically, IBM is probably providing a lot of the hardware and software that run these farms. Of course, it still comes down to trusting another company with access to your vital information. This has been the obvious Achilles heel in "cloud computing" since day one. It's one thing to pass encrypted data through an untrusted party, but it's another thing entirely when the untrusted party is an endpoint with access to the plain text. Not only do you have to trust that the endpoint has properly implemented security, but also that every individual with access to the data has uncompromising integrity.

Re:Trust (1)

mcwop (31034) | about 2 years ago | (#40110451)

What if the end point's security is better than yours? Why does everyone assume their security is better than a cloud service's? In some cases it is and in some cases it's not.

Re:Trust (1)

StikyPad (445176) | about 2 years ago | (#40110945)

1) It may well be more secure, but large collections of data are also a bigger target. Your data could conceivably be a victim of collateral damage even if you weren't the initial target, or ever a target at all.

2) Two people can keep a secret. If one of them is dead. From a purely statistical standpoint, all else being equal, the more people who have access, the bigger the risk.

Re:Trust (0)

Anonymous Coward | about 2 years ago | (#40110555)

It's not ironic. IBM could make laptops aimed at teenage girls, and quite sensibly tell their engineers to choose something better specced for their work. This is IBM being sensible. It would be ironic if IBM touted the Barbie book as being great for developers, yet told their ken developers it was indeed unsuitable to use internally for the same purpose they sell it.

Re:Trust (1)

StikyPad (445176) | about 2 years ago | (#40110883)

Yes, but these aren't laptops aimed at teenage girls. It's IBM saying "our systems are perfect for your enterprise applications that we would never trust with our data. But have fun, everyone else."

Re:Trust (1)

bws111 (1216812) | about 2 years ago | (#40111167)

That is complete nonsense. They are saying no such thing. They are saying they have a problem with SERVICES that provide absolutely no guarantee of data security, zero auditability, crappy terms of service that basically say 'we can do whatever we want with your data', etc. None of that has anything to do with any IBM hardware or software.

If IBM was saying "Don't use IBM cloud services" then you would have a point. They are not saying anything close to that.

Re:Trust (0)

Anonymous Coward | about 2 years ago | (#40112957)

IBM probably trusts the IBM Blade Server that powers SuperCloud Inc just fine. It's the people who work at SuperCloud Inc that they don't trust.

Re:Trust (1)

ZombieBraintrust (1685608) | about 2 years ago | (#40112463)

Less to do with trusting Dropbox and more to do with trusting your employees. My firm blocks all kinds of things: GMail, Facebook, Twitter, and USB drives. It also restricts other things. Can't use cell phone cameras on premises. Can't use your own mouse or headphones. Can't leave any papers on desk or in trash. Can't install anything without permission. I carry two cellphones because I can't mix personal and business email. This is a non-story. I have no idea why Slashdot isn't blocked.

What about search engines? (3, Insightful)

hsmith (818216) | about 2 years ago | (#40110283)

anything you google, type into bing, yahoo, are all captured somewhere. Seems that they are fighting a losing war of data leakage protection.

Re:What about search engines? (1)

nine-times (778537) | about 2 years ago | (#40112173)

You have a point, but this isn't the right way to think about it either. It's all about assessing the threats and liabilities that you're dealing with, and making good risk/benefit decisions. Yes, everything you type into Google goes somewhere, but what are you likely to be searching about? What is the likelihood of someone going through your search history to find those things? I would guess that if someone went through each of my search queries individually, they wouldn't find anything remotely interesting. If they went through my entire search history and tied it to me specifically, it could be embarrassing, but not terrible.

On the other hand, I know people using dropbox to store *all* of their documents. Of the documents on my hard drive, there are documents that contain some very sensitive information, much worse than anything in my search history. Just to give a few examples, I have a personal journal (i.e. a diary) with a lot of personal thoughts. I have my tax returns, and other documents which contain my name, SSN, date of birth, mother's maiden name, and a bunch of other stuff. If someone got ahold of all of that in an unencrypted form, it could be really bad.

Now I'm not saying you can't trust dropbox, but security is not an all-or-nothing proposition. It's not "either things are secure or they're not." It's about balancing the need to prevent unauthorized access with the need to make authorized access easy and robust.

Lets be for real (0)

Anonymous Coward | about 2 years ago | (#40110287)

Can anyone say IBM coming out with their own iCloud in the foreseeable future? Oh yes, we can say it.

Re:Lets be for real (1)

Tsunayoshi (789351) | about 2 years ago | (#40110355)

Bingo... they are forbidden from using cloud services from competitors... I'm sure once IBM joins the cloud service provider party, that will be allowed.

Re:Lets be for real (1)

bws111 (1216812) | about 2 years ago | (#40110591)

IBM has been providing 'cloud' services for more than 50 years. They just don't call it that. Originally it was 'service bureaus', where a company could rent time on IBM systems. Now it is more of IBM running all of a company's IT operations.

Why is IBM moving to SugarCRM? (0)

Anonymous Coward | about 2 years ago | (#40110749)

If they hate the cloud, isn't that the opposite of what they should be doing? I've read several articles about them moving away from Siebel towards SugarCRM over the past few weeks, this totally flies in the face of them hating on the cloud. Which is it?

Re:Why is IBM moving to SugarCRM? (1)

bws111 (1216812) | about 2 years ago | (#40110961)

IBM does not hate "the cloud". IBM does not want its own data stored on services that do not have contracts stating exactly how that data may be accessed and by whom, and with no penalties for intentional or inadvertent disclosure of that data.

Umm... how is IBM enforcing this again? (1)

supremebob (574732) | about 2 years ago | (#40110981)

Can someone who works for IBM care to explain how they're planning on enforcing these rules?

Sure, I could see them scanning their employees' laptops to make sure that Dropbox isn't installed, but how are they going to stop you from using iCloud or Siri on your cell phone? I know that IBM certainly didn't pay for MY cell phone or cell phone plan when I worked there, and I sure as hell wouldn't let them install their bloatware security lockdown tools on my personal property.

Re:Umm... how is IBM enforcing this again? (1)

bws111 (1216812) | about 2 years ago | (#40111265)

Very simple. It is your (the employee) responsibility to protect data you are trusted with. These rules are in place to make sure you understand that some things are not considered secure by IBM. If you use those services anyway, and information leaks out because of it, YOU are personally responsible and will be fired and/or have legal action taken against you.

Dropbox needs client side encryption. (1)

Liambp (1565081) | about 2 years ago | (#40110983)

I hope this shames Dropbox into implementing proper client side encryption.

I like many others have become dependent on Dropbox for my work because it is so darn convenient but I know in the back of my mind that it poses a security risk. I would feel much more comfortable if everything was encrypted on my PC (and under my control) before it was transmitted.

Re:Dropbox needs client side encryption. (0)

Anonymous Coward | about 2 years ago | (#40111347)

If you're serious then switch to SpiderOak or Wuala. They already have client side encryption. Or 7Zip your files before you copy them to your Dropbox folder.

Re:Dropbox needs client side encryption. (1)

plover (150551) | about 2 years ago | (#40111369)

Since it's all about trust anyway, a Dropbox client would be the last place I'd put my trust before storing data in their cloud. If their client knows my key, how do I know they aren't sending it up to the mothership as well?

Integrated security simply means a larger attack surface and more parts in which you have to invest 100% trust. It's much safer to trust a single tool that only does security (encryption) than to trust their entire ecosystem.
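An added example, not from any of the posters above, showing concretely what "encrypted on my PC, under my control, before it is transmitted" means, and what a single-purpose encryption step in front of the sync client buys you: the provider only ever receives ciphertext, the key never leaves the machine, and any modification made on the provider's side is detected at decryption time. The sync folder path, file names and the runbook text are made up. To keep it dependency-free it builds authenticated encryption from the standard library's HMAC-SHA256 (a counter-mode keystream for confidentiality, a separately derived MAC key for integrity, encrypt-then-MAC); for real data use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library, or the password-protected archive the reply above suggests. The structure, key placement and tag check are what the example is about, not the primitive.

```python
"""Encrypt locally, then hand the sync client only ciphertext.

Added example. Paths and sample content are constructed. The cipher is a
standard-library HMAC-SHA256 construction (CTR keystream + encrypt-then-MAC
with independent derived keys) chosen so the example runs without third-party
packages; production code should use a vetted AEAD from a maintained library.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

NONCE_LEN = 16
TAG_LEN = 32     # HMAC-SHA256 output
BLOCK = 32       # one HMAC-SHA256 output per counter value


def derive_keys(master_key: bytes):
    """Independent encryption and MAC keys, both derived from one locally held master key."""
    if len(master_key) < 32:
        raise ValueError("master key must be at least 32 bytes")
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over HMAC-SHA256: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    for counter in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_bytes(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Only this blob is allowed into the sync folder."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)   # fresh per file; never reuse a nonce under the same key
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_bytes(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key or any modification raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = derive_keys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or file modified in the cloud")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def put_in_sync_folder(master_key: bytes, sync_dir: Path, name: str, plaintext: bytes) -> Path:
    """Write only the encrypted form into the (hypothetical) sync folder."""
    target = sync_dir / (name + ".enc")
    target.write_bytes(encrypt_bytes(master_key, plaintext))
    return target


def fetch_from_sync_folder(master_key: bytes, path: Path) -> bytes:
    return decrypt_bytes(master_key, path.read_bytes())


def demo() -> bool:
    """Round trip through a temp directory standing in for the sync folder.
    Returns True if the provider-side view is opaque, the round trip is exact, and tampering is caught."""
    master_key = os.urandom(32)   # lives only on this machine, e.g. in the OS keychain
    sync_dir = Path(tempfile.mkdtemp(prefix="sync-"))
    secret = b"DR runbook (constructed): fail over DNS to site B, then rotate the KMS keys."
    path = put_in_sync_folder(master_key, sync_dir, "dr-runbook.txt", secret)
    provider_view = path.read_bytes()             # what the service and its staff can read
    opaque = secret not in provider_view
    intact = fetch_from_sync_folder(master_key, path) == secret
    tampered = bytearray(provider_view)
    tampered[NONCE_LEN] ^= 0x01                    # flip one ciphertext bit "in the cloud"
    path.write_bytes(bytes(tampered))
    try:
        fetch_from_sync_folder(master_key, path)
        caught = False
    except ValueError:
        caught = True
    return opaque and intact and caught


if __name__ == "__main__":
    print("ok" if demo() else "FAIL")
```

The point the last reply makes holds for this layout too: the only component that ever sees the key is the small encryption step, so the sync client, its plugins and the provider's servers are all outside the trust boundary. What this does not give you is deniability about file names or sizes, and losing the master key loses the data, so the key needs its own backup path that does not run through the same cloud.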

why is IBM the only company? (0)

Anonymous Coward | about 2 years ago | (#40111247)

Why is IBM the only company bright enough to notice this obvious problem? Shouldn't we all be worried about this? The cloud is just becoming another form of spyware.

Why would IBM employees NEED Dropbox et al? (1)

msobkow (48369) | about 2 years ago | (#40111629)

I don't see why an employee would need a service like Dropbox while working for a large corporation like IBM.

They already have all kinds of subversion, document, and content servers in-house, readily available by logging in to the VPN (securely!)

External services like Dropbox are fine for consumers whose employers don't already provide intranet "cloud" storage for data, but employees of large companies? What kind of employee shoot-myself-in-the-foot insanity would place critical corporate information on a public cloud service instead of securely within the intranet cloud?

Re:Why would IBM employees NEED Dropbox et al? (0)

Anonymous Coward | about 2 years ago | (#40113571)

People are lazy/careless. Why use the well-functioning and easy-to-set-up secure chat system when you already have your MSN account running, and the guy you need to send confidential details to is in there? Never mind that this information should never leave the company network and can be slurped up by someone along the way. Nah, it's easier. I see people putting confidential client information and correspondence into fucking Google Translate. In my place we have excellent and easy-to-use software for encrypting laptop drives. Practically transparent and easy to set up, yet most people have to be repeatedly badgered before they'll do it. In the end I had to tell them the story of a colleague who was fired because his laptop was lost, and security were less than impressed on hearing that he hadn't followed corporate advice to encrypt all laptop drives.

This has always been the issue with the "cloud" (1)

Dcnjoe60 (682885) | about 2 years ago | (#40113143)

This has always been the issue with the "cloud." Oh, sure, it sounds great to be able to pull up documents from wherever, to collaborate, to do all sorts of things, but if that server is hosted by an outside company, then all of your trade secrets, business plans, legal documents and briefs, personnel documents, marketing plans, and whatever confidential corporate information you have is under somebody else's control. How well do you trust the host company? How well do you trust the other companies that the host company services?

Public clouds are about as useful as facebook. Only store things there you wouldn't mind your mother or in the case of businesses, your competition seeing. Private clouds are where the real benefit is at. It's not foolproof, but it is certainly more secure than relying on somebody whose server may reside in who knows what country with who knows what legal system protecting it, or not.

The first rule in securing data is preventing access. Putting data on a public network violates the first rule of securing data.

Wrong! (0)

Anonymous Coward | about 2 years ago | (#40116767)

IBM has banned storing Sensitive Private Information on unencrypted storage, either locally or in the cloud. It's nearly impossible to segregate SPI / non-SPI, so it's easier to make a blanket statement that it all must be encrypted. Dropbox isn't encrypted, as well as most of the public cloud storage companies out there. The message was that if you want to use a public cloud, you need your 1st line manager approval, for which they will ask you what you want to store there, is it encrypted, and why you want to store it there (sharing with customers / business partners). We also have to encrypt all of our hard drives, as part of the new security policies. I'm not seeing how this is a big deal. It sucks, but the necessity is real.

Dropbox is a great way to sync files with co-workers, customers, and business partners. It makes version tracking among many users really neat, and instant. Very much easier than email. For what Dropbox charges, knowing that the cost of storage drops year over year and that Dropbox hasn't had any price drops lately, they should have had encryption a long time ago. Instead Dropbox releases a neat picture plugin.

Encryption requirements are going to rule every data center in less than 6 years.

These are my views, and not the views of my employer.

BR
