Dropbox issue not about encryption

I’ve been reading a lot of blogs and stories related to the Dropbox security issue and am surprised at the amount of energy being spent on a different topic, file encryption.

A post at Wired stated:

The bug was made possible because of the security architecture choice that Dropbox made, where encryption and decryption happen on Dropbox’s servers, rather than on individual’s computers.

Wuala’s blog states:

…problems like these wouldn’t be possible if the files were encrypted already on the client, like Wuala does.

The issue is not encryption; the issue is poor programming and even worse QA.

It is more likely that your computer is infected by spyware with a built-in keylogger than that your SaaS host gets hacked. Yes, if the SaaS storage host is hacked or breaks its authentication, it is a major, widespread issue. However, if your computer is hacked (again, more common), even that precious client-side security is broken.

Something else to think about: if you rely solely on client-side encryption, you will lose some great benefits like web-based access to files in the cloud, device sync (phones/tablets), collaboration, integration with a business network (Active Directory), etc.

Don’t get confused about the main issue that Dropbox had. The issue with Dropbox was a lack of mature protections on code updates.

June 21st, 2011

Dropbox drops authentication

What a disaster for Dropbox yesterday when their authentication system broke and allowed users to use any password to log in. I am shocked that a major SaaS host would have such a major bug that would allow complete access to any of their accounts. This is a lot worse than the previous PR issue where they were promising things that they could not due to U.S. law.

This speaks to a very large issue with QA testing on new code. As one of our network admins here pointed out, it is similar to an anti-virus vendor releasing an update that detects system files as a virus, thus rendering Windows unusable. There is no excuse when you are that large to not have sufficient testing in place. We need to expect better from the supposedly mature SaaS companies out there.

It looks like Dropbox took a page from the Google PR team, stating, “A very small number of users (much less than 1 percent) logged in during that period…” That just speaks to arrogance and attempts to put some sort of positive spin on a big disaster. Plus, 1% of your customers is around 250,000 users.

This will also be another reason to be very cautious when picking your SaaS vendors. Make sure you have a balance of security, flexibility, total cost, and recovery. If your data needs to be secure, you need to pick a vendor that matches that security.

Remember, nobody will care more about your data than you will.

June 21st, 2011