Dark Reading is part of the Informa Tech Division of Informa PLC


5/24/2012
05:44 PM

IBM Bans Dropbox: Should SMBs Follow Suit?

IBM's about-face on bring-your-own policy might be too draconian for small companies, but it serves as a reminder that some popular cloud services come with inherent risks.

If the bring-your-own era makes a technology bellwether like IBM uncomfortable, what does that mean for the rest of us?

If you missed it, Big Blue recently banned its 400,000 employees from using Dropbox, Apple's Siri, and other well-known applications on the corporate network. Given that IBM's business is technology, the decision to restrict which technologies its people can use to do their jobs is an eyebrow-raiser. Should small and midsize businesses (SMBs) pursue a similar policy?

It depends on whom you ask. IBM obviously has a different set of needs and challenges--not to mention a different budget--than most SMBs. Still, IBM's revised approach does offer some reminders for any company that allows or even encourages employees to provision their own tools for activities such as backup or collaboration. Among IBM's reasons for the policy change: Security-related concerns. IntraLinks CTO John Landy thinks the security risks of a bring-your-own-cloud (BYOC) approach are very real, no matter the size of the business.


"The risk of allowing BYOC is inherent in any organization that owns confidential or critical information, which I would assume is every corporation in existence," Landy said via an email interview. "Assuming that there is a risk associated with corporate documents, the best alternative is to follow IBM’s lead and find a solution that allows for compliance and governance, rather than allowing untethered access to Dropbox, Box, Google Drive, and other consumer-grade platforms."

Landy has a business interest at stake: IntraLinks, like Citrix's ShareFile and similar file-sharing and collaboration platforms, was built specifically with business users in mind, ignoring the consumer market. And when you're constantly asking employees to do more with less--standard operating procedure for many SMBs--restricting the tools they use to get things done can seem self-defeating. There's also that minor matter of enforcement. IBM has the wherewithal to practice what it preaches, but when IT and financial resources are already spread thin, trying to keep people from sending corporate files to their personal Gmail accounts might be an exercise in futility.

Or, as Analysys Mason principal analyst Steve Hilton put it via email: "As speakeasy owners during the U.S. Prohibition would likely tell you, it’s hard to prohibit something people really want."

Hilton ultimately thinks the Dropboxes and Google Drives of the world don't pose untenable problems for most SMBs: "I believe the underlying security of consumer-grade cloud solutions is fine for a SMB. It’s unlikely that some hacker is going to spend the time searching for top-secret SMB documents in Dropbox." Still, that doesn't mean he'd recommend them as business-critical applications. Like Landy of IntraLinks, Hilton sees clear risks in using consumer-oriented technologies for business. The first is a lack of control over the company's intellectual property (IP): "I don’t like the idea of allowing employees to put corporate IP in an account where I have no access to it," he said. The second is a lack of visibility: "I’d like to be able to see what employees are putting in cloud-based collaboration files whenever I wish."

Ask Techaisle CEO Anurag Agrawal whether smaller companies should follow IBM's lead, and you'll get a one-word answer: No. "It is like trying to say that SMBs should not use search because Google is tracking every request and storing it for future use," he said via email, adding that Techaisle itself uses Dropbox. (To boot, I'm working on this story in a Dropbox folder.) "Technologies like Dropbox are instrumental in supporting and driving new ways of working within SMBs."

It's not that Agrawal is cavalier about the potential risks of using public services such as YouTube, Skype, or Twitter in a corporate setting. Rather, he sees BYOC as an inevitable, positive shift involving risks that can be proactively managed with a mix of policy, education, and technology. Is there a downside in storing corporate data in a personal Dropbox account? Yep. But Agrawal thinks the upside of BYOC is greater for SMBs, most of which operate without even a small fraction of IBM's resources. "The widespread availability of cloud services has empowered individual workers to use services that would otherwise not be available or would take an enormous amount of time to be deployed," Agrawal said. "Next-generation cloud applications originally targeted for consumers are actually enabling SMB workers to collaborate in new ways that accelerate business productivity, growth, and innovation."

Analysys Mason's Hilton offers a bottom line: If you do restrict what tools and applications your employees use to do their jobs, you'd better provide an alternative. An SMB that followed IBM's lead and banned Dropbox, for instance, would be spitting into the wind without deploying another cloud collaboration platform; Hilton pointed to Microsoft's SharePoint and Cisco's Hosted Collaboration Solution as examples of business-oriented alternatives.

"The best approach is the old carrot-and-stick," Hilton said. "Provide employees with a SMB-grade cloud collaboration solution and discourage the use of consumer-grade cloud."


Comments
QQ10,
User Rank: Apprentice
7/8/2013 | 9:09:10 AM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
In fact, IBM should ban Facebook, Baidu. A lot of information can be found there!
The New Fulcrum Point,
User Rank: Apprentice
5/30/2012 | 7:08:31 AM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
IBM bans Dropbox, not good!
MyW0r1d,
User Rank: Apprentice
5/25/2012 | 3:47:21 PM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
In a world where saying "Follow me on Facebook" or "I'm on Twitter" are ends to themselves without a sound strategy to actually use the applications, it is refreshing to see a major company that understands information control is fundamental and vital to competitiveness and survivability. More so, that they are taking steps to control their internal information management when it would be easy to use the opportunity to attack others. Sound business strategy, kudos to IBM.