As cloud computing becomes easier to understand and use, many employees across campus, and in the Division of Academic & Student Affairs, are investigating the use of Dropbox and other cloud-based storage services such as Box.net and SkyDrive. Technology units across campus are being asked to support these services, including the DASA Tech team.
There are many concerns about the security of Dropbox and similar services. Those are outlined below. In particular, OIT, DASA Tech and other college/division tech units have discussed the potential for significant harm resulting from the use of these services for storing and sharing data that is protected by university policy, state law (such as personnel records) and/or federal law (such as FERPA or HIPAA protected student data).
OIT Security & Compliance is actively researching this issue; techies from across campus are engaged in those discussions. Pending any limitations on the use of Dropbox or other decisions that may result from that review, DASA Tech has implemented the protocol outlined below. In summary, we are significantly limiting the use of Dropbox and similar services. Alternative methods for file sharing are available and are supported by DASA Tech and OIT. Current users are “grandfathered in” and may continue to use Dropbox but only if sensitive files are removed and users agree to certain limitations.
For now, we intend to remove any sensitive data from Dropbox accounts (and prevent it from being stored there in the future), move current users to alternative methods where possible, and prevent new use of Dropbox unless truly compelling reasons exist.
Please contact your local tech support if you have any questions, or would like assistance in using any of the alternative methods described below.
DASA Tech Protocol for Dropbox and Other File Sharing Services
- DASA Tech will not install Dropbox or similar software on any computer, laptop or mobile device from this point forward.
- Exceptions include only those situations where a staff member must share documents with individuals outside of NC State University for work purposes, such as work associated with a professional organization.
- DASA employees can use NCSU Drive and Google Drive as alternatives for storing and/or sharing files, as well as Remote Desktop for accessing files; DASA Tech and OIT already provide support for these alternative resources.
- Anyone currently using Dropbox may continue to do so but must comply with the following Dropbox protocols and security restrictions:
  - Any protected data must be immediately removed.
  - The user must agree not to store any confidential or protected data on their account in the future.
  - Users are strongly encouraged to use dual authentication measures where those are available.
  - Users are strongly encouraged to follow OIT’s recommended practices for Dropbox.
  - Violation of that agreement will result in the removal of Dropbox.
- Anyone storing FERPA, HIPAA, personnel, budget or other confidential information must discontinue their use of Dropbox for this data. DASA Tech will assist in moving this data to Google Drive or other shared drive options.
Security Concerns with Dropbox
- The possibility for data leakage is magnified. It is easy to inadvertently publish information publicly through Dropbox. Some Dropbox data is stored outside of the US.
- Communication with Dropbox through mobile devices is not secure.
- Installing Dropbox creates an additional opportunity for hackers to access your computer during the installation process.
- It is very easy to copy configuration files from one PC to another, enabling unauthorized access to your Dropbox account.
- Access to Dropbox via third-party APIs does not protect your account from unwanted access.
- Dropbox has had a series of high-profile security breaches.
- Dropbox does not require strong passwords. If you reuse a password across multiple accounts, your Dropbox files could be easily compromised.
- N.C. State has no contractual agreement with Dropbox and therefore cannot retrieve files or transfer ownership, nor guarantee the stability or reliability of services.
Related Articles and Resources
- Dropbox authentication: insecure by design, Derek Newton, independent security researcher, April 7, 2011
- Dropbox Lack of Security, Miguel de Icaza, software expert, April 19, 2011
- Dropbox Accused Of Misleading Customers On Security, InformationWeek, May 16, 2011
- Dropbox’s password nightmare highlights cloud risks, CNNMoney, June 22, 2011
- IBM Bans DropBox, Technology Review (MIT), May 21, 2012
- Dropbox Users Targeted By Spam, Possible Address Leak To Blame?, TechCrunch, July 17, 2012
- Dropbox confirms it got hacked, will offer two-factor authentication, Ars Technica, July 31, 2012
- Dropbox has become “problem child” of cloud security, VentureBeat, August 1, 2012
- Is two-factor authentication Dropbox’s security answer?, ZDNet, August 2, 2012
- 5 Dropbox Security Warnings For Businesses, InformationWeek, August 14, 2012
- Comprehensive overview for EDU: Cloud Data Storage Solutions: Dropbox Security & Privacy Considerations
- Best Practices for Data Security in Google Apps @ NC State