David Gildeh speaks out over Dropbox security scare

David Gildeh, Director of Cloud Services at Alfresco Software:

There has always been a concern about cloud security in the enterprise space and there always will be, but I don't think it will slow down the momentum of enterprises adopting cloud services. Dropbox is very much a consumer service without many of the security controls that enterprise services offer. There are a lot more assurances vendors in the enterprise file-sharing space can give in helping organizations secure their data. This is a good lesson on the importance of using enterprise-proven solutions when it comes to the security of your organization's content.

Users should not use the same password across all sites on the Internet because they have no idea how secure they are. Hackers know that users are lazy and will exploit this on popular services once they get emails and passwords from a compromised site. Enterprises can prevent some of these issues by implementing tougher password control such as two-factor authentication and SAML SSO to connect their existing security infrastructure to cloud services they use. With SAML SSO they can ensure they provide a consistent security policy across all their applications regardless of where they're hosted.

How can users ensure they stay secure?

Use a password management service that allows you to easily generate random, strong passwords for all your sites and store them securely with their browser plugin. That way, if one of your accounts is compromised, hackers can't use the same details to access all your sites because they share the same password.

Be aware of who you're sharing data with and how well they manage their own security. You can do as much as you can to secure your own account, but that's pointless if one of the other users you're sharing data with isn't taking the same precautions and gets hacked.

If you're using a cloud service for business-critical data, look at enterprise services such as Alfresco. This will give you more control over your data and also who else has access to it. You can't get this with consumer cloud services, meaning each user you share data with is a potential security hole.

What questions should users ask their providers about security?

Have they been audited by a third party to a certification like SOC2? If so, you should ask for a copy of the report.

Do they provide SAML SSO so you can integrate your existing user directory with the cloud service and ensure users are respecting the same password and security policies your company has already?

Does the provider provide auditing of access to their services so you can easily trace and identify security breaches should you suspect your data has been compromised?

What notification policy do they have in place to alert their customers if there has been a security breach so they can take the appropriate action?