Hak5 Forums
andrewb007

Dropbox for business Secure, alternatives?


I am an IT administrator/support for a small organisation and we have Dropbox users storing and sharing data (some of it could be confidential or sensitive). I was wondering if anyone should be storing confidential or sensitive information in Dropbox. I have heard there are many security holes in it.

Tell me what you think?

Alternative? OneDrive for Business?


If you absolutely have to use a cloud-based storage solution I'd highly recommend Google Team Drive. Not only is it the same price as Dropbox but they also provide you with company email addresses ($10/u/m). They have a full suite of tools to protect your information and you can control all aspects of your data. You can lock types of files, restrict access based on domain, and even restrict the downloading/copying of documents.

My company used to utilize Dropbox but it's FARRRRRRR too easy for a user to mess everything up for everyone.

-PsyNeu


I do not trust cloud storage at all. I think there is always the possibility that someone will steal your data, but nobody would like that.


(Taking on the tinfoil hat)

Maybe it's just me being paranoid here, but storing confidential data offsite (3rd party provider), and no encryption. No way, no matter who it is.

For a small organisation, I would say, privately owned and run server, LUKS drives, and SSHFS, with gpg as an extra layer for individual file encryption.
Some realtime monitoring for file read/write (inotify), and you're on your way :)

Depending on the workstations, LUKS and LUKS-Nuke option, maybe try looking into luks-TPM or OpenPGP smartcards and LUKS, and you're well on your way to something secure :)

(Taking off the tinfoil hat again)

 

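The inotify file read/write monitoring suggested in the post above, as an added example that is not part of the original thread: it calls Linux's inotify system calls through Python's ctypes and decodes the kernel's `struct inotify_event` records. The `SAMPLE` buffer and the file name in it are constructed for illustration.

```python
import ctypes, ctypes.util, os, struct, sys

# Event bits from <sys/inotify.h>, in ascending order.
FLAGS = {0x001: "IN_ACCESS", 0x002: "IN_MODIFY", 0x008: "IN_CLOSE_WRITE",
         0x020: "IN_OPEN", 0x040: "IN_MOVED_FROM", 0x080: "IN_MOVED_TO",
         0x100: "IN_CREATE", 0x200: "IN_DELETE"}
WATCH_MASK = sum(FLAGS)  # subscribe to every event listed above
HEADER = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len

def parse_events(buf):
    """Decode bytes read from an inotify fd into (wd, [flag names], name)."""
    events, off = [], 0
    while off + HEADER.size <= len(buf):
        wd, mask, _cookie, name_len = HEADER.unpack_from(buf, off)
        off += HEADER.size
        # The name is NUL-padded to name_len bytes; keep the part before the pad.
        name = buf[off:off + name_len].split(b"\0", 1)[0].decode(errors="replace")
        off += name_len
        events.append((wd, [n for bit, n in FLAGS.items() if mask & bit], name))
    return events

def watch(path):
    """Print every read/write event in one directory (not recursive)."""
    libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
    fd = libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    try:
        if libc.inotify_add_watch(fd, os.fsencode(path), WATCH_MASK) < 0:
            raise OSError(ctypes.get_errno(), "inotify_add_watch failed")
        while True:
            for _wd, flags, name in parse_events(os.read(fd, 4096)):
                print("|".join(flags), os.path.join(path, name), flush=True)
    finally:
        os.close(fd)

# Constructed sample: a file is created, then opened and read.
SAMPLE = (HEADER.pack(1, 0x100, 0, 16) + b"payroll.xlsx".ljust(16, b"\0")
          + HEADER.pack(1, 0x001 | 0x020, 0, 16) + b"payroll.xlsx".ljust(16, b"\0"))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        watch(sys.argv[1])  # runs until interrupted
    else:
        for event in parse_events(SAMPLE):
            print(event)
```

A single inotify watch covers one directory only, so a share with subfolders needs one watch per directory.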

Dropbox and Google are cloud storage providers that can do what they want with your data, as I've experienced with companies I work for. They also do not assist with investigations resulting from misuse of user log-ins.


I also agree with building a personal cloud for your organization. It's a little more costly up front but there are many advantages. First, you won't be forced to comply with another company's terms of service. One MAJOR issue with using any vendor cloud storage option is knowing where your data is physically stored. My manager and I were tasked with this project at my job. Realize that many vendors have written in their agreement that once the data is on their server they own it. This is a major legal issue. It's crazy actually. Where they are storing your info is extremely important, and there are a crap ton of lawsuits against major cloud service providers right now due to lack of transparency. Wherever your data is stored, you're forced to comply with local law. So different states, even counties within the states, need to be researched. What if it's stored overseas? We are a finance management company for multiple companies. Obviously we have full personal financial information on the customers of the vendors whom we support. You can imagine why our law department requires very detailed info on the physical storage location. Read this.

 

https://www.greenhousedata.com/blog/legal-battles-over-local-data-why-your-cloud-location-matters

It's not very well known, but it's a major issue. An example is Facebook. A lawsuit against them storing all users' info, I believe it was in San Fran, meant they owned anything posted. They addressed the issue by moving their server to a different country so this is no longer true. They are probably the best example as the lawsuits are many, and unlike Google, Amazon and Microsoft, Facebook has become transparent.

 

Another situation to take into account: ransomware attacks are growing in numbers. What if the server location is attacked? It's happened with insurance agencies. Billing info, client accounts, any info like policies were held for ransom. One company had to push all their customers' payments to the next month, causing a double charge for that month and the previous. So what happens if where your data is stored is attacked? Suddenly you can't access any of that info. How long will you be down? What's the company's disaster recovery plan for this?

Lots to think about until standards are set, but currently there are none. Go local for now. 

 

Bookmark this page. In my opinion everyone should have this page bookmarked for recovery situations.

 

https://www.nomoreransom.org/en/decryption-tools.html

It's updated very quickly, but obviously the newest needs to be cracked before they can provide fixes.  But it's a priceless resource I feel. 

 

Good luck. 
