"There are four critical questions every enterprise and IT administrator should ask when considering file sharing services," says Adam Gordon, author of "Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)." These include: Where will the service store and share files? Who will view the files? How will the service protect the files? And, what types of files will the service permit in the storage system? If a service provider doesn't respond satisfactorily, CISOs should consider their options.
CSO decided to measure the security of Box and Dropbox using these questions. Does either meet enterprise security standards for cloud-based file sharing? Judge, dear reader, how each application stands up under scrutiny.
File storage requirements
File sharing services store data outside corporate IT, where enterprises can lose control of it. Enterprises cannot ensure service uptime, file availability, or even that the service will not shut down altogether.
"This exact circumstance left customers of the Megaupload file sharing service virtually stranded, without access to files in the service's cloud environment, regardless of their legitimate and proper use of the service," says Gordon. These situations leave customers wondering who has access to their files and whether someone will delete them.
Box assures enterprise customers with an SLA guarantee of 99.9% uptime, maintaining that uptime in several ways and offering customer account credits where it fails. "First, we have a single infrastructure serving all our customers at all paid levels. We deploy the highest quality networking and services at a much bigger scale, which allows us to offer enterprise protection more efficiently," says Grant Shirk, group product marketing manager, enterprise, Box.
That infrastructure spans four geographically dispersed locations including three primary data centers. "We select colocation facilities with the highest levels of service bandwidth and disaster avoidance for these data centers," says Shirk. A fourth facility offers emergency backup storage for encrypted binaries so Box can restore from that location.
Dropbox offers uptime guarantees, but doesn't share them publicly. "We provide uptime or SLA guarantees in specific commercial contracts," says Cory Louie, Head of Trust, Safety, & Security, Dropbox. Dropbox stores customer data on Amazon S3 and mirrors encrypted file data in colocated data centers. Dropbox currently stores all customer data inside the U.S.
Who has access?
Cloud file sharing services must protect the access rights of individual accounts. But Box enables account managers to roll employees' free accounts into the enterprise's business accounts.
"Businesses with a large number of employees who are currently using Box as free users will often formalize their relationship with Box and roll the free users into a corporate account to gain access to additional features," says Gordon. Sometimes these free users include external collaborators who are not employees. This scenario leads to a variety of undesirable complications.