A collaborator account that an enterprise should not manage could end up rolled in with the employees, according to Gordon. Collaborators can end up having their accounts managed by the enterprise without their knowledge or consent. Unauthorized people may end up sharing their data, and they may expose that data in any number of ways or delete it.
Though there was just such an incident, Box has taken measures to ensure that it will not repeat itself. "Our security and compliance teams walked through our processes for managing users and added controls to the system to ensure that this cannot happen again," says Shirk. "We added controls to make sure that no one rolls in accounts without the understanding and knowledge of both parties — the account holder and the organization."
Cloud data services such as Dropbox offer an easy portal for data theft, according to Gordon. "Companies may want to keep an especially tight leash on contractors in restricting their access to future Dropbox business accounts," says Gordon.
But Dropbox guards against inappropriate access using two-factor authentication and identity and access management tools of the customer's preference, which Dropbox integrates into its application. "We have built integrations into the leading identity providers or federated identity providers like Okta, Ping Identity, OneLogin, and Centrify. It's all standards based so we can work with any kind of IAM tool that an enterprise uses," says Ross Piper, Vice President of Enterprise Strategy, Dropbox.
How they protect your files
Box transmits files using SSL encrypted sessions and encrypts files at rest using 256-bit AES encryption, according to Shirk. Box is ISO 27001 certified and offers its SSAE 16 SOC 2, Type 2 report, which replaces SAS 70 as evidence of meeting enterprise security and compliance standards. Box is working on industry-specific frameworks such as compliance with PCI and HIPAA. Box can help companies achieve compliance with HIPAA while using its service, according to Shirk.
Dropbox supports TLS 1.0 through 1.2 and SSL v3 for data in transit. "This creates a secure tunnel that up to 256-bit encryption protects," says Louie. The encryption level depends on the level negotiated with the client. Dropbox also uses a 256-bit AES cypher for data at rest. In addition, Dropbox splits the files. "We anonymize each of those file pieces or b-file blocks with a hash value. We then encrypt those hashed file blocks separately and store the encryption keys separate from the encrypted file blocks," says Louie.
"We have a current SOC 2/type 2 report available to our customers by request," says Louie; "we're going to maintain that and be subject to audit at least on an annual basis." The Dropbox compliance roadmap also includes plans to earn the ISO 27001 2013 certification this year, according to Piper.