Is Cloud Storage Compromising Your School's Security?

Most faculty are well aware of the free and low-cost storage and sharing services like Dropbox, Box, Google Drive, Sky Drive, and others, and are inclined to make use of them in their day-to-day work. These services provide a simple way to share with colleagues everything from course materials to exams to research and lab notes. Since they're free and easy to use, why not take advantage of them?

The majority of faculty are unaware of the potential security risks involved in using these services, and don't understand how to protect themselves and their content within that environment. Many do not realize the dangers of weak passwords, password re-use on multiple sites, or mobile downloads using public or unencrypted connections.

More troubling is the fact that university IT departments are often unaware that their clients are using these services. Given the incidences of credential theft and information leakage involving these services that has occurred in the recent past, security-conscious IT departments are now making a concerted effort to minimize their organizational exposure to these services. Some are even attempting to create their own Dropbox-like services.

The security risk of Dropbox and other like services for educational units is very real. For example, in response to a number of publically embarrassing attacks in 2011 and 2012, Dropbox implemented a healthy set of security policies. The company encrypts users' data on their servers using the AES-256 standard, and all transmissions travel from the desktop to Dropbox via 256-bit SSL secure connections. More recently they recently implemented two-factor authentication to help users protect their login credentials. These are all Good Things. However, there are still several problems with Dropbox that prevent it from being secure enough.

Users' encryption keys are stored on Dropbox's servers, along with their data. That opens up the potential for a rogue employee to potentially decrypt and expropriate users' data, and represents a risk simply not worth taking when dealing with sensitive data. A better alternative is for the user to hold the key rather than the vendor.

The two-factor authentication option, while highly effective, is not yet mandatory, leaving it to users to decide whether to turn on this often inconvenient feature. While the company's Dropbox for Teams product allows an administrator to see who is using two-factor and who isn't, the starting price of $800 per year for five users makes that administration an expensive option.

Finally, data that is stored only on Dropbox is typically not available to IT or administration under most circumstances, especially in the case of small personal accounts established by a faculty member. So when that individual moves on to greener pastures, it is possible that access to that information will simply be lost. Most of the commercial storage/sharing products suffer from one of more of the same issues as does Dropbox; some suffer from all of these and still more.

Recently I was asked to help prepare a questionnaire regarding faculty use of off-site cloud storage, in an effort to discover which vendors' services are used, how the data is being used, and whether university information is being stored and shared off-campus. The results of this survey will help define the depth and breadth of the problem, and should suggest some possible solutions. The rumor is that the IT department is considering an outright ban on the use of these services, and given the increasing number of IT-oriented attacks it would be foolish not to do so.

At the same time, it should be possible (and well worthwhile) to consider building an in-house storage and sharing solution that could provide the same services, but would allow IT access and oversight. Given the occasionally secretive nature of faculty when it comes to their research and course materials, I expect some feathers may be ruffled along the way.