Risk
5/24/2012
05:44 PM
Connect Directly
RSS
E-Mail
50%
50%

IBM Bans Dropbox: Should SMBs Follow Suit?

IBM's about-face on bring-your-own policy might be too draconian for small companies, but it serves as a reminder that some popular cloud services come with inherent risks.

9 Startups To Watch In 2012
9 Startups To Watch In 2012
(click image for larger view and for slideshow)
If the bring-your-own era makes a technology bellwether like IBM uncomfortable, what does that mean for the rest of us?

If you missed it, Big Blue recently banned its 400,000 employees from using Dropbox, Apple's Siri, and other well-known applications on the corporate network. Given that IBM's business is technology, the decision to restrict which technologies its people can use to do their jobs is an eyebrow-raiser. Should small and midsize businesses (SMBs) pursue a similar policy?

It depends on whom you ask. IBM obviously has a different set of needs and challenges--not to mention a different budget--than most SMBs. Still, IBM's revised approach does offer some reminders for any company that allows or even encourages employees to provision their own tools for activities such as backup or collaboration. Among IBM's reasons for the policy change: Security-related concerns. Intralinks CTO John Landy thinks the security risks of a bring-your-own-cloud (BYOC) approach are very real, no matter the size of the business.

[Read Box Improves Admin, Security Tools For Enterprises.]

"The risk of allowing BYOC is inherent in any organization that owns confidential or critical information, which I would assume is every corporation in existence," Landy said via an email interview. "Assuming that there is a risk associated with corporate documents, the best alternative is to follow IBM’s lead and find a solution that allows for compliance and governance, rather than allowing untethered access to Dropbox, Box, Google Drive, and other consumer-grade platforms."

Landy has a business interest at stake: IntraLinks, like Citrix's ShareFile and similar file-sharing and collaboration platforms, was built specifically with business users in mind, ignoring the consumer market. And when you're constantly asking employees to do more with less--standard operating procedure for many SMBs--restricting the tools they use to get things done can seem self-defeating. There's also that minor matter of enforcement. IBM has the wherewithal to practice what it preaches, but when IT and financial resources are already spread thin, trying to keep people from sending corporate files to their personal Gmail accounts might be an exercise in futility.

Or, as Analysys Mason principal analyst Steve Hilton put it via email: "As speakeasy owners during the U.S. Prohibition would likely tell you, it’s hard to prohibit something people really want."

Hilton ultimately thinks the Dropboxes and Google Drives of the world don't pose untenable problems for most SMBs: "I believe the underlying security of consumer-grade cloud solutions is fine for a SMB. It’s unlikely that some hacker is going to spend the time searching for top-secret SMB documents in Dropbox." Still, that doesn't mean he'd recommend them as business-critical applications. Like Landy of IntraLinks, Hilton sees clear risks in using consumer-oriented technologies for business. The first is a lack of control over the company's intellectual property (IP): "I don’t like the idea of allowing employees to put corporate IP in an account where I have no access to it," he said. The second is a lack of visibility: "I’d like to be able to see what employees are putting in cloud-based collaboration files whenever I wish."

Ask Techaisle CEO Anurag Agrawal whether smaller companies should follow IBM's lead, and you'll get a one-word answer: No. "It is like trying to say that SMBs should not use search because Google is tracking every request and storing it for future use," he said via email, adding that Techaisle itself uses Dropbox. (To boot, I'm working on this story in a Dropbox folder.) "Technologies like Dropbox are instrumental in supporting and driving new ways of working within SMBs."

It's not that Agrawal is cavalier about the potential risks of using public services such as YouTube, Skype, or Twitter in a corporate setting. Rather, he sees BYOC as an inevitable, positive shift involving risks that can be proactively managed with a mix of policy, education, and technology. Is there a downside in storing corporate data in a personal Dropbox account? Yep. But Agrawal thinks the upside of BYOC is greater for SMBs, most of which operate without even a small fraction of IBM's resources. "The widespread availability of cloud services has empowered individual workers to use services that would otherwise not be available or would take an enormous amount of time to be deployed," Agrawal said. "Next-generation cloud applications originally targeted for consumers are actually enabling SMB workers to collaborate in new ways that accelerate business productivity, growth, and innovation.

Analysys Mason's Hilton offers a bottom line: If you do restrict what tools and applications your employees use to do their jobs, you'd better provide an alternative. An SMB that followed IBM's lead and banned Dropbox, for instance, would be spitting into the wind without deploying another cloud collaboration platform; Hilton pointed to Microsoft's Sharepoint and Cisco's Hosted Collaboration Solution as examples of business-oriented alternatives.

"The best approach is the old carrot-and-stick," Hilton said. "Provide employees with a SMB-grade cloud collaboration solution and discourage the use of consumer-grade cloud."

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
QQ10
50%
50%
QQ10,
User Rank: Apprentice
7/8/2013 | 9:09:10 AM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
In fact, IBM should bans Facebook, Baidu. Many information can be found there !
The New Fulcrum Point
50%
50%
The New Fulcrum Point,
User Rank: Apprentice
5/30/2012 | 7:08:31 AM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
IBM bans Dropbox, not good!
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
5/25/2012 | 3:47:21 PM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
In a world where saying "Follow me on Facebook" or "I'm on Twitter" are ends to themselves without a sound strategy to actually use the applications, it is refreshing to see a major company that understands information control is fundamental and vital to competitiveness and survivability. More so, that they are taking steps to control their internal information management when it would be easy to use the opportunity to attack others. Sound business strategy, kudos to IBM.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5619
Published: 2014-09-29
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which . is not a reserved name, which allows local users to hide activities it more difficult to conduct forensics activities, as demonstrated by Flame.

CVE-2012-5621
Published: 2014-09-29
lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows remote attackers to cause a denial of service (crash) via an OPAL connection with a party name that contains invalid UTF-8 strings.

CVE-2012-6107
Published: 2014-09-29
Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2012-6110
Published: 2014-09-29
bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor.

CVE-2013-1874
Published: 2014-09-29
Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.