Risk
5/24/2012
05:44 PM

IBM Bans Dropbox: Should SMBs Follow Suit?

IBM's about-face on bring-your-own policy might be too draconian for small companies, but it serves as a reminder that some popular cloud services come with inherent risks.

If the bring-your-own era makes a technology bellwether like IBM uncomfortable, what does that mean for the rest of us?

If you missed it, Big Blue recently banned its 400,000 employees from using Dropbox, Apple's Siri, and other well-known applications on the corporate network. Given that IBM's business is technology, the decision to restrict which technologies its people can use to do their jobs is an eyebrow-raiser. Should small and midsize businesses (SMBs) pursue a similar policy?

It depends on whom you ask. IBM obviously has a different set of needs and challenges--not to mention a different budget--than most SMBs. Still, IBM's revised approach does offer some reminders for any company that allows or even encourages employees to provision their own tools for activities such as backup or collaboration. Among IBM's reasons for the policy change: Security-related concerns. IntraLinks CTO John Landy thinks the security risks of a bring-your-own-cloud (BYOC) approach are very real, no matter the size of the business.

"The risk of allowing BYOC is inherent in any organization that owns confidential or critical information, which I would assume is every corporation in existence," Landy said via an email interview. "Assuming that there is a risk associated with corporate documents, the best alternative is to follow IBM’s lead and find a solution that allows for compliance and governance, rather than allowing untethered access to Dropbox, Box, Google Drive, and other consumer-grade platforms."

Landy has a business interest at stake: IntraLinks, like Citrix's ShareFile and similar file-sharing and collaboration platforms, was built specifically with business users in mind, ignoring the consumer market. And when you're constantly asking employees to do more with less--standard operating procedure for many SMBs--restricting the tools they use to get things done can seem self-defeating. There's also that minor matter of enforcement. IBM has the wherewithal to practice what it preaches, but when IT and financial resources are already spread thin, trying to keep people from sending corporate files to their personal Gmail accounts might be an exercise in futility.

Or, as Analysys Mason principal analyst Steve Hilton put it via email: "As speakeasy owners during the U.S. Prohibition would likely tell you, it’s hard to prohibit something people really want."

Hilton ultimately thinks the Dropboxes and Google Drives of the world don't pose untenable problems for most SMBs: "I believe the underlying security of consumer-grade cloud solutions is fine for a SMB. It’s unlikely that some hacker is going to spend the time searching for top-secret SMB documents in Dropbox." Still, that doesn't mean he'd recommend them as business-critical applications. Like Landy of IntraLinks, Hilton sees clear risks in using consumer-oriented technologies for business. The first is a lack of control over the company's intellectual property (IP): "I don’t like the idea of allowing employees to put corporate IP in an account where I have no access to it," he said. The second is a lack of visibility: "I’d like to be able to see what employees are putting in cloud-based collaboration files whenever I wish."

Ask Techaisle CEO Anurag Agrawal whether smaller companies should follow IBM's lead, and you'll get a one-word answer: No. "It is like trying to say that SMBs should not use search because Google is tracking every request and storing it for future use," he said via email, adding that Techaisle itself uses Dropbox. (To boot, I'm working on this story in a Dropbox folder.) "Technologies like Dropbox are instrumental in supporting and driving new ways of working within SMBs."

It's not that Agrawal is cavalier about the potential risks of using public services such as YouTube, Skype, or Twitter in a corporate setting. Rather, he sees BYOC as an inevitable, positive shift involving risks that can be proactively managed with a mix of policy, education, and technology. Is there a downside in storing corporate data in a personal Dropbox account? Yep. But Agrawal thinks the upside of BYOC is greater for SMBs, most of which operate without even a small fraction of IBM's resources. "The widespread availability of cloud services has empowered individual workers to use services that would otherwise not be available or would take an enormous amount of time to be deployed," Agrawal said. "Next-generation cloud applications originally targeted for consumers are actually enabling SMB workers to collaborate in new ways that accelerate business productivity, growth, and innovation."

Analysys Mason's Hilton offers a bottom line: If you do restrict what tools and applications your employees use to do their jobs, you'd better provide an alternative. An SMB that followed IBM's lead and banned Dropbox, for instance, would be spitting into the wind without deploying another cloud collaboration platform; Hilton pointed to Microsoft's SharePoint and Cisco's Hosted Collaboration Solution as examples of business-oriented alternatives.

"The best approach is the old carrot-and-stick," Hilton said. "Provide employees with a SMB-grade cloud collaboration solution and discourage the use of consumer-grade cloud."

Comments
QQ10,
User Rank: Apprentice
7/8/2013 | 9:09:10 AM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
In fact, IBM should ban Facebook, Baidu. Much information can be found there!
The New Fulcrum Point,
User Rank: Apprentice
5/30/2012 | 7:08:31 AM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
IBM bans Dropbox, not good!
MyW0r1d,
User Rank: Apprentice
5/25/2012 | 3:47:21 PM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
In a world where saying "Follow me on Facebook" or "I'm on Twitter" are ends to themselves without a sound strategy to actually use the applications, it is refreshing to see a major company that understands information control is fundamental and vital to competitiveness and survivability. More so, that they are taking steps to control their internal information management when it would be easy to use the opportunity to attack others. Sound business strategy, kudos to IBM.