Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/24/2012
05:44 PM
50%
50%

IBM Bans Dropbox: Should SMBs Follow Suit?

IBM's about-face on bring-your-own policy might be too draconian for small companies, but it serves as a reminder that some popular cloud services come with inherent risks.

9 Startups To Watch In 2012
9 Startups To Watch In 2012
(click image for larger view and for slideshow)
If the bring-your-own era makes a technology bellwether like IBM uncomfortable, what does that mean for the rest of us?

If you missed it, Big Blue recently banned its 400,000 employees from using Dropbox, Apple's Siri, and other well-known applications on the corporate network. Given that IBM's business is technology, the decision to restrict which technologies its people can use to do their jobs is an eyebrow-raiser. Should small and midsize businesses (SMBs) pursue a similar policy?

It depends on whom you ask. IBM obviously has a different set of needs and challenges--not to mention a different budget--than most SMBs. Still, IBM's revised approach does offer some reminders for any company that allows or even encourages employees to provision their own tools for activities such as backup or collaboration. Among IBM's reasons for the policy change: Security-related concerns. Intralinks CTO John Landy thinks the security risks of a bring-your-own-cloud (BYOC) approach are very real, no matter the size of the business.

[Read Box Improves Admin, Security Tools For Enterprises.]

"The risk of allowing BYOC is inherent in any organization that owns confidential or critical information, which I would assume is every corporation in existence," Landy said via an email interview. "Assuming that there is a risk associated with corporate documents, the best alternative is to follow IBM’s lead and find a solution that allows for compliance and governance, rather than allowing untethered access to Dropbox, Box, Google Drive, and other consumer-grade platforms."

Landy has a business interest at stake: IntraLinks, like Citrix's ShareFile and similar file-sharing and collaboration platforms, was built specifically with business users in mind, ignoring the consumer market. And when you're constantly asking employees to do more with less--standard operating procedure for many SMBs--restricting the tools they use to get things done can seem self-defeating. There's also that minor matter of enforcement. IBM has the wherewithal to practice what it preaches, but when IT and financial resources are already spread thin, trying to keep people from sending corporate files to their personal Gmail accounts might be an exercise in futility.

Or, as Analysys Mason principal analyst Steve Hilton put it via email: "As speakeasy owners during the U.S. Prohibition would likely tell you, it’s hard to prohibit something people really want."

Hilton ultimately thinks the Dropboxes and Google Drives of the world don't pose untenable problems for most SMBs: "I believe the underlying security of consumer-grade cloud solutions is fine for a SMB. It’s unlikely that some hacker is going to spend the time searching for top-secret SMB documents in Dropbox." Still, that doesn't mean he'd recommend them as business-critical applications. Like Landy of IntraLinks, Hilton sees clear risks in using consumer-oriented technologies for business. The first is a lack of control over the company's intellectual property (IP): "I don’t like the idea of allowing employees to put corporate IP in an account where I have no access to it," he said. The second is a lack of visibility: "I’d like to be able to see what employees are putting in cloud-based collaboration files whenever I wish."

Ask Techaisle CEO Anurag Agrawal whether smaller companies should follow IBM's lead, and you'll get a one-word answer: No. "It is like trying to say that SMBs should not use search because Google is tracking every request and storing it for future use," he said via email, adding that Techaisle itself uses Dropbox. (To boot, I'm working on this story in a Dropbox folder.) "Technologies like Dropbox are instrumental in supporting and driving new ways of working within SMBs."

It's not that Agrawal is cavalier about the potential risks of using public services such as YouTube, Skype, or Twitter in a corporate setting. Rather, he sees BYOC as an inevitable, positive shift involving risks that can be proactively managed with a mix of policy, education, and technology. Is there a downside in storing corporate data in a personal Dropbox account? Yep. But Agrawal thinks the upside of BYOC is greater for SMBs, most of which operate without even a small fraction of IBM's resources. "The widespread availability of cloud services has empowered individual workers to use services that would otherwise not be available or would take an enormous amount of time to be deployed," Agrawal said. "Next-generation cloud applications originally targeted for consumers are actually enabling SMB workers to collaborate in new ways that accelerate business productivity, growth, and innovation.

Analysys Mason's Hilton offers a bottom line: If you do restrict what tools and applications your employees use to do their jobs, you'd better provide an alternative. An SMB that followed IBM's lead and banned Dropbox, for instance, would be spitting into the wind without deploying another cloud collaboration platform; Hilton pointed to Microsoft's Sharepoint and Cisco's Hosted Collaboration Solution as examples of business-oriented alternatives.

"The best approach is the old carrot-and-stick," Hilton said. "Provide employees with a SMB-grade cloud collaboration solution and discourage the use of consumer-grade cloud."

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
QQ10
50%
50%
QQ10,
User Rank: Apprentice
7/8/2013 | 9:09:10 AM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
In fact, IBM should bans Facebook, Baidu. Many information can be found there !
The New Fulcrum Point
50%
50%
The New Fulcrum Point,
User Rank: Apprentice
5/30/2012 | 7:08:31 AM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
IBM bans Dropbox, not good!
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
5/25/2012 | 3:47:21 PM
re: IBM Bans Dropbox: Should SMBs Follow Suit?
In a world where saying "Follow me on Facebook" or "I'm on Twitter" are ends to themselves without a sound strategy to actually use the applications, it is refreshing to see a major company that understands information control is fundamental and vital to competitiveness and survivability. More so, that they are taking steps to control their internal information management when it would be easy to use the opportunity to attack others. Sound business strategy, kudos to IBM.
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...