Over the last 5 years, the volume of information that is shared and/or stored in the public cloud due to the increased use of social media platforms such as Facebook, Twitter, and LinkedIn has soared.  According to a report called “The Growth of Social Media“, compiled by Search Engine Journal:

  • Facebook has in excess of 640 million registered users with over 7 billion pieces of content shared weekly.
  • Twitter has in excess of 299 million registered users with over 95 million tweets per day.
  • LinkedIn has in excess of 100 million registered users

The risks associated with these popular social media platforms are well documented.  Fortunately, businesses worldwide are quickly evolving their understanding of the risks of what information should and should not be communicated or shared by employees via the various social media platforms. However, these same businesses may be at an even greater risk of exposing proprietary and confidential information by their employees through the use of public cloud storage platforms such as Dropbox.

At the Carmel Valley eDiscovery Retreat (CVeDR) held July 22-25, 2012 in Monterey, California, I had the pleasure of moderating several panel discussions on cloud computing featuring industry experts in eDiscovery, Internet security and the legal risks associated with storing data in a public cloud.  The consensus from the panels was that storing any data in the public cloud poised both a security and a legal risk. 

The recommendations from these experts regarding what data businesses should put in the public cloud varied from “don’t put any data in the public cloud” to “don’t put any proprietary or confidential data in the public cloud.”  However, regardless of what the experts say, the operational efficiencies and financial incentives of cloud computing are just too great for businesses to ignore.  But, that doesn’t mean that business owners should ignore the facts.

The Experts are Cautious

The consensus among the CVeDR cloud panel experts was that there was probably more data stored in Dropbox than most businesses realized and that it was a potential source of risk. Several of the lawyers on the CVeDR panels indicated that a business could potentially lose its claims to properly protecting trade secrets and other proprietary information by merely storing data in storage technologies like Dropbox.  The security experts on the CVeDR panel contended that there were still some very worrisome security issues with storage technologies like Dropbox.

What DropBox Says

According to its website, Dropbox contends that they use modern encryption methods to both transfer and store your data such as Secure Sockets Layer (SSL) and AES-256 bit encryption.  In addition Dropbox contends that the Dropbox website and client software have been hardened against attacks from hackers, that public folders are not browsable or searchable and public files are only viewable by people who have a link to the file(s).

What Can Happen

However, Dropbox actually uses Amazon’s Simple Storage Service (S3) for storage and therefore they really don’t even have direct control over the security of the files that you store.   The potential problems with Cloud Service Providers (CSPs) such as Aamazon S3 was very evident this summer as a severe storm that rumbled across the Eastern U.S, leaving nine people dead and millions without power, also disrupted an Amazon Web Services data center, affecting service for social media sites like Pinterest, Instagram and Netflix, which host their services at Amazon’s data centers.

In regards to these cloud storage vendors being able to keep data secure. Dropbox confirmed Tuesday, July 31, 2012 that its users had been experiencing a spam onslaught, and reported that the issue was tracked to employee. “Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts,” said Aditya Agarwal, VP of engineering at Dropbox, Tuesday in a blog post.

However, many of the spam attacks were ultimately traced to a password-reuse problem that existed within Dropbox itself. “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses,” said Agarwal. “We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.” Those controls will include a page that lets users review the login history related to their account, mechanisms for identifying suspicious activity, as well as two-factor authentication.

There is no doubt that weather related issues have knocked out corporate data centers and passwords have been compromised behind the firewalls of even the largest corporations in the world.   However, when this happens, the corporate stakeholders at least have someone to hold accountable.  When these types of things happen with a cloud storage provider such as DropBox, the DropBox Service Level Agreement (SLA) protects DropBox from any direct responsibility or damages.

Recommendation

Moving data to the public cloud is already happening at an accelerating rate.  And, the operational efficiencies and financial benefits are just too great for this trend to slow down.  Therefore, even though it is a fair question to ask if it is safe to move your data to a public cloud, a more realistic question might be, “What do I need to know and what do I need to do to ensure that my data will be safe once I move it to the public cloud?

With input and guidance from the CVeDR cloud panel experts, my recommendations are as follows:

  1. Don’t move any business data to the public cloud that is confidential, proprietary or is the essence of valuable corporate Intellectual Property (IP).
  2. Have your legal department read the providers Service Level Agreement (SLA).
  3. Develop and/or follow corporate data retention policies in regards to the data you store in the public cloud.
  4. Develop and/or follow corporate password and other security policies in regards to the data you store in the public cloud.
  5. Talk to the cloud storage provider about eDiscovery and develop a joint plan for how it is going to be accomplished and how much it is going to cost.

Storing data in the public cloud is inexpensive and very efficient.  Just be aware that there are risks that need to be mitigated and addressed.