DropBox – Security Best Practices for External Sharing on Content Collaboration Platforms

The Security Best Practices for External Sharing on Content Collaboration Platforms blog series examines the state of security for external sharing on the leading Content Collaboration Platforms (CCP). Each week we’ll review a different platform and make security best practice recommendations.

Background

Dropbox was founded in 2007 by MIT student Drew Houston, because as the story goes, he had become frustrated with his USB stick storage solution. He created a simple online service that allowed consumers to store all their files while syncing them to their computers and smartphones. Today, Dropbox has over half a billion global users with 1.2 billion files uploaded everyday. Although Dropbox began life as a consumer platform it has gradually shifted its focus to the enterprise. In 2013 it launched Dropbox Business and now has over 150,000 paying enterprise customers, that represent two-thirds of its billion dollar annual revenue. Dropbox has also recently launched DropBox Paper a collaboration service that allows its customers to create documents and projects. It’s believed that Dropbox will continue adding features to Paper so that it can compete more effectively with Microsoft Office and Google G Suite. Dropbox is planning on going public in 2018 as a 10X “Unicorn” or higher.

Dropbox’s heritage as a consumer service has both helped and hindered it in the brutally competitive world of enterprise Content Collaboration Platforms (CCP). On the positive side Dropbox has always garnered high praise for its simple and intuitive UI. Its widespread adoption by consumers has also assisted it in penetrating the enterprise market. More negatively it has had to play catch-up with more enterprise-focused companies like Box because the original Dropbox solution was not architected around the concept of an all-controlling administrator. 

External Sharing Security Issues

As noted above DropBox has struggled with the perception that it was not originally intended for the enterprise. It certainly has had its fair share of security issues. In August 2016 Dropbox was forced to reset its members’ passwords because it was discovered that in 2012 over 68 million account passwords had been hacked. Many questioned why it took four years for Dropbox to take action. In another high-profile story former NSA contractor turned whistleblower, Edward Snowden, very publicly singled Dropbox out for criticism, saying that it was “hostile to privacy” and told users to “get rid of it” because of its readiness to turn over files to law enforcement. Finally, like other CCPs, Dropbox had the “unprotected shared link inadvertently indexed on Google” problem which led to exposed documents. These vulnerabilities underscore how collaborating particularly beyond the walled garden of your enterprise CCP can be risky. Mitigating this risk will continue to be a challenge since enterprises will never have the same level of control over external users as they do over their own users.

Four External Sharing and Collaboration Security Best Practices for Dropbox

1 – Structure your Team Folders and Groups carefully

Our first security recommendation is to spend time structuring your team folders since they offer a more secure and controlled way for your organization to collaborate. Note team folders are different from regular shared folders because they are created by your admin and they automatically appear in a member’s Dropbox. These folders are accessed by groups. Groups are created and managed by admins and include lists of members who need access to the same information. Group members are automatically added to all team folders that the group has been invited into. Note groups can be created and managed either by admins or users. We recommend that groups be managed by admins so that you can keep a tight lid on who joins and leaves each group. The other key ability of a group admin is the ability to assign one of two roles (editor or view-only) to each member of a group.  Since only editors can share content with collaborators outside of your group you should be highly selective as to who becomes an editor. All the team folder and groups settings can be accessed in the Admin Console (see below).

2 – Understand your sharing options

Shared files and links are the Dropbox solution to email attachments. The main difference between them is that only people you invite to a shared file can view the file, while anyone with a link can view your files, no Dropbox account required. Because of this shared links should never be used for sensitive files since they only have “security by obscurity” and in today’s breach-prone world, one can never bet on maintaining obscurity for the long haul.  We recommend the shared file approach because it has easy-to-use security tools available, including permission levels (don’t make everyone an editor if you don’t need to), passwords and expiration options, but tools only work if you train your users to use them. For the most part we recommend that admins are conservative with their security options. It’s best to force users to seek permission to share externally rather than make it the default. All the shared files and sharing links  settings can be accessed in the Admin Console (see below).

3 – Monitor the sharing activity of your members

Dropbox has spent considerable resources improving their admin reporting capability with the result that their “Activity” area now offers very flexible and comprehensive reports. It is good practice to regularly monitor the sharing activities of your members. You can generate reports of activity across your Business account for a specific period by clicking Activity from within the Admin Console (See below). Dropbox currently has 149 sharing-focused reports. Reports such as “Added non-team members to a shared folder” or “Downloaded a file/folder from a link (non-team member)” are a good place to start when monitoring external sharing.

4 – Consider managing the identities of your external users

Shared links and folders are convenient ways for external collaboration but unfortunately the security is ultimately left up to the recipient of the data, since they control their Dropbox account not you. For many organizations with sensitive data this situation is unacceptable. This leaves them with two options:

  1. Provide their outside user with one of their own corporate Dropbox accounts so that they can impose their enterprise security policies on the external user. This however, for many organizations, is not all that appealing for both cost and security reasons.
  2. A better option is for your organization to manage the identities of your external users itself. Resilient Access™ was built to accomplish this. By provisioning all external users Resilient is able to maintain full control over who and how each external user sees your data. Also with this approach your organization has complete flexibility to go beyond Dropbox’s own native security and add any type of MFA or other security measures. You can schedule a demo here to learn more about how we extend an enterprise’s security control to external users.