I am a heavy (and paying) user of Dropbox, using it both for business and personal storage and synchronization. Although I find the service incredibly useful, Dropbox is far from perfect, especially for business users. So I thought I would take a few moments to talk about what I’d like to see Dropbox improve.
The Ultimate Honeypot
I often wonder why Dropbox hasn’t yet had a major security breach. Considering the number of people I know who use the service and the incredibly personal and valuable data I know they store there, Dropbox must be one of the richest targets on the Internet!
I must assume that their employees are doing a decent job of keeping on top of the inevitable and continuing hack attempts, but eventually they must fail. After all, it is obvious that user data is not accessible to the company. I hear everything is protected with a single encryption key…
One of the signature elements of Dropbox is global deduplication of data. All uploads are “hashed” with a digital signature which is checked against all the data from every other user. If I upload a file that Dropbox has already “seen”, I’ll get a pointer to their chunks rather than my own. This would be impossible without universal access to the data itself.
This means that the Dropbox software, and thus their staff, can access any user’s data. So hackers probably spend a good amount of time trying to convince the staff to let them in using social engineering, spear phishing, and similar tricks. Plus, if they found a hole in the software and got into the Dropbox servers, hackers could likely access all the data everywhere.
More Than Single Sign-On
Dropbox for Teams sucked. Sure it added a unified control panel for accounts associated with a business, but was ridiculously limited: There was no Active Directory or LDAP integration for single-sign-on. Now that Dropbox has revved Teams into “Dropbox for Business” and added Active Directory and Single Sign-On, they’re set, right? Not exactly.
There’s still no content audit or control mechanism, so users can use “unlimited” online Business storage for whatever they want, be it personal or sensitive (see “Security”). About the only thing an admin can do is see who’s sharing what outside the Business and the last thing they did. That’s not much functionality.
Dropbox really needs to step up their game to appeal to corporate IT folks. But it doesn’t seem that they have any idea what these customers might want. Yes, they added AD support. But what about everything else?
Dropbox really reminds me of Apple: They don’t know anything about enterprise IT and don’t seem to care.
The Single Account Limit
The worst aspect of Dropbox in business environments is the fact that it’s absolutely useless for existing Dropbox users! See, the Dropbox client software (be it PC, Mac, iOS, etc) can only access one account. So each device can be associated with either a user’s own personal Dropbox account or the Business account, but not both.
Considering that Dropbox for Business is supposed to allow companies to wrestle a bit of control back from “rogue” Dropbox users, this sucks. The very people you’re trying to attract will rebel and complain that they can’t access their personal data anymore! They’ll resist this just as much as any third-party product.
Dropbox’s answer to me when I asked this question resulted in a massive face palm: “Share data between a user’s Business and personal account!” Seriously? There’s no way I want to give my employer access to my personal data or vice versa!
The only real solution is for the Dropbox client to support multiple accounts, but the company is reluctant to do this. I suspect that they fear users would just create multiple free accounts instead of paying for the service!
Note: There are hacks to access multiple Dropbox accounts on PC or Mac, but these are not a complete, appropriate, or advisable alternative for businesses.
Drowning In Sync Updates
Another serious challenge for Business users of Dropbox is that the service is “all or nothing” when it comes to syncing. Once more than a few users are actively using a Business account, file updates start coming fast and furious! But users that turn this off with Selective Sync lose all local access to those files!
Selective Sync allows a Dropbox user to turn off syncing of certain folders on certain clients. This helps reduce the amount of data downloaded and could also reduce the flood of syncs for a folder actively used by others.
But Selective Sync is all or nothing: Turn off a folder and it disappears from your Mac or PC with no offline access or even any indication it was ever there! Users have to re-enable an entire folder to see anything in it, resulting in a potentially-large download before they can get to work. And you can’t “Selective Sync” a file, just a folder.
The phone, tablet, and web clients work differently, showing the entire share but only downloading on demand. This is useful if you need to download something from a rarely-used folder, but it’s not useful if you’re on the go and lack connectivity!
Plus, Selective Sync is buried under “Advanced” preferences. I imagine most users don’t even know it’s there.
Stephen’s Stance
Although Dropbox for Business is an improvement over the nearly-useless Teams product, Dropbox needs to do a lot:
- Integrate client-side encryption of data, even as an option, so we don’t have to go “third-party”
- Share more security information so we feel better about trusting it with our data
- Create a real “Enterprise Dropbox” offering with real IT integration and content controls
- Add multi-account support to all clients
- Improve Selective Sync and allow on-demand downloading for Mac and PC clients
- Improve offline access for phone and tablet users
Until we see these, I will not recommend Dropbox for use with corporate or sensitive personal data. Although I am a (paying) customer, I am not completely happy with the product!
Image credit: peptic_ulcer
Anon says
Spot on. Another of the qualms we had trying to appease the users that had valid business justification was the complete lack of control given to admins for SSL interception (for DLP purposes, etc.). While the web ver was simple enough to do, there was no way we could mitm the client because we had no access to that apps cert store.
Len Srinivasan says
Great article. We have heard his use case multiple times where an IT – Director or CIO says he uses Dropbox for himself but doesn’t allow their employees to use it, primarily because of the lack of security. I work for Vembu Technologies and we have hence designed a solution called – SyncBlaze, which is more like Dropbox for businesses but with enhanced security features. It comes with mobile apps for Android, iOS etc.. and has all consumerish features of DropBox, but the businesses can have their data securely stored either on-premise or in an offsite location.
larstr says
Good points, Stephen! These topics needs to be brought up more often, maybe it in the end will get the attention needed. I still suspect that somebody will gain access to all files before attention to the single key problem is highlighted as it’s saves Dropbox quite a bit on the storage side.
FreeWorld says
the problem with dropbox is that it make duplicates of your files on your harddisk… we need a solution to storage our files on the web and no cloud around is doing it (if you mention box… it’s a shitty option since it has no value do to slow upload speed, it remembers me the early years of internet 94-95)
amn says
” If I upload a file that Dropbox has already “seen”, I’ll get a pointer to their chunks rather than my own. This would be impossible without universal access to the data itself.” Really? Impossible? Are you sure? How about hashing encrypted data? If files A and B are identical, their encrypted equivalents will be identical, and hashes of these identical encrypted products? Identical.
steve says
Things have changed somewhat since this review. Are you now happy?
Jacques Gauthier says
Dropbox had a major security breach in 2012.
I find their support to be useless. Had an issue with a shared folder using accented characters (using two different unicode tables) dropbox support dit not resolve it. Anytime we tried to delete the directory, it would be re-created via a sync.
Whenever I sent an email to support I get some copy-pasted cookie cutter answer which does not address my questions.