Cloud-based file sharing and storage applications have become an integral part of the modern, digital organisation. In the aftermath of the pandemic, workers have (for the most part) remained remote and there is increased demand for ubiquitous access to business-critical data and applications.
Platforms such as Google Drive, Dropbox, OneDrive and SharePoint have become increasingly popular amongst organisations of all sizes. The promise of easy access to, and collaboration on, everyday documents, spreadsheets and presentation files is a compelling one, but it doesn’t come without risk.
There is a lot to like about these consumer-oriented cloud services: ease of access, flexible pricing, familiarity. However, one area where almost all of them fall short is security. You see, these are applications that were built from a convenience-first standpoint – designed to be as user-friendly as possible. What’s wrong with that, you ask? Well, the problem is the nature of the information that is being stored and shared. In many cases it is either confidential, sensitive, or personally identifiable. As such, it demands a security-first approach.
Take OneDrive, for example: a very popular platform, but it lacks end-to-end encryption. Microsoft, being Microsoft, also likes to gather metadata to “improve the user experience”. In essence, this means Microsoft knows what files you’re storing, and it may even share this data with third parties in particular instances. The same goes for Dropbox. The company reserves the right to access your information and does not feature client-side encryption.
For a solution that has over 600 million users, Dropbox has had a chequered past when it comes to data security. Early in its tenure it suffered a couple of well-publicised incidents, one of which saw a data breach expose the emails and passwords of over 60 million users. Further incidents occurred in 2014 and 2017, with another data breach confirmed as recently as November 2022, as the result of a phishing attack.
The popularity of services like SharePoint and OneDrive also makes them targets for “threat actors”. Whilst OneDrive does come with ransomware protection (if you have a Microsoft 365 subscription), virus scanning is reactive (via Windows Defender) and relies on threats being known.
There have been several high-profile instances of cybercriminals and state-sponsored cyber-attackers targeting cloud apps this year. In August, Microsoft acknowledged that a Russia-based threat actor was exploiting OneDrive to compromise accounts and steal data.
An even more recent instance was reported by Trend Micro in November, where it observed the cyber-threat group known as Mustang Panda using files stored in Google Drive and Dropbox to distribute malware.
Whilst researching this article we came across a cloud vendor urging users to “choose convenience first, security comes later”. We couldn’t disagree more. We strongly believe that cloud-based file sharing and storage solutions should be secure by design, adopt a zero-trust approach and then deliver a familiar and intuitive user experience.