ISG Position Paper: Use of Dropbox

Date: June 5, 2012
To: All Members of the Brown University Community
Re: ISG Position Paper – Use of Dropbox *

The increased use of the cloud for storage, sharing and synchronization has led to many questions to the Information Security group about the use of Dropbox as a secure solution. With this in mind, the following ISG position paper has been developed to provide the standard message and posture of the University relative to the use of Dropbox, and to maintain the risk posture of the University.

The Information Security Group Review and the Position of the University on Dropbox:

The official posture of the University is that Dropbox should be used only as a tool of convenience for sharing and storing files that do not contain Brown information which is regulated, restricted, confidential, or personally identifiable. All information that falls in those categories must be maintained in a system that is owned and managed by Brown, or is under strict legal contracts with the university to do so (e.g., Google Drive. Please see the Policy on Handling Brown Restricted Information for specifics.). Dropbox does not fall into this category.

It should be noted, and the entire Brown community be warned, that Dropbox has had (and continues to have) serious security deficiencies. Of major concern is the lack of encryption in storage, leading to all files being stored in clear text and available to the administrators of Dropbox (and someone who can exploit their login process). Not only is their model built for convenience and low levels of security, they have been found guilty of mis-informing the public of their security posture by the Security and Exchange Committee. Calendar year 2011 was not a good year for them relative to many security concerns that went public, and the company indicates that they are comfortable with their security posture as it pertains to their current business model and practices. The security community who has been watching Dropbox for improvement has seen little to no progress in their security posture.

While ISG understands the need for sharing and collaboration of large files across the Internet, the security of Brown data must always be paramount in our approach. Dropbox has serious deficiencies in the area of security, and should only be used for convenience, and never for Brown restricted information. ISG will continue to observe the progress of Dropbox, and also be seeking a secure alternative solution. This position paper provides balance to the needs of Brown and cloud storage of Brown restricted information, while more importantly focusing on the continuing security of the University and reducing its overall risk.

David Sherry
Chief Information Security Officer
Brown University

* This position paper refers to the public Dropbox and not the Brown solution.

Questions or comments to:

Last Reviewed: May, 2014