Dropbox in MCECS – Usage, Security and Privacy concerns

Dropbox, an online file repository/backup service, has been gaining in popularity. Its ease of setup and use for personal systems has resulted in rapid adoption among people trying to sync and transfer data between home desktops, laptops and other mobile devices.

We are seeing increased use of this service among faculty, staff and student users. While Dropbox is a hit at home, it has had a rocky road trying to adapt to corporate and centrally driven IT environments – both at a technical and policy level. MCECS users face many of these same challenges.

Usage


Stationary Faculty/Staff with CAT supported desktops


By design, CAT-supported computers are set up to handle multiple users. Dropbox typically presumes a single user per system with local storage. It needs to cache (store) a copy of all shared data on each computer on which it is configured. Attempting to install Dropbox in our environment can cause this cache to be stored improperly, which leads to disk quota problems. If you sit at the same CAT-supported computer all day, Dropbox can be configured to work properly. Contact us for details.


Users who move between CAT supported desktops


If you move between computers (as is the case for most student users), it is not possible to set up Dropbox for reliable use. We direct these users to the web-based Dropbox service. It is less convenient, but you can still access your shared data.

Tier 3 Users

If you are managing your own computer/laptop (i.e., Tier 3 support), you can install Dropbox as you would at home and it should work properly.

Security of Shared Data


Confidential information on third-party servers


Some documents and data that you handle may be subject to non-disclosure, confidentiality and security requirements. Make sure that documents of this nature are not stored and shared via services like Dropbox (or Google Docs and other online services) UNLESS they are encrypted before they are stored and shared. While Dropbox may tout various security provisions, it does not have any agreements with PSU, and your use of the service is as an individual and not as a PSU employee or student.

Sharing Data means risk is driven by the least secure link in the chain

Since the Dropbox sharing model requires ALL shared data to be stored on every system it is shared with, the security of this data will be determined by the least secure of those systems. Keep this in mind when deciding what you share via Dropbox.

Known issues with the Dropbox security model


Recent public disclosures have raised some concerns about the authentication model Dropbox uses once it is installed. (It uses an authentication model similar to saved cookies, which can be copied and exploited by an attacker.)

Your own privacy


As Dropbox accounts are personal in nature, users tend to mix personal and work-related data in them. Keep in mind that if you set up Dropbox on a computer at PSU, ALL the data in your Dropbox store (including personal information that you may be “storing” in the cloud) will also be replicated on the PSU system. This can include items such as banking documents, tax forms, health info, etc.

In the event of a lawsuit or administrative action, PSU can sometimes mandate the gathering of snapshots of all the data on selected work computers. Your personal data, mirrored at PSU by Dropbox, can then end up collected and analyzed. If you are concerned about this, you may want to rethink your sharing strategy when you use Dropbox.

Recommendations


People are attracted to Dropbox because of its ease of use. This document attempts to illustrate some of the pitfalls so that you can avoid them. If you are comfortable with encrypting your files, that is often the best technique to mitigate some of the problems with storing and sharing confidential data, be it via Dropbox, E-mail or any other transfer system. If you find file/folder encryption problematic to use, we recommend you only use Dropbox for sharing material that is not of a confidential nature.