Leading cloud storage provider Dropbox is arguably having its worst month since launching back in 2007—but with over half a billion users, it's somewhat surprising that serious issues have only begun to surface between the ubiquitous service and the people trusting it with their files. First, in a recent announcement reminiscent of LinkedIn's latest data breach fiasco, Dropbox announced several weeks ago that over 68 million emails and passwords were compromised in a previously disclosed 2012 data breach. And now, security experts are criticizing the company for misleading OS X users into granting admin password access and root privileges to their systems. What recourse do consumers have when cloud services providers "drop the box" on security, or even worse—when their actions directly jeopardize the users they're supposed to protect?
Dropbox announced back in 2012 that a data breach involving the theft of user data was only limited to email addresses. However, recent revelations have prompted the company to disclose that over 68 million hashed and salted passwords—along with emails—were compromised.
Similar to the LinkedIn data breach, critics are blasting Dropbox for its late disclosure of the breach's extremity. But it seems the cloud storage provider has yet another fiasco on its hands—this time, regarding trust violations committed actively by the firm against its own users. On September 9th, sources from Hacker News and Twitter revealed that the Dropbox Mac desktop client is able to gain root system access via the Mac’s Accessibility permissions list—without first requesting permission from users.
These recent developments certainly raise questions about the security mechanisms instituted by cloud storage providers, as well as the degree of trust placed in the hands of cloud vendors. Do UpGuard CSTAR ratings offer clues regarding cloud storage providers' security fitness, trustworthiness, and enterprise resilience? Let's see how each respective vendors' website perimeter security mechanisms stack up.
Cloud Storage Provider Roundup
We start the comparison with the two largest competing cloud storage providers by market share, Dropbox and Box, followed by other leading offerings in the category—several of which are marketed as "secure" cloud storage providers, touting strong security/privacy as their primary differentiator.
Dropbox scores high when it comes to bolstering its website perimeter and email/web server security, with only a couple of existing security gaps: lack of HttpOnly Cookies for helping mitigate the risk of client side script attacks and the absence of DNSSEC for providing origin authority, data integrity, and authenticated denial of existence.
Box is Dropbox's biggest competitor and second in terms of market share, popular amongst business users and enterprises alike. When it comes to website perimeter and email/web server security, however, Box beats out Dropbox with its excellent CSTAR score. Aside from a lack of DNSSEC, no other serious security shortcomings exist.
Swiss secure encrypted file storage provider Tresorit (German for "secure" or "vault") boasts improved security and privacy over Dropbox and Box through highly robust client-side encryption methods. That said, its CSTAR score lags behind the two cloud storage leaders, with various security flaws including server information leakage and lack of DNSSEC, among others.
BackBlaze prides itself on being a true "set it and forget it" backup and storage solution—in fact, it claims to be the world's easiest and least expensive backup solution.
The company's offerings range from personal online backup products to enterprise-scale data storage solutions.
Its website scores 790 out of 950—respectable, but still lacking in several areas: server information leakage, lack of DMARC, and administration ports open to the public are some of its security shortcomings.
Carbonite's cloud-based backup solutions for individuals and businesses combines onsite archiving with backup/syncing to the cloud. Despite being the target of previous cyber attacks, the firm has yet to bolster its website perimeter security—several flaws including server header information leakage, lack of SPF and DMARC, and the absence of DNSSEC render its web presence vulnerable to attackers. Additionally, the company's CEO has an abysmal 49% employee approval rating—learn more about why this impacts the firm's security posture.
Like Carbonite, IDrive's online backup and cloud syncing service is a hybrid on-premise/cloud solution. Its portable storage device and wireless base station works in tandem with the cloud storage component to provide more features and versatility.
When it comes website perimeter security, however, IDrive beats out Carbonite (as well as behemoths Dropbox and Box) with its excellent CSTAR score of 930.
Leading cloud backup and file storage provider SugarSync is a popular offering for syncing files across multiple devices and platforms. Like others in its category, the firm has also left critical exposures in its website perimeter security unremediated: server information leakage, lack of secure cookies and DMARC, and disabled HTTP Strict Transport Security, among others.
SpiderOak is a secure cloud storage provider that ensures better security and privacy through Zero Knowledge privacy—not even it has knowledge or access to its customers' data. The company scores a decent CSTAR score of 846, with lack of HTTPOnly Cookies, secure cookies, and DNSSEC being its primary weaknesses.
In short, cloud storage providers seem to be generally competent when it comes to cyber resilience, as measured by website perimeter security and other external factors. Solid CSTAR ratings across the board for these leading cloud storage providers are certainly reassuring, but recent incidents such as Dropbox's latest trust issues underscore the difference between security and trustworthiness: while its security may be solid, various other less-than-scrupulous actions may nonetheless put users at risk. Security and trust—though correlated, are two different matters. Clearly, Dropbox's security failures and violations of user trust are both equally brand damaging, but the latter may prove to be more devastating if specialized malware taking advantage of the extended privileges is discovered later on.
At the end of the day, an organization's cyber risk posture is only as strong as its weakest IT assets—whether they be desktop clients, web servers, even IT security solutions. UpGuard's digital resilience platform ensures that privilege escalations and faulty configurations—planned or unplanned—never go unchecked. To find out what it can do for your organization, get a free UpGuard account today, or try out the CSTAR risk grader web application and chrome extension to instantly validate your website's security posture.
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >