Is Shadow IT in your crosshairs? As a network security professional, do you recognize the implications of people taking IT into their own hands and implementing solutions without corporate approval? Let's examine one area that I believe is a huge data security risk in terms of shadow IT: file sharing. Sure, solutions like Box, Dropbox, iCloud, and so on, make sharing files between users and locations very easy, but there’s an inherent problem with these solutions that users don’t think about, which is that once you start using one of these services outside of corporate control, you lose control. How so? Let’s have a look.
Let’s pick on Dropbox first to get a sense for what could happen. Now, I'll openly admit that in a pinch I’ve used Dropbox to share a link so I could open a file on another machine. This activity may seem to be benign, but in an age where data exfiltration is rampant, this can be something detrimental to business. Furthermore, what happens if the link you generate is accidentally shared via social media? I once read of someone taking some photos, emailing a link to a folder in Dropbox, but mistyping the recipient address. Whoops! Now someone has access to these pictures, and they are hopefully not of a personal nature. But this is common practice these days. In fact, many organizations enforce a limit to the attachment size. Users can subvert this by sending Dropbox links. It was recently reported that a health care provider leaked user data inadvertently through an email error. I'm not sure that we will ever know if this was done using a Dropbox link or the like, but there's always the possibility that it could have been.
But what else can go wrong? Let's also consider the installation of the Dropbox application on a local system. In 2016, it was reported that Dropbox was giving itself permissions to control your computer without gaining user permissions. This was eventually sorted out and Apple began blocking this in MacOS Sierra. However, it reveals an underlying issue. When a user installs an application and doesn’t fully know how it operates, they are quite possibly exposing the organization to attack. In this case, if someone were to expose a flaw in Dropbox programming, they could effectively control your computer. While this is hypothetical, it could still happen, and it should be considered. This is one of the reasons IT organizations are a bit slower to approve applications for use internally. There is usually a vetting process that takes place in which these things are considered. I know that most of you will probably agree.
But let's stop picking on Dropbox. Several other services and applications allow users to share files that come with similar concerns. Google is known for scouring your data and using it for advertising purposes among other things. What if a user were to sign up for a free Gmail account, and use the free Google drive service to share files. Could Google be scanning and analyzing the files you store there? What can they do with that data? Who could they sell it to? What would they do with it? The list of questions goes on.
I must say that I'm not making the statement that these popular file-sharing services are bad. If an organization has reviewed the product, agrees to the EULA and it is approved internally, then have at it! But what if it's not approved? That's the gray area I'm fishing in here. I mean, just think about it. There are peer-to-peer sharing and torrent sites, instant messengers, desktop sharing and control apps, and more. These all have a slew of concerns that follow. Let's also not forget that it's pretty easy these days to throw up an ad hoc FTP server that lacks security and allows connectivity and data transfer in clear text. Again, these all have the potential to become a means of data exfiltration as well as an attack vector for malware delivery, command and control connections, and the like.
So back to the problem at hand. Users will find their own solutions when we don't provide a satisfactory one for them. Sometimes this comes in the form of installing Dropbox or using some other form of file transfer to share data. While it may not be their intent to cause a security issue or share data with people they shouldn't, the fact is that it can happen. Are you as concerned as I am about this? What’s your take on this behavior, and what do you see being the happy medium between a well-vetted system for sharing data that is still user-friendly and friction-free in a users daily life?