Jon Honeyball is shocked at the lack of security in Dropbox for Teams.
Dropbox is one of those products that can get under your skin. Once you start using it in anger you’ll find its combination of “just enough power” coupled with an “invisible in daily use” UI is entirely compelling. It’s one of those rare products that just works.
Some maintain that its lack of user-created encryption means it shouldn’t be used for anything remotely confidential. I’d certainly prefer to be able to generate my own encryption keys and feed them into Dropbox’s client to ensure end-to-end encryption. I’d be happier still if I could use the excellent 1Password to help me do this. Maybe one day.
Dropbox for Teams
Now for my problem. Dropbox has a Teams version of the product. Instead of providing the 200GB of storage I had in my original account, the Teams version comes with 1TB of storage and up to five accounts. You can migrate your existing users and they magically join the team, bringing all their data with them. Obviously, their data stays private unless they want to share it.
Teams are controlled and managed via the Team button on the website. Here I can see the list of accounts, monitor how much storage each is consuming, and set up two-stage verification if necessary.
My jaw dropped
A critical part of sharing in a business environment is controlling who shares what with whom. When I saw what had been implemented, my jaw dropped and bounced three times off the floor.
Basically, there’s very little difference between ordinary Dropbox and Dropbox for Teams as far as sharing goes. I’d hoped the Teams version would make it possible to lock down Dropbox to the whole team so that only team members could be added to a share, but no – you can share with anyone, regardless of whether they’re in your team or not.
I’d also hoped it would be possible to set different levels of permission on a share so that I could set up, say, a management group that is read/write and then have a sales force group that’s read-only. But no. You can’t create any such groups and you can’t even set different levels of access for different members. The only options are to “Kick out” an existing member or to “Make owner”, which transfers your admin role to that user. That’s the lot. I’ve looked high and low for anything resembling a grown-up set of team management controls and they simply aren’t there.
I’ve even waded through Dropbox’s webinars about the Teams version. Worse still, I can’t enforce a no-onward-sharing ban across my team. There is, however, a checkbox for “Allow members to invite others”, which could be catastrophic if I don’t actively manage each team. I might one day find a bunch of people in there who I hadn’t authorised but who had been invited by a team member. A team-wide administrative ban on onward sharing is surely a must-have requirement.
Finally, the “Invite more people” box lets me type in anyone’s name – even someone who isn’t in the team or isn’t on Dropbox. For example, I just invited one of my own email accounts to view a folder. I fired up a Windows 7 virtual machine that had no knowledge of me or Dropbox, went to a browser window and pasted in the URL from the received email invitation and, bingo, I had a view of the files.
I just can’t understand how Dropbox can be so naive about the security of its implementation for business teams. Perhaps it believes that all its users are going to be sharing is pictures of fluffy kittens and gurgling babies, but Dropbox for Teams isn’t a free-with-the-breakfast-cereal product – it costs $722 for five users with 1TB of space. This isn’t a home-user product, this is software at a serious SoHo and small-business price point. The lack of businesslike controls, ones thought through from a proper business user perspective, is more than a little worrying.
As for me, I’ll keep using the product here because it fits our way of working so well and because I trust all of my team members: after all, each of them already has 24/7 access to the office and all its security doors. But I’d seriously question the wisdom of deploying Dropbox for Teams in any less managed or less trusting team environment. I’m sure there’s much that Dropbox can do to improve the product over time, but it has to show us a roadmap for such improvements and show it now.
At least Dropbox gave me a good giggle, though. I’ve just started uploading a lot of data, and its status box currently says “Uploading 414,319 files (724.4KB/sec, a long time left. Grab a Snickers)”.
[This is an excerpt from an article published in the April issue of PC & Tech Authority magazine]