Hardly a day goes by that a lawyer, or a security expert talking to lawyers, doesn’t suggest that “Dropbox is too flawed for lawyers to use.” People who demonize Dropbox (or any cloud service) often offer a flood of verbiage, but rarely offer a balanced, thoughtful assessment. And they almost never offer realistic solutions.
I was recently directed to this ‘securityblawg’ post, because it was proudly cited by a lawyer concerned about Dropbox. The post drones on for 2,862 words before noting “[u]ltimately, every lawyer will need to make his or her own decision about the appropriateness of using Dropbox for client work.” And then it recommends, of course (since it’s written by a security firm), that lawyers should “encrypt sensitive information before placing it on Dropbox.”
Right. That’s sort of a given. Did we need almost 3,000 words to support that advice?
You rarely hear security experts begin a blog post by pointing out an ironclad security principle: no security system is perfect, and the attempt to craft “perfect security” invariably leads to minimal usability (see e.g. Get Smart’s depiction of the problems with the Cone of Silence for a goofy parody that actually illustrates the point perfectly).
You rarely hear security experts begin by conceding another “security fact of life”: namely, that if a hacker or some evil doer is intent on getting into your data, then the odds are, with enough time, they will.
The way that lazy, marginally-skilled hackers get into your data is typically not through Dropbox, or any other cloud-provider’s failings, but through social-engineering or guessing your bad passwords. Or just camping out at a place where lots of people with bad security habits tend to frequent.
Let’s ask questions that get to the heart of the most common security problems. Here are a few, and I submit these should be discussed before answering any question that comes up about Dropbox. For example…
How many lawyers out there log into secure accounts while using the free Wi-Fi at a local coffee shop? How many click on links in emails that say “Is this really a picture of you?!!” How many use an easy-to-guess password? How many don’t bother to log out of their office computer while they go to lunch? How many leave it open overnight? How many use the same easy-to-guess password for all their online accounts? How many lawyers use one of the 25 most common passwords, such as “password” or “123456”?
Answer: probably lots. So, let’s not waste words on mumbo jumbo. Let’s get real.
Security is about making assessments, and weighing risks, benefits, and contexts. There is no “one size fits all solution” for security. In the end, the security gurus will wind up saying “it depends.” Some will say this after thousands of words that they copy and paste from prior articles; because they always say the same thing. And they usually end with “and make sure you encrypt your sensitive data.” But what about putting serious security problems in a larger context?
The cloud is only one context; we don’t talk about the ones that have always been problematic, and which are actually the most insidious problems, because we’re too busy obsessing about “the cloud.” What about old-fashioned security mishaps?
For example, I know an attorney who talked on a cellphone with his client about case strategy, while standing next to an opposing counsel in an airport gate. I know because I was that opposing counsel. And, for what it’s worth, I walked away so I wouldn’t hear his conversation. Sometimes ‘not listening’ is the right thing to do.
Conversely, when most people hear about common security problems, and what it takes to address them, they don’t walk away. And they don’t listen.
You can rail about Dropbox and the cloud all you want. The real security problems lie not in the clouds, but in ourselves.