Box.com – Three Strikes; You’re Out

Posted by Super Admin
 
Dan Tynan, a reporter, is playing the role of umpire. No, he hasn’t been on the field for the Red Sox/Cardinals World Series games, but he is calling the shots when it comes to security & compliance and storing personal data in the cloud. Here’s his play-by-play:
 
1)     He tried to access his personal Box.com account to send high-resolution photos to his editors and couldn’t get in.
 
2)     He contacted Box and was told there was no record of an account associated with that email address.
 
3)     After putting his journalistic research skills to work, he found out that Box had rolled his account into the corporate account of a PR agency – without his permission. Why? Because Tynan’s wife had, at one point, invited an employee of the firm to upload an image to his shared folder, and she was deemed a “collaborator” of the firm.
 
4)     Later, an employee of the PR firm saw Tynan’s wife’s name on the list of people with access to their Box account, didn’t recognize it and hit delete.
 
Box handed over control of Tynan’s account to a complete stranger. Strike one.
 
Box failed to notify him. Strike two.
 
Tynan’s account was deleted without his knowledge and access to his file sharing documents disappeared right along with it. Strike three.
 
Although Tynan was using his Box.com account for sending work files, he wasn’t storing sensitive or proprietary data, and his files were recovered, albeit six months later. Lucky him.
 
But what if, as an enterprise, you are concerned about data governance?
 
Exercising control over data is an essential component of data governance and this story brings to light a very important security reality: when individuals or organizations turn their data over to a public cloud service, they are doing just that: turning over control. The vendor owns the key to the data – the encryption keys, that is. That means that IT surrenders control over data protection and loses control over how information is accessed, from where and by whom.
 
Given the number of missteps that Dan Tynan reported, Box deserves to be thrown out, not struck out, of the enterprise file sharing game.