C-level briefing: Dropbox’s security head talks user experience and security in file-sharing.
Theoretically, you can make anything secure if you are not concerned about the user experience.
In this sense it’s tempting to think of the two factors as binary opposites. In general, the more onerous the security protocols are for using a product, the safer it is, but the less the user will want to use it.
For this reason, in their personal lives, consumers tend to choose less secure options than enterprises might mandate in the workplace.
Consumers are usually also employees, and the entry of consumer-focused products into the workplace has created what IT directors refer to as Shadow IT. This has led to technology companies creating a range of products that attempt to provide a consumer user experience with enterprise-grade security or controls.
For example, device vendors such as Samsung have built security products such as Samsung Knox into their consumer devices.
In the cloud sharing space, Dropbox is one company that has had to navigate this change. The company’s file-sharing solution had been widely adopted by employees and was now being taken into enterprises.
As Mark Crosbie, Head of International Trust and Security at Dropbox, explains, the company saw an opportunity to build its product into something that could bridge this gap.
The crucial thing that the company focused on, rather than security against a cyber attack, was control of information, or, as Crosbie calls it, the "data-centric controls that a CIO or CISO needed over the company’s data."
This is in many ways more an issue of policy than technology, although technology is important; the company provides two-factor authentication and back-end analytics and abuse detection infrastructure that can detect unusual patterns of activity.
Recently a former Ofcom employee gave a large amount of sensitive data from the regulator to his new employer, in the largest breach in the company’s history.
The Guardian report said that as much as six years of data that was submitted to the regulator by broadcasters was downloaded. The new employer, said to be a major broadcaster, was offered this information but instead disclosed the theft to Ofcom.
The recent Market Pulse report commissioned by Sailpoint found that globally, 42 percent of respondents were able to access corporate accounts and data after termination, or 39 percent in the UK.
Dropbox essentially kept the same user experience on the client side, but shifted the control over the data to the IT department. The control over how and where the data was shared was centralised in the IT department, with the user’s day-to-day interactions with the product as little changed as possible.
"Balancing security and user experience doesn’t happen by accident," says Crosbie. "You have to make conscious engineering and design decisions.
"Usability takes a tonne of engineering to make it happen. It’s always the corner cases, the tiny details that make a difference. When you share a file, you just want it to go."
To Crosbie and Dropbox, this is part of a wider shift in the role of the IT department, from the "department of no" to the "department of yes, but".
"CIOs are now seeing themselves as facilitators rather than dictators. They see their role as helping people who are trying to do their job but do it more safely."
On the other side, the end-users in companies are having a much greater voice in the solutions that they use in their workplace.
"It’s no longer putting roadblocks in the way but putting guard-rails down the side of the highway," says Crosbie. "We’re letting them go fast down the highway to get their job done while keeping them safe."
The security technology of the future, then, must balance keeping the users happy with providing the right levels of control to IT.
In a world where security accreditations are expected from file-sharing applications as a given, or "table stakes" as Crosbie says, this usability element is one of the key areas where Dropbox and others can compete.
He also emphasises agnosticism as key; these file-sharing applications need to be able to work with Microsoft, Mac or whatever the user wants so that they can slot easily into an organisation.
"Users are still happy as they are still using the products they are used to. But now the IT department is happy because they are back in control."