Can I use Dropbox?

As cloud computing becomes easier to understand and use, many employees across campus and in the Division of Academic & Student Affairs are investigating the use of Dropbox and other cloud-based storage services such as Box.net and SkyDrive. Technology units across campus are being asked to support these services, including the DASA Tech team.

There are many concerns about the security of Dropbox and similar services. Those are outlined below. In particular, OIT, DASA Tech, and other colleges/division tech units have discussed the potential for significant harm resulting from the use of these services for storing and sharing data that is protected by university policy, state law (such as personnel records) and/or federal law (such as FERPA or HIPAA protected student data).

As a result of these conversations and guidance from OIT, DASA Technology Services has developed the following protocol for Dropbox:

1. DASA Tech will not install Dropbox or similar software on any computer, laptop, or mobile device.
2. Exceptions include only those situations where a staff member must share documents with individuals outside of NC State University for work purposes, such as work associated with a professional organization.
3. DASA employees can use NCSU Drive and Google Drive as alternatives for storing and/or sharing files and Remote Desktop for accessing files; DASA Tech and OIT already provide support for these alternative resources.
4. Anyone currently using Dropbox may continue to do so but must comply with Dropbox protocols and security restrictions.
   1. Any data classified as yellow, red, or purple must be immediately removed.
   2. The user must agree not to store any confidential or protected data on their account in the future.
   3. Users are strongly encouraged to use dual authentication measures where those are available.
   4. Users are strongly encouraged to follow OIT’s recommended practices for Dropbox.
   5. Violation of that agreement will result in the removal of Dropbox.
5. Anyone storing FERPA, HIPAA, personnel, budget, or other confidential information must discontinue their use of Dropbox for this data. DASA Tech will assist in moving this data to Google Drive or other shared drive options.

Security Concerns

1. The possibility of data leakage is magnified. It is easy to inadvertently publish information publicly through Dropbox. Some Dropbox data is stored outside of the US.
2. Communication with Dropbox through mobile devices is not secure.
3. Installing Dropbox creates an additional opportunity for hackers to access your computer during installation.
4. It is very easy to copy configuration files from one PC to another, enabling unauthorized access to your Dropbox account.
5. Access to Dropbox via third-party APIs does not protect users from unwanted access to your account.
6. Dropbox does not require strong passwords. If you re-use passwords across multiple accounts, your Dropbox files could be easily compromised.
7. N.C. State has no contractual agreement with Dropbox and, therefore, cannot retrieve files or transfer ownership nor guarantee the stability or reliability of services.

Further Reading

• Best Practices for Data Security in Google Apps @ NC State
• OIT’s recommended practices for Dropbox