I received a great comment out on LinkedIn from Colin. He liked the post but raised a serious concern about how easy it is to move information into and out of the corporate walls. This topic struck me as a perfect blog post.
To start, I am not an IT person although I have worked in IT at various points in my career. However, I am a power-user on Windows, Office and generally all the departmental applications I use to run my department. I was one of the earliest adopters of Blackberries in my hospital about 6 years ago (kind of late compared to how long the Blackberry had been around at that point, but hey, I work in Healthcare). I was a fairly early adopter of the iPad (August 2010) and one of the first that felt comfortable enough to use an iPad in meetings at work. Through all of this time I made a point to keep up relationships with key staff in IT to maintain intel on technology IT was ready to (and not ready to) deploy in the hospital. In thinking about Colin’s statement as well as my decision-making process on what I store out on Dropbox, I figured it was time to write a post about security in the cloud and on the iPad.
To start with the end in mind, I can summarize this post with the following statement:
PUT NOTHING ON DROPBOX OR IN THE CLOUD THAT YOU WOULD NOT WANT SOMEONE ELSE TO READ!
I had always thought of Dropbox as a fairly secure service but there have been many, many posts over the past year about some of the inherent risks of Dropbox. Do a search on Dropbox security and you will see many hits on the topic. To summarize, Dropbox does encrypt files stored on their servers, but employees of Dropbox have the ability to decrypt and view any of those files themselves. This is an issue of course if you consider your data sensitive or confidential in any way. Perfect examples would be SSNs, medical information, financial information, confidential corporate information, legal documents, etc. If you care about the security of any of this information I would urge you NOT to store these files on Dropbox. All of this begs the question: what is Dropbox really good for then? Well, I would say any non-confidential work documents, Christmas lists, music, pictures, etc. So, Dropbox has its use; just never for confidential information without proper precautions.
There is a silver lining if you want to use Dropbox in a more secure way, but without iPad integration. You can choose to encrypt your files BEFORE copying them to Dropbox. There are many services that do this, the most versatile of which appears to be the “free” TrueCrypt; be sure to donate if you find value in the product. In researching this post I downloaded TrueCrypt and installed it on my Mac Mini running Lion and my kid’s WinXP machine. Check out this post for a great how-to on installing and running TrueCrypt. I created a 25GB container file and stored it in the Dropbox folder on the Mac and then mounted the “file” on both of my computers; Dropbox automatically synced the container file to my kid’s machine. What TrueCrypt does is create a virtual drive on each computer that you can store files on and access at will from any computer with TrueCrypt installed. The beauty of this approach is that you are still leveraging the power of Dropbox but with the added security of encrypting your files BEFORE moving them onto the Dropbox servers. Of course, this approach does eliminate the ability to access your files on the iPad given that there is no TrueCrypt app.
So, how is it possible to be secure and use the cloud to share files with your iPad? Well, in my opinion you really cannot be secure and follow the workflow I described here using Dropbox and GoodReader. What you gain in convenience, you give up in security. As I said above, put nothing unencrypted onto Dropbox if you don’t want someone accessing that file. One writer even said that he considers everything that he puts in the cloud as essentially a public folder.
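One way to check the "nothing unencrypted" rule on a desktop sync folder, as an added example that is not part of the original post: encrypted containers such as a TrueCrypt volume look like random bytes, so any file whose byte entropy falls well below 8 bits per byte is probably readable as stored. The threshold, sample size and file names are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter

SAMPLE_BYTES = 64 * 1024  # assumption: the first 64 KiB is representative
THRESHOLD = 7.5           # assumption: encrypted data sits very close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def audit_sync_folder(root: str, threshold: float = THRESHOLD) -> list:
    """Return relative paths of files that do not look encrypted.

    High entropy is necessary but not sufficient: ZIP, JPEG and other
    compressed formats also score high, so a clean result is no proof.
    Very small files cannot reach the threshold and are flagged (fails safe).
    """
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            if shannon_entropy(sample) < threshold:
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def build_sample_folder(root: str) -> None:
    """Constructed sample data: a plaintext CSV and a random blob
    standing in for an encrypted container file."""
    with open(os.path.join(root, "payroll.csv"), "w") as fh:
        fh.write("name,ssn\n" + "Jane Doe,000-00-0000\n" * 200)
    with open(os.path.join(root, "vault.tc"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_folder(tmp)
        for rel in audit_sync_folder(tmp):
            print("looks unencrypted:", rel)
```

Point `audit_sync_folder` at the real Dropbox folder to list what would be readable if someone else opened the account.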
All is not lost with respect to iPad security, however. There are built-in ways to keep information on your iPad encrypted and therefore somewhat secure with limited potential for unintended access (assuming of course you are ok with sensitive stuff in the cloud). Simply search on iPad security and you will find many, many articles. My favorite one, however, is this one out on Macworld by Rich Mogull. Rich walks you through the process of enabling the iPad’s excellent built-in security and encryption features. If you have followed most of his suggestions (I can’t give up on the simple 4-digit pin vs. a longer password), your security settings should look like this:
There you have it, a very simple disclaimer/tutorial on the state of security in the cloud and on your iPad. The good news is that there are many excellent tools out there that will improve your productivity on the iPad. The bad news is that these tools should really only be used to access benign and uninteresting information rather than confidential information.
For some more resources on the topic, check out the following excellent articles.
- Apple’s Security Overview for the iPad
- A great review of SpiderOak on hytechlawyer.com, a much more secure alternative to Dropbox
- A recent article on ZDNet I read about how using the iPad in Healthcare may be dangerous…
- A not so recent blog post on the Economist about the general state of Cloud Security
- A random security message board discussing the security of TrueCrypt
- A nice overview of encryption on the GoodReader web site
Check the Storify Post I created to consolidate comments from a few locations that this post has been published to…