Dropbox

6 minute read

It all started 5 years ago with good old-fashioned Shadow IT. Dropbox. Loved by users and hated by IT.

Background

Back then I was just minding my business, being a local IT manager for the Swedish branch. In our (somewhat sporadic) Nordic IT alignment meetings, it became clear all branch offices had started to use Dropbox. Well, not by asking IT or buying licenses of course. Just started to use it for production, sharing files and folders using gmail and/or company addresses on private accounts. We had a self-proclaimed expert in the office, running around telling everyone how great this Dropbox app was, and that everyone should use it.

preacher megaphone

The influencer (that word was not coined back then to my knowledge, but that’s exactly what he was and is) had powers and star status. So everyone listened. And everyone followed his advice. Boom, a new business critical system had been implemented. I’ll admit, the implementation was quick. The clean-up however, has been going for 5 years and counting. Goddammit.

Facepalm

Enterpricify

So what do IT do? Scream at deaf ears. After that, we try to make the best of the situation. Because that’s what we do. Thankfully I had just gotten my first child and was off to parental leave. My college Fredrik rolled up his sleeves, got all the branch office IT peeps together, and implemented Dropbox for Business. Our boss at the time actually called me (me and the family lived in France for 7 months during our parental leave), and being a long way from the office, both mentally and physically, I really didn’t care. “I cannot hold back against this Dropbox thing any more we’re going to buy it”. “Whatever”. I had left the office 5 months earlier with harsh words regarding Dropbox, so it was understandable my boss was worried about my reaction to this blatant betrayal while I was away, and therefore unable to defend the fort. But it was of course the right thing to do, trying to make this consumer product as businessified as possible.

Sinking ship

Trying to live with it

Once back at the office, rested and enthusiastic, I got briefed on the Dropbox for business implementation, and was ready to get acquainted with all the new and shiny business features we had bought, for a hefty amount of money, mind you. I was underwhelmed. Every single feature, even the most basic ones, regarding access control and insights was missing. “It’s on the roadmap”. Yea right. Like for example the ability to break permission inheritance on Team folders? The most basic of features when trying to create an IT managed, enterprise folder structure? You know being able to actually use the system in a company, without having to create Team folders for every single folder that need to be restricted in any way? Like that feature in the roadmap? That’s been on the roadmap for 3 years? Where you have deleted all the angry comments in your public forum demanding this feature? Like that on the roadmap you mean? Yes? My high spirits started to fall. Fredrik told me horror stories of the implementation and migration of users. I decided to stop listening and focus on my happy place.

InfoSec

Like described in my previous post about GDPR neither I nor the company had cared very much about InfoSec historically. But that was about to change. All previous sins were going to come back and bite us in the ass.
All the flagrant mishandling of data had to be sorted. Thankfully, and especially thanks to Fredrik, we had a solution at hand. While I was away, he had established relationship with a CASB vendor, Netskope. In the beginning they marketed themselves as a tool for Shadow IT control, but when GDPR hit, the step for them to becoming our GDPR compliance provider was very short. More on that in a future post. Netskope provided us with the tools to get insights and perform actions in this mess. But to completely have cleaned it up, well, I’m not sure that’s ever going to happen. That’s Dropbox by design for you.

Crappy by design

Also, the credential stuffing attacks coming from the multiple breaches Dropbox has had on their poorly designed and implemented infrastructure will haunt us, and the world, for a long time. Thank you start-up culture, thank you time-to-market, thank you freemium offer, fuck you very much. I was informed by our customer success team that I needn’t worry about being locked out of Dropbox when changing SSO identity providers because “you can always log in with the local credentials”. Hm, local credentials you say, even though require sso is enabled? Turns out AD sync doesn’t disable users when disabled in AD and/or removed from the Dropbox users group, and there’s a local password in Dropbox ready for the user who don’t wish to use company credentials. Ah, that’s just lovely. All pervious employees still have access. And, while at it, thanks for setting the default share mode on “create link” to “public”. Now anyone in the world has been able to enjoy our company data. And thanks for not setting the access permission on a link to match that of the folder/file being shared if a user happens to stumble upon the option of restricting link access to “Team only”. It’s just easier if anyone has access. And nooo, it’s not confusing at all with different permissions, making users exposing data without even knowing. “Well you still need the link to get access” you say? So no one would be able to loop through possible links, AWS S3 bucket style, you mean? Let’s ask shodan, shall we? Or even redirect an email with the link to the wrong recipients? That would give them silent and perpetual access, would it not? “But we have this nice feature called set link expiration” well I’ve yet to see one single user in the company who have enabled that link feature. Oh, I wish I could put the blame on someone. I’ll blame it on capitalism. And great user experience, timing and marketing. I wish I could punch them all in the face.

Conclusion

With endless terabytes of data, and every single company process in some way depending on Dropbox, the company is in Dropbox prison. But rest assured, we’re gonna break free. The competition has caught up, and Dropbox is no longer the grand user experience it once was on the consumer side. Finally, the fairy dust has worn off, and the users are no longer under the Dropbox spell. I hear people talking about alternatives. I hear management in all branch offices complaining about the lack of structure and potential leakage of information. Newbies have no prior relationship with Dropbox, and they could not care less about what we use for filesharing. This change in attitude could let us accumulate the strength needed to abandon this sinking ship. Because we’re gonna need strength to follow through on a full-scale migration. But I believe the time has come to strike.

Time to strike

Do I have anything positive to end this rant with? Yes.

  • I love Dropbox. As a luser, that is, not as an admin. But it just works, on all my devices. Flawlessly.
  • The company has benefited from using Dropbox. There’s no denying, the “everyone’s an admin and everything is public” approach suits our project-based organization well. It’s very agile. It’s very ad-hoc. It’s very collaborative.
  • We have been treated well by customer support sales success (possibly because we’re the only company in the Nordics stupid enough to have bought it. Sorry that was another rant right there mixed in with the positive. I’ll just end it now. Over and out.)

The personal experiences, viewpoints and opinions expressed in this blog post are my own and in no way represent those of the company.