
Dropbox or Drive as a Service - Any known downsides?

jdana asked
I found a bunch of links indicating that Dropbox or Google Drive can be rejiggered as a service instead of a startup item, meaning the tools do their sync-thing even when the associated Dropbox or Drive account is not logged in. (Here's a sample: http://www.dropboxwiki.com/tips-and-tricks/start-dropbox-as-a-windows-service.) This, combined with one (and only one) Dropbox Pro or Google Drive Unlimited account got my head spinning with possibilities:

Office users with laptops have a local copy of their files on the office file server.
Dropbox for business isn't necessary because all users have access to file server.
This even provides a degree of offsite backup for the file server.

Of course, Dropbox doesn't support the startup item-to-service rejigger. (Google might support a rejigger of Drive. I haven't looked into it.) And all my crazy ideas are predicated on the idea that Dropbox or Drive rejiggered as a service works and works reliably.

Do any of you smart folks with Experts Exchange see downsides to this configuration? Ideally, one or two of you have gone down this road or a road similar to this. If so, what problems have you encountered?

Exec Consultant
Distinguished Expert 2018
Running as service requires administrator account so in fact, it is considered as privileged action. This may not be desired in corporate use case (more of controlled env) such as

(a) audit trail of such syncing or backup specific to user logon (admin may be the local admin),
(b) user to knowingly (as it may be "bypassing" using 2factor authentication not username/password) connect or backup or sync to the cloud binding to their account login, they are responsible for the intended action (in dispute of data leakage or breach),
(c) minimise user's denied repudiation claims or debate unless they prove otherwise
(d) security and hotfixes patch on such services readily done (services are commonly exploited due to their privileged state and may be targeted for opportunistic attempt to intercept all online cloud upload/downloads - machine becomes part of the plot planting in cloud slew of malware or crimeware... not impossible esp if machine is not in latest patch)
(e) strong diligence in ensure well tested patches to push down in live machine, avoid conflict esp fixes (somehow) crash such services unintentionally or implicated due to such 3rd party s/w upgrade, AV false pos signature update or OS patch ...

My sense is more to prefer to err on the safe side, e.g. more user aware and managed in their furnished machine. However, it may still be alright if necessary risk mitigation can be taken (to reduce exposure to long cloud persistent session), such as application whitelisting, anti-malware s/w, data loss protection, ext portable storage control etc. These are usually readily resident and configured to safeguard machine clean state integrity and (at best effort) prevent corporate data against loss and abuse.

Pardon me for being the devil's advocate gearing more towards security as higher priority...user friendliness (less hassle)

>Other ref

Google Drive as a Windows service - http://www.myrtec.com.au/kb/331

Dropbox as a Windows service - http://www.jrdata.se/2011/03/11/installing-dropbox-as-a-service-on-windows-server-2008-r2-sp1-x64/

Exploit Dropbox to steal files and deliver malware - http://www.techrepublic.com/blog/it-security/dropsmack-using-dropbox-to-steal-files-and-deliver-malware/

Malware exploited Drive - http://www.cbronline.com/news/security/google-drive-abused-in-malware-attack-says-security-firm-4415078
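
Added example, not part of the answer above or of any linked guide: a PowerShell inventory for points (a) and (d), listing services that launch a sync client, the account they run as, and the version of the executable. The name fragments in `$pattern` and the use of the `Parameters\Application` registry value (where wrappers such as srvany and NSSM store the real command) are assumptions to adjust for the installation at hand.

```powershell
# Added example: find services that start a Dropbox / Google Drive client and
# report the account they run under, so privileged instances can be reviewed.
$pattern    = 'Dropbox|googledrivesync|GoogleDriveFS'   # assumed executable name fragments
$privileged = 'LocalSystem', 'NT AUTHORITY\SYSTEM'

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc    = $_
    $target = $svc.PathName

    # Wrapper services keep the real command in the registry, not in PathName.
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $app = (Get-ItemProperty -Path $paramKey -Name Application -ErrorAction SilentlyContinue).Application
    if ($app) { $target = $app }

    if ($target -notmatch $pattern) { return }   # not a sync client, skip

    # Separate the executable path from its arguments (quoted or unquoted form).
    $exe = if ($target -match '^\s*"([^"]+)"') { $Matches[1] }
           else { ($target -split '\s+-|\s+/')[0].Trim() }
    $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Service      = $svc.Name
        RunsAs       = $svc.StartName
        Privileged   = $privileged -contains $svc.StartName
        StartMode    = $svc.StartMode
        State        = $svc.State
        Executable   = $exe
        FileVersion  = $file.VersionInfo.FileVersion   # compare against the vendor's current release
        LastModified = $file.LastWriteTime
    }
} | Format-Table -AutoSize
```

A row with `Privileged` set to `True` is a sync client running with full system rights; moving it to a dedicated low-privilege service account narrows what a compromised client can reach.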


btan - Thanks for a terrific posting. I appreciate all the thought that went into this. (I'll leave this posting up for another couple of days just in case someone else wants to chime in.)
btan
Exec Consultant
Distinguished Expert 2018
Sure, no worries. Just to share, even recently Dropbox was being exploited (again), and on the mobile platform:
...discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) which allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim’s knowledge or authorization. This is a serious flaw in the authentication mechanism within any Android app
The vulnerability can be exploited in two ways, using a malicious app installed on the user’s device or remotely using drive-by techniques. It cannot, however, be exploited if the Dropbox app is installed on the device

The saving grace is that there is a patch and the probability may be lower than the common one mentioned; however, the point is that privileged actions, once gained by an unintended "foreign" entity (process or adversary or insider), can be beyond thoughts of the harm it can cause, especially if it cannot be detected and it goes stealthy. Hence it is always best to be on top of things - though it can be in quite a "micro-managed" fashion. It makes sense for a very secure objective-driven business and provider, but for the norm SME or user, it can be balanced off to square off the needs and wants fairly.

Just few cents more ....


btan - Once again, great answers. Implemented Dropbox as a service implementing some of your cautionary configuration.