Dropbox working on FIDO U2F keys to ensure top notch security

In a bid to lure in more business customers, Dropbox is engineering FIDO-based universal two-factor authentication keys into its enterprise product.

The cloud file-sharing firm, which claims to have attracted 100,000 business customers since opening its enterprise division two years ago, is exploring how to secure confidential files in today’s post-password landscape using FIDO (Fast IDentity Online).

Dropbox’s new security lead and former chief trust officer at Salesforce.com, Patrick Heim, said: “I’m not going to commit to a launch date, but we are actively working on FIDO authentication. It’s an important standard that should be adopted, and we have seen very few companies taking a leading role in adopting this.”

Heim said that he was a “huge fan” of universal two-factor authentication keys and a user of Yubikeys, which he described as “indestructible”.

After opening a London office in January, Dropbox has a new headquarters in Dublin while ramping up its security team behind-the-scenes - all in an attempt to win European business customers who pay for its service.

It has “doubled” its security engineering team, Heim said, but would not confirm total workforce numbers.

Threat research?

To nurture innovation amongst security employees, the firm runs ‘hack weeks’ and balances their workload between new security features for customers and the cloud firm’s ability to manage security more effectively, Heim told ComputerworldUK.

“We have a dedicated team - basically a fraud and abuse team that are continuously in tune with threats”, Heim said.

The firm also shares anonymised threat information with other large-scale tech firms so it can prepare for issues that may affect customers.

While “talent just isn’t available” to work in small and mid-sized firms, Heim believes top-rate cyber hack gurus were attracted to cloud firms like Dropbox for their innovative culture. “It’s different if you are stuck in a corporate security department” with added “complexity of systems and dynamics around corporate IT budgets” stifling innovation.

What’s in the product?

In the past six months Dropbox has added tiered admin controls, a tool to require 2 Factor Authentication, a ‘shared’ folder and ‘shared link APIs’.

Its rival Box recently inked a deal with IBM, which will mean enterprise customers could use the service but with a private virtual datacentre space provided through IBM’s Softlayer.

Heim denied that this would improve security for enterprises, however.

“If you look at the history of breaches that are happening and what really causes them the actual datacentre infrastructure is not involved. The physical location, be it in the US or Europe is frankly not very relevant. What is really important is operational discipline, the quality of engineering and testing.”

However, regulatory issues may come into consideration for Europe-wide firms, particularly when data sovereignty is hanging in the balance until the EU publishes its impending regulations.

Copyright © 2015 IDG Communications, Inc.
