Interview with Patrick Heim, Head of Trust and Security, Dropbox


Is your password coming from a system we haven’t seen before?

I firmly believe that, not even in the long term, it is right now that it is a losing proposition to maintain the required security skills in house. With the complexity of maintaining these systems and keeping them secure, it is out of reach of most small companies and even midsized ones. As we come to rethink what it means to conduct a technology-based business, it is necessary to identify which cloud providers we want to partner with that are going to be providing the specialised functions that are needed, versus trying to do it yourself, which will in the long term be a failing solution because you will not be able to secure it.

If you look at all the major breaches, a vast majority of them involved traditional technology environments where companies have chosen to maintain their systems in their own data centres. From a Dropbox-specific perspective, we are now serving over 400 million users globally and 70 per cent of our users are outside the USA, so we are very much a global company. If we look at the volume of documents, we have more office documents than Microsoft has in their own cloud; some recent numbers are some 35 billion office documents, so the volume of what we store is phenomenal. The reason I mention this is that it is the foundation: we have so many users collaborating and sharing information that it creates a pull, so that when these users are using Dropbox for their personal use it also brings in its use for the small businesses and the enterprises where they work. So what is happening is that our Dropbox for Business product is an offshoot that is designed to address the needs of businesses.

If there is one problem I’d like to solve, it is for people not to use the same passwords across multiple sites, because that is so strongly correlated with breach activity. There are esoteric risks and threats and data encryption, this and that, but if I really look at the world and what is causing data leaks and breaches that are material, it’s precisely that element of password reuse, and that’s for both businesses and consumers. It’s not about changing the password frequently, it’s about making it unique, and we go to great lengths to protect the passwords and use a ‘bcrypt algorithm’ with what we call ‘salt and pepper’, to make it as unfeasible as possible for someone to recover a password, even if they were to hack into Dropbox. So the recommendation is not around changing passwords or password complexity, it is adopting a password management tool, such as ‘password plus pass’ and others, that really provides the ability to have unique passwords without the horrible user experience. Having complicated unique passwords for every website and making them easy to apply with a password management tool would be one key recommendation. The second one would be for consumers and businesses to adopt some form of 2FA (two-factor authentication), whether it’s the SMS, or the one-time password, or the U2F token, and as two of those are free there is no excuse. So it is purely about awareness, and even from a convenience perspective it’s not like you have to do this on a daily basis; it’s really more about ‘is your password coming from a system we haven’t seen before’.
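The ‘salt and pepper’ scheme mentioned above, as an added illustration that is not Dropbox’s code or a description of its actual implementation: each user gets a random salt stored beside the hash, while the pepper is a single secret kept outside the credential database, so a stolen table of salts and hashes is not enough to run an offline guessing attack. The slow hash here is Python’s standard-library `hashlib.scrypt`, used as a stand-in for bcrypt, and the pepper value is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder pepper. In a real deployment this secret lives
# outside the credential database (e.g. in a KMS or HSM), never next to
# the stored hashes, and can be rotated by re-wrapping records.
PEPPER = b"constructed-example-pepper-not-for-real-use"

# hashlib.scrypt stands in for bcrypt (bcrypt is not in the standard
# library); the salt-and-pepper structure is identical either way.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def _prehash(password: str, pepper: bytes) -> bytes:
    # Mix the pepper in with HMAC before the slow hash: without the pepper,
    # an attacker holding only salt+hash cannot even form a candidate input.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def _slow_hash(prehashed: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(prehashed, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=DKLEN)


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Return the record to store for a user: per-user salt plus digest."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = _slow_hash(_prehash(password, pepper), salt)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and the server-side pepper."""
    salt = bytes.fromhex(record["salt"])
    candidate = _slow_hash(_prehash(password, pepper), salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("right password:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("Tr0ub4dor&3", rec))
    print("right password, stolen DB but no pepper:",
          verify_password("correct horse battery staple", rec, pepper=b"guess"))
```

The last check models the defender’s goal: an attacker who copies the salt and hash but not the pepper cannot verify even the correct password offline.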