While attending an educational conference hosted by the RDU Chapter of the Association of Legal Administrators, I had internet security consultants, Sensei Enterprises, give me a scare regarding data security. Since I house 100% of my business on Dropbox, it made me stop and think, "I wonder just how safe is Dropbox?"
Over the last three years I have taken my business from a point of being buried in paper with wall to wall files to the point of being nearly 100% paperless. In doing so, Dropbox became a vital tool to accomplish that feat.
All of the information is critical to running my business and it would be difficult to function without it. However, none of it contains any "trade secrets" or confidential client information. Unless you're interested in the printing business, anyone who hacked into my data, or the NSA if it was snooping around, would be very disappointed in what they found.
But as the dependency on cloud storage becomes more and more commonplace, I find more and more of not only my business, but my "life" is in the cloud. We are a more mobile society and it is critical that a business be able to run itself from virtually anywhere in the world. I have reached that point so naturally security is more important than ever.
In Clio's 2013 Apple Devices in Law Office Survey, they cited the following:
...2013 was also the year cloud services came into their own in the legal sector, with each respondent averaging two cloud services used. Dropbox topped the charts in terms of cloud adoption with 26 percent of respondents saying they use the storage service...
SO JUST HOW SAFE IS DROPBOX?
First of all, since I love and use Dropbox I read everything with a tint of "rose-colored glasses." I want Dropbox to be a winner in this security debate.
So I started with the source: Dropbox.
Naturally, it's a high priority to Dropbox that its customers have the highest level of confidence that their data is secure. So what does Dropbox do for us to earn that confidence?
- Secure Transfer - When we upload our data into a Dropbox account, it gets transferred to the Dropbox servers. As a customer, our concern is how safe is that data during the transfer between our devices and the cloud? There are some bad people out there and they are very smart. So while no method of electronic transmission or storage can be guaranteed 100% secure, Dropbox uses secure channels for data transit using SSL (256-bit Secure Socket Layer). This is the standard for secure internet connections and we can have confidence in that.
- Encryption - Dropbox encrypts data during transfer AND when stored. It uses 256-bit AES encryption methods for our data which is approved by the NSA for "top secret" information. When a file is synced to the Dropbox servers, it is encrypted once again and stored on Amazon's S3 (Simple Storage Service) in multiple data centers across the United States. I have confidence in that.
- Two-Step Verification - For an extra layer of security at login, you can choose to receive an additional security code via text to confirm proper login. Dropbox will require a six-digit security code in addition to your password whenever you sign in to Dropbox or link a new computer, phone, or tablet. (See Screencast: How to Enable Dropbox 2-Step Verification in 2 Minutes)
- Restore Previous Versions - If you ever (and you will) accidentally 'Save' or 'Delete' the version of the file you are working on, you will feel the cold sweat of a panic. But have no fear. Dropbox is like a time machine. It keeps snapshots of every change in your Dropbox folder over the last 30 days. So even if you saved a bad change or deleted the file, you can restore the file to an older version with only a few clicks. The only catch is this must be done on the Dropbox web version and not on the desktop client.
Having said all the above, there is a slight issue surrounding encryption of Dropbox stored files. Dropbox holds the encryption key. So although it's safe from outsiders, it's not safe from Dropbox employees or law enforcement if subpoenaed.
Read from Dropbox.com regarding "Compliance with Law Enforcement Requests":
Compliance with Laws and Law Enforcement Requests; Protection of Dropbox's Rights.
We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox
But re-read the very last line again: "Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox."
I see this as a case of CYA and they are telling us exactly how to get around it to make absolutely sure our data is safe. Safe from the shady employee and we keep data from subpoenaed files private until we have to.
There are many third-party apps to encrypt the data before uploading to Dropbox but that's another post.
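The policy line quoted above only helps if the key never leaves your machine. The following is an added example, not from the original post or from Dropbox, that does this with the OpenSSL command line; the paths `KEYFILE`, `SYNC_DIR` and `DIGEST_DIR` and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: encrypt locally and let Dropbox sync only the ciphertext.
# KEYFILE, SYNC_DIR and DIGEST_DIR are hypothetical paths; only SYNC_DIR
# lives inside the Dropbox folder. The key and digests stay outside it.
KEYFILE="${KEYFILE:-$HOME/.config/dbx-local.key}"
SYNC_DIR="${SYNC_DIR:-$HOME/Dropbox/encrypted}"
DIGEST_DIR="${DIGEST_DIR:-$HOME/.config/dbx-digests}"

# Create a random 256-bit secret once, readable only by its owner.
init_key() {
    [ -s "$KEYFILE" ] && return 0
    mkdir -p "$(dirname "$KEYFILE")" &&
        ( umask 077 && openssl rand -hex 32 > "$KEYFILE" )
}

# encrypt_to_sync FILE: write FILE.enc into SYNC_DIR and record its SHA-256.
encrypt_to_sync() {
    name=$(basename "$1")
    mkdir -p "$SYNC_DIR" "$DIGEST_DIR" || return 1
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$KEYFILE" -in "$1" -out "$SYNC_DIR/$name.enc" || return 1
    # openssl enc does not authenticate the ciphertext, so keep a digest
    # of it outside the synced folder to detect later modification.
    openssl dgst -sha256 -r "$SYNC_DIR/$name.enc" | cut -d' ' -f1 \
        > "$DIGEST_DIR/$name.sha256"
}

# decrypt_from_sync NAME OUTFILE: refuse to decrypt a modified synced copy.
decrypt_from_sync() {
    enc="$SYNC_DIR/$1.enc"
    want=$(cat "$DIGEST_DIR/$1.sha256") || return 1
    have=$(openssl dgst -sha256 -r "$enc" | cut -d' ' -f1)
    [ "$want" = "$have" ] || { echo "ciphertext changed: $enc" >&2; return 2; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$KEYFILE" -in "$enc" -out "$2"
}
```

Back up the key file separately from Dropbox: without it the synced `.enc` files cannot be recovered by anyone, including you.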
Last fall, Dropbox made news when security researchers discovered that Dropbox opens some files once they are uploaded.
Tony says Dropbox explained:
Dropbox has automated backend processing to generate previews of certain file types. In a nutshell, the suspicious file activity is part of a feature that allows Dropbox users to view Word, PowerPoint, PDF, and text files directly from a Web browser without having to have a compatible program installed to open them.
So there you go, what do you think?
How secure is Dropbox?
I'm confident in the current levels of security for my information although there are steps I should take to enhance the security like:
- Encrypt files before uploading
But I certainly love Dropbox and couldn't run my business without it. There are some other cloud-storage options out there that I may test. In particular, Box.com. If I do so, I'll let you know.
Any questions? Have you personally had anything "bad" happen while using cloud-storage? I'd love to hear about it.