I've noticed a dramatic uptick in the use of Dropbox around my office. With Dropbox's recent password security issues (along with those of seemingly every other popular Web service), I question whether the service is secure enough for enterprise use and would rather move users away from it. Do you have any suggestions for secure Dropbox alternatives? Or are my Dropbox security concerns unfounded?
Ask the Expert
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
There is always a risk of reduced confidentiality and data leakage when giving your data to a third party. So no, your fears are not unfounded. Third-party provider selection is an important decision, and security concerns must be addressed before any third-party service is used to store or otherwise handle company data. An enterprise certainly needs a security policy to cover data in the cloud and should check whether regulatory or compliance requirements actually allow it. Data stored or handled on your behalf by any third party remains your responsibility.
The provider's data destruction policy should also be reviewed. A study of four cloud service providers by UK security company Context found a "dirty disk" vulnerability whereby fragments of data were left behind following deletion, which opened up the possibility of data being accessible by other customers. Ensure that you are comfortable with processes for destroying data when it is no longer required and when storage media and backup tapes are retired. The financial health of a provider is also critical, particularly when the service is ongoing, as in the case of storage. In the current economic climate, a company of any size can quickly go bust, possibly leaving data inaccessible.
Dropbox's reputation has suffered recently due to various security problems and the fact that its employees can access the unencrypted data of its clients. Regardless of the online storage provider you use, always encrypt data prior to sending it to the cloud. However, relying on employees to encrypt data before sending it to the cloud is not a particularly robust safeguard.
For a Dropbox alternative with better security, consider a provider that uses zero-knowledge security, such as SpiderOak or Wuala. Most online storage services, particularly in the consumer market, retain copies of encryption keys. This means their employees could access encrypted data, the keys could be given over to law enforcement agencies or hackers could obtain them. Zero knowledge means the provider never stores or knows a user's password or the plaintext encryption keys. The data encryption key is only saved on the user’s computer, so data and even filenames are inaccessible to the provider.
SpiderOak also provides two-factor authentication, which, if enabled, requires a code sent via SMS as well as account password entry every time a user logs in. Obviously, this is more time consuming, but it does add another layer of protection.
Finally, remember that Dropbox and most other storage services are primarily a place to store documents that are accessible to a specific group of people. Although most offer automated backup and some make it simple to synchronize those backups among a number of computers, they are not out-and-out backup services with full system restore functionality.
This was first published in April 2013