
Dropbox security concerns: Time to find secure Dropbox alternatives?

Are Dropbox security concerns serious enough to require enterprise users to switch to secure Dropbox alternatives? Expert Michael Cobb discusses.

I've noticed a dramatic uptick in the use of Dropbox around my office. With Dropbox's recent password security issues (along with those of seemingly every other popular Web service), I question whether the service is secure enough for enterprise use and would rather move users away from it. Do you have any suggestions for secure Dropbox alternatives? Or are my Dropbox security concerns unfounded?


There is always a risk of reduced confidentiality and data leakage when giving your data to a third party. So no, your fears are not unfounded. Third-party provider selection is an important decision, and security concerns must be addressed before any third-party service is used to store or otherwise handle company data. An enterprise certainly needs a security policy to cover data in the cloud and should check whether regulatory or compliance requirements actually allow it. Data stored or handled on your behalf by any third party remains your responsibility.

If employees find that cloud-based storage and file sharing genuinely improve their efficiency, then any potential service provider needs to be evaluated. Review not only the provider's privacy policy, but also its data handling policy and, if possible, its recruitment process. Look for evidence that the provider takes reasonable steps to check the identity and reliability of its staff and that staff members are trained in data handling procedures. With the growing sophistication of new attacks, it's important that providers conduct ongoing security awareness training to keep employees up to date with the latest types of attack.

The provider's data destruction policy should also be reviewed. A study of four cloud service providers by UK security company Context found a "dirty disk" vulnerability whereby fragments of data were left behind following deletion, which opened up the possibility of that data being accessible to other customers. Ensure that you are comfortable with the processes for destroying data when it is no longer required and when storage media and backup tapes are retired. The financial health of a provider is also critical, particularly when the service is ongoing, as in the case of storage. In the current economic climate, a company of any size can quickly go bust, possibly leaving data inaccessible.

Dropbox's reputation has suffered recently due to various security problems and the fact that its employees can access the unencrypted data of its clients. Regardless of the online storage provider you use, always encrypt data prior to sending it to the cloud. However, relying on employees to encrypt data before sending it to the cloud is not a particularly robust safeguard.

For a Dropbox alternative with better security, consider a provider that uses zero-knowledge security, such as SpiderOak or Wuala. Most online storage services, particularly in the consumer market, retain copies of the encryption keys. This means their employees could decrypt customer data, the keys could be handed over to law enforcement agencies, or hackers could obtain them. Zero knowledge means the provider never stores or knows a user's password or the plaintext encryption keys. The data encryption key is saved only on the user's computer, so the data and even the filenames are inaccessible to the provider.

SpiderOak also provides two-factor authentication, which, if enabled, requires a code sent via SMS as well as account password entry every time a user logs in. Obviously, this is more time consuming, but it does add another layer of protection.

Finally, remember that Dropbox and most other storage services are primarily a place to store documents that are accessible to a specific group of people. Although most offer automated backup and some make it simple to synchronize those backups among a number of computers, they are not out-and-out backup services with full system restore functionality.

This was last published in April 2013


1 comment

Does the perspective of this article shift at all when you consider Dropbox's two factor authentication? https://www.dropbox.com/help/363/en