Cloud storage: How secure are Dropbox, OneDrive, Google Drive and iCloud?
How the big cloud vendors stack up when it comes to encrypting and protecting your data
Cloud has very much been the future of information sharing and storage for some time, but how secure are the swathes of cloud storage platforms to which we’re supposed to entrust our data?
A lot of noise is made about the occasional gaping security hole you may see in cloud storage platforms, ranging from hacked systems to leaky databases. If you’re influenced by this press coverage, however, the chances are you wouldn’t go anywhere near the cloud.
These systems are more secure than screaming security headlines may suggest, however. There’s also huge weight in the argument that platforms ranging from the likes of iCloud to OneDrive are incentivised to make their systems as secure as possible. They would also have the money and resources to make their customers’ data far more secure than their customers can on their own.
We’ve decided to examine the security credentials of a selection of the biggest cloud hosting platforms that you can trust to keep your data safe and secure. For a more in-depth review of each of these services, with a full breakdown of the pros and cons, be sure to check out our Dropbox vs OneDrive vs Google Drive article instead.
How secure is Dropbox?
Dropbox has survived security scares and hardened its security posture accordingly
Dropbox dropped the ball on security back in 2012, when it admitted that a compromised password had been used to access an employee's Dropbox account. That account gave access to a document containing some user email addresses, which were then spammed.
Stored data was never at risk, but the incident served as a wake-up call as to how reputational damage can impact a cloud business. Since then Dropbox has upped its game on the login front, with optional two-step verification (via text message or Time-based One-Time Password apps) adding an extra layer of security to user accounts.
Like most cloud services, Dropbox employees cannot view the content of the files you store but can access metadata if they need to in order to provide tech support for instance. Dropbox makes it clear, however, that a small number of employees can access stored files if required to for legal reasons.
Data in transit is encrypted using Secure Sockets Layer (SSL), and data at rest is encrypted using 256-bit AES, for which Dropbox holds the keys. Lost or stolen devices can be easily 'unlinked' from your account to further mitigate the risk of unauthorised access.
The business version, Dropbox Pro, adds an ability to enable viewer permissions for collaborative usage and set both passwords and expirations for shared links which harden the security posture for power users.
How secure is iCloud?
Two-step verification is a must-have for any security-aware cloud user
Apple’s iCloud faced scrutiny in 2017 when cyber criminals stole photos of celebrities and published them online. This was less of an issue with iCloud’s security, however, and rather more to do with these individuals having their credentials compromised through successful phishing attacks. Apple actually has a solid reputation for maintaining security across its devices, but what does that mean for security in its cloud services?
Well, Apple says that data is encrypted both in transit (using SSL) and at rest on the server. Rather than using 256-bit AES encryption everywhere, however, it uses "a minimum of 128-bit AES", which is considerably less secure. The only thing that I can see where 256-bit is employed is for the iCloud keychain (used to store and transmit passwords and credit card data, also employing elliptic curve asymmetric cryptography and key wrapping, which is good), so I have to assume all other data is protected by weaker encryption, which is not particularly encouraging.
The iCloud keychain encryption keys, however, are created on your own devices and Apple can't access them. Apple says it cannot access any of the core material that could be used to decrypt that key data and only trusted devices that you have approved can access your iCloud keychain.
Secure tokens are used for authentication when accessing iCloud from other Apple apps (such as Mail and Calendar) and there is optional two-step verification (which can be turned on at https://appleid.apple.com/account/home) via text message or device generated code for making changes to account information or signing into iCloud from a new device.
How secure is Google Drive?
One account shall access them all so securing your login is paramount
Google has also fallen victim to the password compromise security scares that impact on so many services. Last year it was claimed that nearly 5 million Gmail accounts had been hacked when a database was dumped on a Russian security forum.
Because Google Drive uses the same Google account for login as Gmail, the danger was that everything was compromised as a result. It turned out, however, that the dump was of old phished passwords and at most 2% may have worked but were all reset by Google anyway.
What this illustrates is how much of the security of a service such as Google Drive, which uses a single account to access multiple services, depends on the user protecting that login. Google now uses HTTPS on all of its services, which is to be applauded, and also implements 'internal measures' to look out for potentially compromised account login activity.
In addition, Google offers two-step verification like the other services mentioned here. As for your data itself, this is encrypted in transit (to and from your device, and also between Google data centres) using SSL but only stored at rest using 128-bit AES like iCloud.
How secure is OneDrive?
Encryption at rest is available on OneDrive, but only for business users
Although Microsoft Windows is the number one targeted platform for hackers and cybercriminals, so far OneDrive (formerly called SkyDrive) has remained fairly free of any serious breach headlines.
Does this mean it's the most secure of the services we have covered here? Not really, as none of them have actually suffered a direct data breach (rather than user-compromised access) that has come to our attention.
Much of the public concern surrounding OneDrive security is actually that user-error stuff once more; the wrong file sharing permissions and password insecurity mainly. Actually, files aren't shared with other people unless you save them in the Public folder or choose to share them.
Microsoft does reserve the right to scan your files for 'objectionable content' (as does Apple iCloud) which could lead to deletion of the data and your account. That is seen by many as a reason to look elsewhere as file security cannot be guaranteed if the content provider deems it objectionable.
As for data security outside the snooping realm, while data is encrypted in transit using SSL, it remains unencrypted at rest unless you are a user of OneDrive for Business. As of the end of last year, Microsoft introduced per-file encryption for that service, which encrypts files individually, each with a unique key, so a compromised key would give access to only one individual file rather than the whole store.
All OneDrive users do get access to two-step verification though, which further protects the login via One Time Code app or text message.
How secure is cloud storage: Summary
Although the cloud remains for many something of an unknown quantity as far as security is concerned, the truth is that data security is never black and white but rather fifty shades of grey.
Attaining a 100% secure data storage solution is akin to grabbing your shadow; you can get very close but will never actually do it. So you have to determine what is 'close enough' as far as cloud services are concerned. This determination may be decided for you if you are a business which is regulated and has to meet compliance requirements, and that may mean that not all your data can be stored in the cloud.
For consumers and most small business users though, the cloud is actually pretty secure these days. Data encryption is, if you'll excuse the pun, key here. Just about every cloud store will encrypt data in transit, that is as it's transferred into and out of the cloud, and some (usually if you buy the business version of the service) will encrypt it at rest, or while it is being stored, as well.
When data is not encrypted at rest, or is encrypted but with the cloud provider managing the keys, it can be indexed, de-duplicated, compressed and easily restored in a worst-case scenario. It also means that your data isn't as secure as it might otherwise be.
If you really want to ensure that your data cannot be peeked at, then encrypt it yourself before you send it to your cloud storage provider. If you have control of the keys, then 'the men in black' cannot borrow them for a quick peek without you knowing about it.
Taking control of your own data security by using an on-the-fly encryption service, such as BoxCryptor, is a good step towards mitigating risk in the cloud.
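The two ideas above, a unique key per file and keys that only you hold, combine into what is usually called envelope encryption. The Ruby sketch below is an added example, not code from any provider or from BoxCryptor; the function names, the envelope layout and the sample data are assumptions made for illustration.

```ruby
require 'openssl'

# AES-256-GCM. Output is nonce || ciphertext || tag; the file name is bound in
# as associated data, so a blob stored under another name fails to open.
def seal(key, plain, name)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key                 # must be exactly 32 bytes
  nonce = c.random_iv         # fresh 12-byte nonce for every call
  c.auth_data = name
  body = plain.empty? ? ''.b : c.update(plain) # update rejects empty input
  nonce + body + c.final + c.auth_tag
end

def open_box(key, box, name)
  raise ArgumentError, 'truncated ciphertext' if box.bytesize < 28
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = box.byteslice(0, 12)
  d.auth_tag = box.byteslice(-16, 16)
  d.auth_data = name
  ct = box.byteslice(12, box.bytesize - 28)
  (ct.empty? ? ''.b : d.update(ct)) + d.final # final raises CipherError on a bad tag
end

# Runs on the user's device: each file gets its own random key, and only the
# wrapped (encrypted) form of that key is uploaded beside the ciphertext.
def encrypt_file(master, plain, name)
  file_key = OpenSSL::Random.random_bytes(32)
  { name: name, wrapped_key: seal(master, file_key, name),
    body: seal(file_key, plain, name) }
end

def decrypt_file(master, envelope)
  name = envelope[:name]
  file_key = open_box(master, envelope[:wrapped_key], name)
  open_box(file_key, envelope[:body], name)
end

if __FILE__ == $PROGRAM_NAME
  master = OpenSSL::Random.random_bytes(32) # constructed demo key, never uploaded
  envelope = encrypt_file(master, 'constructed sample text', 'notes.txt')
  puts decrypt_file(master, envelope)
end
```

The provider only ever stores the envelope, so it cannot read, index or de-duplicate the contents, and a leaked per-file key opens one file rather than the whole store.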
Another is to be aware that the weakest security link is not the cloud provider, but rather you yourself. Follow security best practice in terms of password construction and use (don't re-use passwords across services), and employ two-factor authentication where available, and your risk mitigation level gets even better.