Is Dropbox secure?

Dropbox can be a useful file-sharing service, but is it really fit for use in business?

Dropbox was, for a long time, the go-to example when people wanted to talk about shadow IT. Fast, convenient and free, it became almost the de facto way for employees to share documents with colleagues and access them outside of work.

But this convenience came with a price - low security. While this may not be so much of an issue when users are dealing with their own personal data - it is, after all, their own information to use as they wish - it can present serious consequences for businesses, both from a regulatory and an operational perspective.

Since then, Dropbox has made serious attempts to "go straight" in the business space, introducing Dropbox for Teams - now Dropbox for Business - and emphasising security with features like single sign-on (SSO), remote wipe and audit logs.

Yet the question remains - is Dropbox really secure? Can a consumer service retrofitted for the business space ever be safe enough?

First, it is important to realise that there is no such thing as total security.

It has become a cliché among the security community to say "it's not if you suffer a breach, it's when" and while this, in my opinion, is a slight exaggeration, it reflects the fact that nothing can ever be 100 per cent secure, be it Dropbox, products that were built from the ground up for business, or your own internal systems.

The question, then, becomes "does this product offer an acceptable level of risk?"

The truth is that, despite its reputation as a spreader of data insecurity within companies, Dropbox for Business can be as secure as other solutions, including rivals such as Box, Mozy, SugarSync, Acronis or even Amazon S3. Like them, it offers SSL/TLS encryption for data in transit and AES encryption for data at rest, as well as admin features like SSO, two-factor authentication (2FA), remote wiping and shared audit logs.

It has also seemingly recognised the original "shadow IT" problem it created and in 2013 it began to offer personal and professional account linking.

Ilya Fushman, who at the time was head of product, business and mobile at Dropbox, said the feature had been introduced as a result of people being forced to put personal files in their Dropbox for Business account to access them at work.

"As we got more excited about building more features for Dropbox for Business, we kept running into the same problem: just as people often work at home, they also want to have their personal files with them at the office. We needed to build a way to help people keep their stuff separate, but still make both sets available from everywhere," Fushman said in a blog post.

"Each Dropbox will be properly labelled for personal or work, and come with its own password, contacts, settings, and files," he added.

But any solution is only as secure as its weakest link, and at this point it is in the hands of the IT administrators to bring in both a user education programme and the appropriate processes to ensure that what data is stored where complies with legislation.

Dealing with the latter of these two points first, just because Dropbox is "secure" does not mean it is secure enough to comply with data protection legislation for certain types of data. For example, if there is personally identifiable information or data that has to stay within the UK or EU, then Dropbox would likely be unsuitable, as all its data centres are located in the US.

Therefore, other data management tools should be put in place to prevent data of this kind from being transferred into Dropbox, or any other inappropriate storage service or device.

Education is an important part of reinforcing security in any setting. When it comes to Dropbox, IT administrators should explain to users how to use Dropbox for Business and its various collaboration and sharing features safely, as well as helping them to link their personal and business accounts if they wish to.

Any restrictions, from not putting business information into their personal account to being prevented from adding certain files to Dropbox at all, should be clearly communicated, both to avoid any accidental breaches and reduce frustration.

So, is Dropbox secure? Well, depending on your appetite for risk, yes it can be - but admins still have their part to play in ensuring that security.
