
How secure is Dropbox?

Comm_Guy asked:
If I need to protect PII information, has Dropbox progressed to the point where the community feels safe using them?  Where do I get specific data on the actual standards they use?

CERTIFIED EXPERT

Commented:
I found this at dropbox.com:
https://www.dropbox.com/business/trust

I would ask Dropbox about what security standards they follow.
David Johnson, CDSimple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Use your own encryption to encrypt before storing on Dropbox. They are not HIPAA compliant out of the box and require a BAA agreement to get started on that route.
Dr. KlahnPrincipal Software Engineer
CERTIFIED EXPERT

Commented:
Once any data leaves your own disk drive it must be considered insecure.  Ergo, as David says, encrypt (and I'd encrypt twice using two different methods) before using "cloud" storage for anything.

What Dropbox claims, and what actually happens when the FBI shows up with a secret FISA warrant that Dropbox is forbidden to reveal, are two different things.
David FavorFractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Ditto on the above.

Never trust any service.

Always encrypt.
btanExec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
It depends on your risk appetite.
If you have low risk tolerance, you shouldn't even opt for any cloud based storage. You can't control what you can't see.

If you have high risk tolerance, you can consider and opt for the option (see link) that is cost effective. Even if it is accredited with HIPAA, you as the data owner are still accountable. It is a shared responsibility using any form of cloud services.

If you are totally not sure, and in doubt, it is best you try it out without the sensitive data, as most of the time misconfiguration and negligence are common causes of data breaches, like exposing access to the public, using poor passwords or leaving data in plain form in the cloud store.

Familiarity with the cloud risks is important, and they vary from SaaS to IaaS. You should try to understand that before jumping into using the services if security is your key consideration. Risk assessment is necessary.

https://www.dropbox.com/en_GB/plans?trigger=nr

madunixExecutive IT Director, MVE
CERTIFIED EXPERT
Most Valuable Expert 2019
Commented:
Keep in mind the CIA triad, so protect your data in terms of confidentiality, integrity, and availability.
To ensure that data is protected (a few points):
• Use encrypted protocols to protect data in transit, or encrypt data before transmitting it.
• Use properly configured and up-to-date SSL/TLS.
• Use standard, robust encryption protocols.
• Ensure that collected personal information is accessible only by authorized users.
• Ensure that a data retention policy is in place.
• Pay particular attention to personally identifying information (PII).
• Provide end-user training on secure computing practices.
• Require multi-factor authentication and complex passwords.
• Encrypt all sensitive data at rest (including backups).
• Discard data as soon as possible.
• Use strong standard encryption algorithms and strong keys.
• Follow all of your organization's policies and procedures for safely handling sensitive data.
• Apply threat modeling approaches for securing data.

https://www.comparitech.com/blog/cloud-online-backup/make-dropbox-more-secure/
https://www.dropbox.com/security
https://help.dropbox.com/search-results#q=security&t=All&sort=relevancy
https://www.experts-exchange.com/articles/33330/Threat-Modeling-Process-Basics-and-Purpose.html

CERTIFIED EXPERT

Commented:
Dropbox has since secured itself, but they were easily hacked back in the beginning when they first started. How secure do you need it? Maybe SpiderOak is what you might want.

Author

Commented:
Concerned with sharing PII information: name, address, SSN, etc. It appears their business accounts are secure given they state they're HIPAA compliant. Am trying to figure out if any documents saved in a business account are encrypted to the point that they don't have access (keys). Certainly sounds like they have access to any of the 'free' accounts. Being a non-profit, am trying to determine options and prevent the compromise of data. Staff like 'free' stuff and don't always understand the consequences.
CERTIFIED EXPERT

Commented:
HIPAA is just an agreement and a certification that they are protecting the data per guidelines.  It doesn't mean that the dropbox staff doesn't have access.  It means that if they do have access, they also follow the procedures to protect that data per HIPAA guidelines.  That's why they have to have a separate agreement.  That way, they can place your data into the HIPAA accounts storage that only HIPAA certified employees can access, versus any general dropbox employee.  It doesn't mean that the data is only accessible to you.  They just certify that they'll protect it also.  This needs a signed agreement with them.
Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Dropbox doesn't support client-side encryption; in short, the key may be accessible to the external party.
Dropbox doesn't provide for client-side encryption. Dropbox also doesn't support the creation of your own private keys. However, Dropbox users are free to add their own encryption. There are many third party applications that provide encryption at both the file and container level.
https://help.dropbox.com/accounts-billing/security/how-security-works

For end-to-end encryption, it needs to be encrypted before data gets into the Dropbox store. You need another solution or train users to password protect the files before uploading. Boxcryptor is one option.

https://www.dropbox.com/app-integrations/boxcryptor
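The advice in David Johnson's comment and in the two comments above (encrypt on the client before the file ever reaches Dropbox, so the provider never holds the key) can be shown in code. The following Go program is an added example for this thread; it is not code from Dropbox, Boxcryptor or any poster. It encrypts a file with AES-256-GCM under a key that exists only on the client, and binds the original filename into the authentication tag so a blob cannot be silently swapped or renamed on the remote side. The blob layout (magic "EXCF", a version byte, a 12-byte nonce, then ciphertext and tag) and the sample PII record are constructed for the example; the key storage (a local key file or a KMS-wrapped key, never the synced folder) is an assumption, not a Dropbox feature.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Blob layout uploaded to the cloud store (constructed for this example):
//   "EXCF" | version (1 byte) | nonce (12 bytes) | AES-256-GCM ciphertext+tag
// The filename is bound as associated data, so a blob cannot be served back
// under a different name (or swapped for another file) without detection.
const (
	magic     = "EXCF"
	version   = 1
	keySize   = 32
	nonceSize = 12
)

var errCorrupt = errors.New("ciphertext corrupt, truncated, or wrong key/filename")

// NewKey generates a fresh 256-bit key. This is the client's secret: keep it
// in a local keystore or wrapped by a KMS (assumption), never in the synced folder.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad length-prefixes the filename so distinct names never collide as AAD.
func aad(name string) []byte {
	b := make([]byte, 4+len(name))
	binary.BigEndian.PutUint32(b, uint32(len(name)))
	copy(b[4:], name)
	return b
}

// Seal encrypts plaintext for storage under name. The returned blob is the
// only thing that should ever be uploaded; the provider sees opaque bytes.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte(magic), version)
	out = append(out, nonce...)
	return append(out, aead.Seal(nil, nonce, plaintext, aad(name))...), nil
}

// Open verifies and decrypts a blob downloaded as name. Any bit flip,
// truncation, wrong key, or rename fails closed with errCorrupt.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := len(magic) + 1 + nonceSize
	if len(blob) < hdr+aead.Overhead() || !bytes.HasPrefix(blob, []byte(magic)) || blob[len(magic)] != version {
		return nil, errCorrupt
	}
	nonce := blob[len(magic)+1 : hdr]
	pt, err := aead.Open(nil, nonce, blob[hdr:], aad(name))
	if err != nil {
		return nil, errCorrupt
	}
	return pt, nil
}

func main() {
	key, _ := NewKey()
	record := []byte("name=Jane Doe;ssn=000-00-0000") // constructed sample PII
	blob, _ := Seal(key, "clients.csv", record)
	fmt.Printf("upload %d opaque bytes instead of the plaintext\n", len(blob))
	if _, err := Open(key, "clients-old.csv", blob); err != nil {
		fmt.Println("blob served under another name rejected:", err)
	}
	pt, _ := Open(key, "clients.csv", blob)
	fmt.Println("round trip ok:", bytes.Equal(pt, record))
}
```

The point for the original question: with this in front of the sync client, a provider's HIPAA paperwork, a BAA, or a subpoena on the provider cannot expose the record, because the key never left the non-profit's own machines. What the scheme does not hide is the filename and the file size, and losing the key file loses the data, so the key backup is the part to plan for.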

Author

Commented:
Thank you one and all.  I certainly have a better understanding.  I especially like the idea of using Boxcryptor in conjunction with other solutions.  I appreciate your willingness to take the time and share your insights.