Comm_Guy (asker)
How secure is Dropbox?

If I need to protect PII information, has Dropbox progressed to the point where the community feels safe using them?  Where do I get specific data on the actual standards they use?
CompProbSolv

I found this at dropbox.com:
https://www.dropbox.com/business/trust

I would ask Dropbox about what security standards they follow.
Use your own encryption to encrypt before storing on Dropbox. They are not HIPAA compliant out of the box and require a BAA agreement to get started on that route.
Dr. Klahn

Once any data leaves your own disk drive it must be considered insecure.  Ergo, as David says, encrypt (and I'd encrypt twice using two different methods) before using "cloud" storage for anything.

What Dropbox claims, and what actually happens when the FBI shows up with a secret FISA warrant that Dropbox is forbidden to reveal, are two different things.
Ditto on the above.

Never trust any service.

Always encrypt.
It depends on your risk appetite.
If you have low risk tolerance, you shouldn't even opt for any cloud based storage. You can't control what you can't see.

If you have high risk tolerance, you can consider and opt for the option (see link) that is cost effective. Even if it is accredited under HIPAA, you as the data owner are still accountable. It is a shared responsibility when using any form of cloud service.

If you are not sure and in doubt, it is best to try it out without the sensitive data, as most of the time misconfiguration and negligence are the common causes of data breaches, such as exposing access to the public, using poor passwords or leaving data in plain text in the cloud store.

Familiarity with the cloud risks is important, and they vary from SaaS to IaaS. You should try to understand that before jumping into using the services if security is your key consideration. A risk assessment is necessary.

https://www.dropbox.com/en_GB/plans?trigger=nr

SOLUTION
madunix
Dropbox has since secured itself, but they were easily hacked back in the beginning when they first started. How secure do you need it? Maybe SpiderOak is what you might want.
Comm_Guy (ASKER)
Concerned with sharing PII information: name, address, SSN, etc. It appears their business accounts are secure, given they state they're HIPAA compliant. I am trying to figure out whether any documents saved in a business account are encrypted to the point that they don't have access (keys). It certainly sounds like they have access to any of the 'free' accounts. Being a non-profit, I am trying to determine options and prevent the compromise of data. Staff like 'free' stuff and don't always understand the consequences.
HIPAA is just an agreement and a certification that they are protecting the data per guidelines. It doesn't mean that the Dropbox staff doesn't have access. It means that if they do have access, they also follow the procedures to protect that data per HIPAA guidelines. That's why they have to have a separate agreement. That way, they can place your data into the HIPAA account storage that only HIPAA certified employees can access, versus any general Dropbox employee. It doesn't mean that the data is only accessible to you. They just certify that they'll protect it too. This needs a signed agreement with them.
ASKER CERTIFIED SOLUTION
Thank you one and all.  I certainly have a better understanding.  I especially like the idea of using Boxcryptor in conjunction with other solutions.  I appreciate your willingness to take the time and share your insights.