Is Dropbox secure?

Dropbox was, for a long time, the go to example when people wanted to talk about shadow IT. Fast, convenient and free, it became almost the de-facto way for employees to share documents with colleagues and access them outside of work.

But this convenience came with a price - low security. While this may not be so much of an issue when users are dealing with their own personal data - it is, after all, their own information to use as they wish - it can present serious consequences for businesses, both from a regulatory and an operational perspective.

Since then, Dropbox has made serious attempts to "go straight" in the business space, introducing Dropbox for Teams - now Dropbox for Business - and emphasising security with features like single sign-on (SSO), remote wipe and audit logs.

Yet the question remains - is Dropbox really secure? Can a consumer service retrofitted for the business space ever be safe enough?

First, it is important to realise that there is no such thing as total security.

It has become a clich among the security community to say "it's not if you suffer a breach, it's when" and while this, in my opinion, is a slight over exaggeration, it is reflective of the fact nothing can ever be 100 per cent secure, be it Dropbox, products that were built from the ground up for business, or your own internal systems.

The question, then, becomes "does this product offer an acceptable level of risk?"

The truth is that, despite its reputation as a spreader of data insecurity within companies, Dropbox for Business can be equally as secure as other solutions, including rivals such as Box, Mozy, SugarSync, Acronis or even Amazon S3. Like them, it offers SSL/TLS encryption for data in transit, AES encryption for data at rest, as well as admin features like SSO, two-factor authentication (2FA), remote wiping and shared audit logs.

It has also seemingly recognised the original "shadow IT" problem it created and in 2013 it began to offer personal and professional account linking.

Ilya Fushman, who at the time was head of product, business and mobile at Dropbox, said the feature had been introduced as a result of people being forced to put personal files in their Dropbox for Business account to access them at work.

"As we got more excited about building more features for Dropbox for Business, we kept running into the same problem: just as people often work at home, they also want to have their personal files with them at the office. We needed to build a way to help people keep their stuff separate, but still make both sets available from everywhere," Fushman said in a blog post.

"Each Dropbox will be properly labelled for personal or work, and come with its own password, contacts, settings, and files," he added.

But any solution is only as secure as its weakest link, and at this point it is in the hands of the IT administrators to bring in both a user education programme and the appropriate processes to ensure what data is stored where is compliant with legislation.

Dealing with the latter of these two points first, just because Dropbox is "secure" does not mean it is secure enough to comply with data protection legislation for certain types of data. For example if there is personally identifiable information or data that has to stay within the UK or EU then Dropbox would likely be unsuitable, as all its data centres are located in the US.

Therefore, other data management tools should be put in place to prevent data of this kind from being transferred into Dropbox, or any other inappropriate storage service or device.

Education is an important part of reinforcing security in any setting. When it comes to Dropbox, IT administrators should explain to users how to use Dropbox for Business and its various collaboration and sharing features safely, as well as helping them to link their personal and business accounts if they wish to.

Any restrictions, from not putting business information into their personal account to being prevented from adding certain files to Dropbox at all, should be clearly communicated, both to avoid any accidental breaches and reduce frustration.

So, is Dropbox secure? Well, depending on your appetite for risk, yes it can be - but admins still have their part to play in ensuring that security.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.