Is Dropbox for Business secure?


Is security the most important attribute of a technology solution? No, it's not. Otherwise no one would be using Microsoft Windows. Security is not a fixed state of being. It is a constant battle of good guys vs. bad guys (actually it's usually good guys vs. yourself or your staff), and it's always in flux. Great security last week could be terrible security this week if a vulnerability was just disclosed in server software you're running.

Security has always been a trade-off between safety and convenience, and between reasonable expectations and reasonable budgets. Every organization has dozens of security issues. Before cloud computing, security for the traditionally underserved in the client-server paradigm (SMB, EDU, government, NPO and most enterprises) was usually terrible. And the "bring your own device" (BYOD) trend flips the traditional security model on its head, posing even more challenges to legacy security approaches.

"Dropbox isn't secure enough for our important business." We hear it a lot, but when we ask for specifics, there are none. I imagine they've heard this FUD line from their Microsoft rep a few dozen times.

Dropbox for Business is secure and we can be specific. 

From a recent Dropbox for Business blog post:

1. We encrypt data in transit and at rest. Regardless of how you’re accessing data you store in your Dropbox — through our desktop app, mobile app, or website, or a third-party app you’ve authorized — it’s always encrypted. We use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer to create a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. Once it reaches us, we lock it down using 256-bit AES encryption at rest.

2. We keep data broken up. Every time you add a file to your Dropbox it’s split into blocks, each encrypted using a strong cipher. Only blocks that have been modified between revisions are synchronized, which is part of what makes Dropbox sync so fast and reliable. On top of this, metadata (including file names and types) is stored separately from the files’ raw data, further obscuring your data from unauthorized access.

3. We’ve enabled perfect forward secrecy. By implementing perfect forward secrecy, we’ve made it so our private SSL key can’t be used to decrypt past Internet traffic. This adds extra protection to encrypted communications with Dropbox, essentially disconnecting each session from all previous sessions.

4. We’re audited regularly by independent firms. Dropbox, our data centers, and our managed service provider undergo regular third-party audits (e.g., SSAE 16 SOC 1, SOC 2, and ISO 27001). We successfully completed a Service Organization Control (SOC) 2 Type 2 examination, conducted by an independent auditor. The audit report details the design and effectiveness of our security controls, and can serve as a valuable resource for Dropbox for Business customers as they create their own compliance strategies.

5. We give you visibility and control. Dropbox for Business was built with IT admins’ needs in mind, and we’ve designed it to make it easy to monitor and protect your data. Our audit log lets you keep tabs on what and how your team members are sharing data. Two-step verification adds an extra layer of protection, requiring a six-digit security code in addition to a password upon sign-in or when linking a new device. And with remote wipe, admins can delete Dropbox data and local copies of files from both computers and mobile devices when employees leave the team or devices are lost.
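Points 1 and 3 make claims you can check yourself rather than take on faith: which cipher suite a Dropbox endpoint actually negotiates with your client, whether the key exchange is ephemeral (that is what "perfect forward secrecy" means in practice), and whether the symmetric cipher is AES with at least 128 bits. The script below is an added example written for this post, not Dropbox's code and not from their whitepaper. It uses only the Python standard library; the hostname www.dropbox.com and the OpenSSL-style suite names in the comments are assumptions for illustration.

```python
"""Check what a TLS endpoint actually negotiates: forward secrecy and AES strength.

Added example for this post, not Dropbox code. `python tls_check.py www.dropbox.com`
tests a live host; the classification logic is pure and can be exercised offline.
"""
import socket
import ssl
from dataclasses import dataclass

# Suite names as reported by ssl.SSLSocket.cipher() (OpenSSL naming, e.g.
# "ECDHE-RSA-AES128-GCM-SHA256"). A leading ECDHE-/DHE- means an ephemeral
# key exchange, so the server's long-term private key cannot decrypt a
# recording of the session later. TLS 1.3 suite names omit the key exchange
# because every TLS 1.3 handshake is (EC)DHE; forward secrecy is implied.
FORWARD_SECRET_KX = ("ECDHE-", "DHE-")


@dataclass
class TlsVerdict:
    cipher: str
    protocol: str
    key_bits: int
    forward_secret: bool
    aes_ok: bool

    @property
    def ok(self) -> bool:
        return self.forward_secret and self.aes_ok


def classify_cipher(cipher: str, protocol: str, key_bits: int,
                    min_bits: int = 128) -> TlsVerdict:
    """Judge one negotiated suite against the two claims made above:
    ephemeral key exchange, and AES with at least `min_bits` key bits."""
    if protocol == "TLSv1.3":
        forward_secret = True
    else:
        forward_secret = cipher.startswith(FORWARD_SECRET_KX)
    aes_ok = "AES" in cipher and key_bits >= min_bits
    return TlsVerdict(cipher, protocol, key_bits, forward_secret, aes_ok)


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> TlsVerdict:
    """Open a real TLS connection (needs network) and classify what was negotiated."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, proto, bits = tls.cipher()
            return classify_cipher(name, proto, bits)


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "www.dropbox.com"  # assumed host
    v = check_endpoint(host)
    print(f"{host}: {v.protocol} {v.cipher} ({v.key_bits}-bit) "
          f"forward secrecy={'yes' if v.forward_secret else 'NO'} "
          f"AES>=128={'yes' if v.aes_ok else 'NO'}")
```

classify_cipher is pure, so you can feed it the tuples ssl hands you and unit-test it; only check_endpoint touches the network. The AES test is deliberately literal: a TLS 1.3 ChaCha20-Poly1305 suite is forward secret and perfectly sound, but it would be flagged on the AES line, because AES is the specific claim the post makes.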
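Point 2 describes block-level sync: a file is split into blocks, each block is identified by a hash, only blocks that changed are moved on the next revision, and file metadata (name, block list) lives apart from block contents. The model below is an added example built for this post, not Dropbox's implementation; the 4 KiB block size, SHA-256 as the block identifier and the in-memory "server" are assumptions. Per-block encryption, which the point also mentions, is deliberately left out so the example runs on the Python standard library alone.

```python
"""Block-level sync with a content-addressed store (added example, not Dropbox code).

Server side: a dict of block-hash -> block bytes, plus a separate metadata table
mapping a filename to its ordered list of block hashes. Client side: split, hash,
ask the server which hashes it already has, upload only the rest, then commit the
new block list as the file's new revision. Encryption of each block is omitted here.
"""
import hashlib
from typing import Dict, List, Tuple

BLOCK_SIZE = 4 * 1024  # assumed for this example; the real block size is not on the page


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """Fixed-size blocks; an empty file is one empty block so it still has a revision."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)] or [b""]


def block_id(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()


class BlockStore:
    """Server side: block contents and file metadata are kept in separate tables."""

    def __init__(self) -> None:
        self.blocks: Dict[str, bytes] = {}        # hash -> block bytes
        self.metadata: Dict[str, List[str]] = {}  # filename -> ordered block hashes

    def have(self, ids: List[str]) -> List[str]:
        """Which of these block ids does the server already hold?"""
        return [h for h in ids if h in self.blocks]

    def put(self, block: bytes) -> None:
        self.blocks[block_id(block)] = block

    def commit(self, name: str, ids: List[str]) -> None:
        """Record a new revision; every referenced block must already be present."""
        missing = [h for h in ids if h not in self.blocks]
        if missing:
            raise ValueError(f"{len(missing)} block(s) not uploaded yet")
        self.metadata[name] = list(ids)

    def read(self, name: str) -> bytes:
        return b"".join(self.blocks[h] for h in self.metadata[name])


def sync_file(store: BlockStore, name: str, data: bytes) -> Tuple[int, int]:
    """Client side. Returns (blocks in the file, blocks actually uploaded)."""
    blocks = split_blocks(data)
    ids = [block_id(b) for b in blocks]
    present = set(store.have(ids))
    uploaded = 0
    for block, h in zip(blocks, ids):
        if h not in present:
            store.put(block)
            present.add(h)  # identical blocks inside one file are also sent once
            uploaded += 1
    store.commit(name, ids)
    return len(blocks), uploaded
```

Re-syncing an unchanged file costs no uploads, and editing one block re-sends one block, which is the "fast and reliable" part of the claim. One design point to weigh when you build something like this: because the identifier is a hash of the plaintext block, the server's have() check is an existence oracle for that block. Within a single account that is harmless; a store shared across tenants has to decide whether it is acceptable.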

Dropbox for Business is $125/user per year and offers UNLIMITED storage. It also happens to provide better security than you've ever had. We can have your trial up and running in 10 minutes, so drop us a line and check it out.

If you really want to get into the details, check out the Dropbox for Business security whitepaper.