Dropbox Security

[Vlamgat]

Hi there everyone,

I would like to find out if anyone can help me...

I would like to get a broader understanding of dropbox's security and can dropbox be used for confidential documentation or is it not worth the risk.

Let me know your help would be appreciated.

Kind Regards,
Vlamgat

 

[TJ99]

It's probably never a good idea to put confidential information on servers controlled by a third party, if you're going to be a target (like say a big company/government storing some dirty secrets.) For things like your personal passwords etc, it's fine, as long as you use an encrypted database like Keepass or Truecrypt, within the Dropbox.

 

[bekdik]

What TJ99 said.

Exception would be where the files will only reside in the cloud for a short length of time and then be deleted, so as to minimize the risk.

 

[quovadis]

What TJ99 said.

Exception would be where the files will only reside in the cloud for a short length of time and then be deleted, so as to minimize the risk.

And you're assuming the the files deleted are actually deleted at disk level/cdns etc - Think facebook and profile photos etc. CDN's introduce a whole new dynamic.

 

[Gambit]

You can always encrypt your files before putting them in dropbox to ensure that they are secure.

 

[Vlamgat]

Thanks guys appreciate the help will start encrypting asap got some company info in dropbox that i need everywhere i go but cannot be leeaked

 

[zamrg]

You could store an encrypted TrueCrypt container file on your DropBox. Only down-side is that every time you update the volume, it will re-upload the entire container.

If it's just small documents and you mainly use this volume for read-only, it would be your best bet though.

 

[HavocXphere]

Dropbox essentially resells Amazon's cloud, so one can be reasonably certain the the data isn't stored on a sketchy server in Uzbekistan.

However, Amazon doesn't guarantee that the data won't be lost.

Generally the problem comes from a different angle: Chances are the data will physically be stored inside US jurisdiction, meaning patriot act & all that crap applies.

You'd also have to read the terms & check whether commercial use is even permitted.

Only down-side is that every time you update the volume, it will re-upload the entire container.

There are encryption programs that are specifically aimed at this & reduce the upload.

Personally I think anybody who stores confidential company data on Dropbox is an idiot. Thats coming from a corporate perspective - I can see how in certain cases it might make sense for small companies.

 

[Elimentals]

If you want security box.com has a much better solution.

See https://www.box.com/enterprise/security-and-architecture/

The only draw back is that its not as cheap.

 

[bdt]

SpiderOak make quite a thing out of their never having access to/knowing what you've got stored. Also, it seems, you can get the blues

 

[Elimentals]

SpiderOak make quite a thing out of their never having access to/knowing what you've got stored. Also, it seems, you can get the blues

Sure they claim they are safe and secure, most do, but show me an independent certification?

I do not want your word for it I wanna see an Audit.

 

[bdt]

Sure they claim they are safe and secure, most do, but show me an independent certification?

I do not want your word for it I wanna see an Audit.

Just when I was starting to think a friendship was coming along nicely here... *cough* But you do know they have a specific contact address to find out?

 

[Elimentals]

Just when I was starting to think a friendship was coming along nicely here... *cough* But you do know they have a specific contact address to find out?

LOL@ friendship, Dont get me wrong I love the product and the Open Source aspect of it, its just that it lacks proper audit info.

I can tell you without the need to contact them, they are not certified or rated. Part of the SSAE requirements is that you have to show your rating on your site.

 

[noswal]

A podcast from a few weeks ago which discusses dropbox and other clould storage, from a security perspective.

http://media.grc.com/sn/sn-349-lq.mp3

 

[Swift-wp]

Boxcryptor - https://www.boxcryptor.com/

BoxCryptor encrypts your files using the AES-256 standard. This makes your data secure - no matter which cloud storage provider you use. Access your encrypted files on all devices. We have BoxCryptor for Windows, Mac OS X, Android and iOS - and even support Linux. Encrypt your files the quick and easy way. Each file is encrypted individually in real-time and stored in a folder of your choice, e.g. your Dropbox folder

 

[bdt]

I can tell you without the need to contact them, they are not certified or rated. Part of the SSAE requirements is that you have to show your rating on your site.

Boxcryptor - https://www.boxcryptor.com/

BoxCryptor encrypts your files using the AES-256 standard ... Each file is encrypted individually in real-time and stored in a folder of your choice, e.g. your Dropbox folder

Man I dig this place - the info that comes outta the woodwork. Back on-topic tho: does Box Cryptor allow for differential updates which, if I'm remembering this correctly, is a large part of how these services work?

 

[Swift-wp]

Well it depends whether the cloud storage provider does incremental backups to files or not.

BoxCryptor just encrypts the files within the folder.

 

[Arthur]

See this report.

Security Deficits at Dropbox, Mozy & Co.

The security of cloud storage services is often inadequate. This is the result of a study by the Fraunhofer Institute for Secure Information Technology in Germany, which tested various providers.

Conclusion: none of the tested providers were able to fulfill all of the security requirements, and some of them were even lacking proper encryption. In addition to technical shortcomings, the testers also found weaknesses in relation to user guidance. And the latter could result in confidential data being found with the help of search engines.