Dropbox Question 5 - Data Security

I'm also a casual user of Dropbox and just share random unimportant files with friends and family, so im not too concerned with security. But if I was to transmit sensitive data, I think I would still trust Dropbox.

Sorry in advance for sounding too naive, but doesn't the security of dropbox function much like the email services we all use so frequently? We transmit a whole lot of sensitive emails everyday, how is it not the same as putting that same information on dropox. Also, for enterprise use wouldnt it be prudent to not just rely on security of the services that they use, and just encrypt the files that go out?

For casual users like student, security might not be a big issue, even though I still don't want to upload some private files like diary or something. But when it comes to business customers, security is so important that no one want to take a risk to see whether Dropbox is security enough or not.
Right now cloud storage is not so safety that everyone can trust, but I believe in the future there will be some technique improve that can make sure it's information security, but right now I still stand beside and watch.

I think it needs to be mentioned that nothing is 100% secure on the internet. To simply google the words "Dropbox security hack" is a facile activity because even the most secure government sites has proven vulnerable to the most skilled hackers. The Sony Playstation Network hacking scandal earlier in the year shows that private enterprises are no exception either. IT security needs to know how to respond swiftly to security lapses, and end users also need to use discretion when uploading sensitive documents to be shared with others. Too much blame is often foisted on the host server, and end users must practice good habits in keeping their own accounts safe, the same way they lock their car doors and cover their pin numbers at ATM machines.

One way to mitigate security risks is perhaps to make a service so amazing that it will not get on the radar of hackers. Sony caught the ire of hackers when it tried to sue a small time modder. So far, the company culture of Dropbox has not given hackers any reason to target them. They are a burgeoning company providing a free service to everyone, and its nearly impossible to find fault with them. I would not be surprised if some hackers themselves used Dropbox to collaborate with their coding partners.

Just as bank money is guaranteed by the bank and the government itself, the future's best cloud data storage services will be able to guarantee, through monetary incentives or backup data copies, the safety of the client's data. As more and more services surface, we can expect this to be a main draw towards the best companies. Government bodies may also want to look into guaranteeing the safety of its citizens data, in much the way deposits are guaranteed by federal banks.

Thanks for your reply.
I just thought of a really interesting point of view about the security issue of cloud storage once I've heard several months ago:

If we want to keep our treasure or money, most people are willing to put them in a vault at the bank,
and let the bank help to watch it for us. It's the same idea as we put our data on cloud, and let them take care of it,
it's even safer than put it in the computer, which may be stolen or ivaded by others.

Although I showed some bad news about Dropbox,
what I want to emphasize is just "one should have the awareness of the risk", and should estimate the potential risk by oneself,
so far I'll still regard dropbox as a relatively safe place.

MarieDelasson wrote:In my opinion, there are 2 different issues with this question:
- The first one: Is Dropbox able to garantee a fair level of security of your data. Well, when I see Glen's comment, I have some doubts about it, but I think computing specialists are more able to discuss this part of the problem
- On the other hand, the real question is: can you put some very sensitive data on the Dropbox and be sure they will be safe? I have some concerns about that, and I guess it is exactly the same problem with gmail, facebook or any other storage device on the Internet. I think it could be to tempting for a company to sell private data in order to get easy money, and even if the user is supposed to know that, I am not sure he is always aware of it. Also, if your data are really sensitive and may have issues with the government for example, you should definitely not use Dropbox to share them!
In the end, I have a limited trust with the Internet in general and Dropbox in particular, so I stay very careful with the data that I share.

Data security is obviously one of the biggest issue concerning cloud computing.
However, what if rather than being the source of security concerns, the cloud could also offer a solution too? In September the Cloud Security Alliance released their first whitepaper ( https://cloudsecurityalliance.org/csa-news/csa-issues-first-secaas-white-paper/ ) defining Security as a Service, offered through the cloud.
The idea behind the paper is to start to define the various security services that could be offered as cloud-hosted products, including such areas as encryption, security information and event management, email security and so on. This will open up interesting possibilities. For example, by creating security services specifically hosted in the cloud, confusion over who has responsibility may be reduced. Moreover, it may allow businesses to more clearly and cleanly ensure segregation of duties between the cloud service provider (for example, a storage provider) and the security functions, which could now be delivered through a specialized third party.

I also did some research and summarized it a little bit. It is a little bit technical but maybe it facilitates the understanding a little bit.

First it is to say Dropbox does provide some security. A client gets downloaded from getdropbox.com and, after install, a folder called "My Dropbox" is placed onto their machine. The client creates two folders by default: Photos and Public. Data transferred between these folders and Dropbox servers are protected with SSL. In addition, before it is stored on Dropbox's back end, that data is encrypted with AES-256.

One issue, though. Once you give access to the "Photos" folder, a user can peruse your photo album and any sublevel albums.

The folders that reside on the client side allow the syncing up of data between multiple machines. Each machine involved in the synchronization must have the Dropbox client installed. The client software can be installed on Windows, Mac or Linux, placing an icon on the system tray in Windows for quick access.

Users can log into an account management area from the getdropbox.com. From here, users can do things like add users to shared content, upload files, and also revert files back to a specific version or undelete a file. This is because Dropbox takes a snapshot every time a file change occurs.

Dropbox is comparable to other online storage services of this nature. It gets a bonus for the snapshot feature. It's a good alternative to having to remember to carry around flash drives, or having to send untold amounts of e-mail attachments to share data with others. But it's probably not the place you would want your most sensitive data to reside.

Here is another example of dropbox's past vulnerabilities.
http://www.macworld.co.uk/macsoftware/news/index.cfm?newsid=3297796
It's a little too technical to understand how it goes, but I guess the points are followings.

1. Unauthorized access > files are distributed to someone without knowing that is happening
2. Attacker steals ID > all victim's files are downloaded to attacker when he resynced
3. Request files from certain URL using different ID

Also, last paragraph said, "The attacks could have been used to hide data within Dropbox's cloud, the researchers say. Unlimited chunks of data could be uploaded to the cloud without being associated with the attacker's account by using a modified Dropbox client"

Including what Glen posted, unauthorized access and share files secretly were two big security issues they had. I presume, unauthorized access is always an issue for service which handle data. It may take place by different way in the future.

So far, people who concerns about security for dropbox need to protect files by own. Not uploading important file in dropbox is the most secured of course, but beside that some people zip it with password or using software like secret sync. http://getsecretsync.appspot.com/download/lifehacker/

In my opinion, there are 2 different issues with this question:
- The first one: Is Dropbox able to garantee a fair level of security of your data. Well, when I see Glen's comment, I have some doubts about it, but I think computing specialists are more able to discuss this part of the problem
- On the other hand, the real question is: can you put some very sensitive data on the Dropbox and be sure they will be safe? I have some concerns about that, and I guess it is exactly the same problem with gmail, facebook or any other storage device on the Internet. I think it could be to tempting for a company to sell private data in order to get easy money, and even if the user is supposed to know that, I am not sure he is always aware of it. Also, if your data are really sensitive and may have issues with the government for example, you should definitely not use Dropbox to share them!
In the end, I have a limited trust with the Internet in general and Dropbox in particular, so I stay very careful with the data that I share.[quote="Glen Yang"]

andykorn87 wrote:Dropbox had a serious bug this June, all the users could log in without correct passwords,
(news from their blog : Yesterday’s Authentication Bug )
and that dangerous situation was lasting for 4 hours, although they claimed that they fixed the bug and there was only a little harm,
but no one can guarantee Dropbox will no longer make a mistake.

You can say there's very very little chance to encounter the misfortune,
but I think everyone should have the awareness that there are always potential risks while using any services on the internet,
especially the cloud services.

andykorn87 wrote:What is your point of view concerning the data security...do you rely on Dropbox by synchronizing important documents like CVs or contracts?

I would like to see more discussion on this, e.g., Dropbox's current mechanism for synchronizing and the potential privacy risk it entails. A complete or clearer description about how it operates would be nice.

andykorn87 wrote:What is your opinion about the data security of Dropbox, do you think they would be able to offer synchronizing services also to companies by ensuring data security?
What is your point of view concerning the data security, do you think Dropbox also store information like Facebook or Google and do you rely on Dropbox by synchronizing important documents like CVs or contracts?

Please share your opinions, I am looking forward for reading your interesting answers.

Dropbox had a serious bug this June, all the users could log in without correct passwords,
(news from their blog : Yesterday’s Authentication Bug )
and that dangerous situation was lasting for 4 hours, although they claimed that they fixed the bug and there was only a little harm,
but no one can guarantee Dropbox will no longer make a mistake.

You can say there's very very little chance to encounter the misfortune,
but I think everyone should have the awareness that there are always potential risks while using any services on the internet,
especially the cloud services.

For many start-up companies, Dropbox is a storage alternative to Google Doc which is so diversified that it can be a competitor of many new businesses. A good example of this is Groupon France which started its operations enormously relying on Google Doc and which moved progressively to Salesforce (CRM and Database) with private cloud service and Dropbox when Google announced its intention to take over the company and then to launch Google Offer.

In my opinion, a company like Dropbox has the image of a neutral + player, it is obviously better skilled when it comes to defending data from thieves than other generalized players (ecommerce sites, tier 2 webmail, blogs...) and I think that the company couldn't survive from a data leakage scandal (massively handling personal data to third parties at the expenses of customers).

Ch

Hey,

To my mind, data security is a key factor when it comes to companies, since the data are often the value of the business (so you don't want it to be lost, corrupted or hacked). So like said in Q1, it is key to ensure data security for B2B activities.
When it comes to B2C, and so people like me, I think what matters the most is privacy. I want to be able to control who can see what, like in Facebook or Google docs. In my opinion, the way dropbox is doing it for now seems to be quite good, and I'm not concerned about them keeping my info. Indeed, you only stock documents, and not edit document on dropbox so i don't see how they'd be able to know exactly what you stock.
The example of CVs is nevertheless quite interesting as it can be easily found, and could be resold. But as privacy and security are the cornerstones of these businesses to be succesful, I don't see that happening.

No doubt that data security is important, especially for business customers, Dropbox understand this I am sure and the Dropbox for teams offer "bank grade encryption". Personally, I do not consider cloud based solutions to be less safe than any computer connected to a network, quite the contrary, and I happily store important documents in my Dropbox.

As a casual dropbox user I do not think that dropbox has any use of the data that is being shared via this channel since I myself am able to choose which data they can see and what I put on there as opposed to Facebook or Google who will track my actions regardless of me wanting them to or not.
Of course security is a main issue involved when dealing with companies and ensuring it is a crucial aspect of being able to tackle this customer segment. In order to do so the company should consider implementing additional services such as personal response in case issues arise and further encoding and protection of data.

If we are talking about business customer than I think safety is a very crucial condition. But I am sure that Dropbox is able to guarantee data security for a certain level, off course included with some additional fees for the customer. However, Dropbox has to explain how they avoid any data loss. The real problem is what you gonna do if you lose your whole data, or you have problems to access your data? I have no clear answer to this question, but Dropbox has to show some solutions how to avoid or to reduce this risks.

What is your opinion about the data security of Dropbox, do you think they would be able to offer synchronizing services also to companies by ensuring data security?
What is your point of view concerning the data security, do you think Dropbox also store information like Facebook or Google and do you rely on Dropbox by synchronizing important documents like CVs or contracts?

Please share your opinions, I am looking forward for reading your interesting answers.