Dropbox Security: Good Enough?


I don’t intend to argue the merits of the suit, except to say that I’m skeptical that people really know what they mean when they say “best practice.” (I’ve written critically about that term “best practice” before.)

Dropbox has apparently clarified its description of how files are secured on their servers.  They made it clear that customer data can be accessed by “a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so).”

Some people seem to be outraged by this revelation and are showing their displeasure by cancelling their Dropbox accounts.

Should you do likewise?  If you honestly feel deceived, perhaps you should.  But if you’re more concerned about the confidentiality of your data, Dropbox is still a reasonable choice.

The answer to the question, “is X secure?” is never just yes or no.  The correct question to ask is “how secure is X, given some risk Y?”  In other words, there is no absolute standard of security; security is relative to the value of the information and the loss that would occur if it were compromised (i.e., risk).  This question applies to all external (cloud) services.

If you have very high value information, like national security secrets or future winning lottery numbers, Dropbox is not the place for you.  But what about things like customer information, credit card information, or electronic health records?  — you know, the practical data organizations deal with every day.  Are these things safe on Dropbox?  I would argue that they are, and probably more so than if you kept them on your own systems.

While the FTC complaint alleges that industry best practices are not followed, Dropbox’s revised description of their practices (if their website is to be believed) certainly falls into the realm of reasonable and prudent.  Specifically, they:

  • Encrypt data at rest
  • Encrypt data in transit
  • Provide administrative and technical controls to prevent disclosure by privileged staff.

That last point may need some explaining.  It’s not necessary that no one have access to your data, only that the people who do are prevented from misusing that access.  Is that an ironclad guarantee of protection? No, but it’s reasonable and prudent, and that’s what most regulations such as HIPAA and SOX require.

There are those who will say, “I don’t trust anybody else with my data.”  They will argue that a more secure storage system is one where only you have the encryption key.  Since only you can decrypt the data, the storage provider can’t access it legitimately or illegitimately, so your data is more secure.

Well, maybe.  What you’ve done is transfer the responsibility from the storage provider back to yourself.  That may or may not be a good thing. Unless you have a well-thought-out security plan, you’re probably not doing as good a job as Dropbox is, even with their allegedly misleading advertising.

Here are just a few questions I would ask you:  how well do you protect access to your data before it is encrypted?  Who has access to the key?  How is that access controlled?  Is access to the data logged?  Can it be audited? Is the encryption key backed up?  If your laptop is stolen, can you recover the key? Could a rogue employee steal the key or hold it for ransom?
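Two of those questions, whether the key is backed up and whether one rogue employee could steal it or hold it for ransom, have a standard answer: never keep the key whole. The example below is added here and is not part of the original post or of Dropbox’s own design. It splits a 32-byte key into shares with Shamir secret sharing over a prime field, so that any three of five custodians can rebuild it (backup, stolen laptop) while one or two cannot (single insider). Names such as `split_key` and `recover_key` are my own; only the standard library is used.

```python
"""Threshold key backup (Shamir secret sharing over GF(p)).

Added example, not from the original post. The key is never stored whole:
any THRESHOLD of NUM_SHARES custodians can rebuild it, fewer cannot.
"""
import secrets
from typing import List, Tuple

# 2**256 - 189 is the largest prime below 2**256, so a 32-byte key fits as a field element.
PRIME = 2**256 - 189

Share = Tuple[int, int]  # (x, y): one evaluation of the hidden polynomial


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... (mod PRIME) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, num_shares: int) -> List[Share]:
    """Split `key` into `num_shares` shares; any `threshold` of them rebuild it."""
    if not 1 < threshold <= num_shares:
        raise ValueError("need 1 < threshold <= num_shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recover_key(shares: List[Share], key_len: int = 32) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With fewer than `threshold` shares this still returns *some* value, but
    (except with probability ~1/PRIME) not the key: the shares reveal nothing.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed demo key; a real one would come from the data-encryption step.
    key = secrets.token_bytes(32)
    shares = split_key(key, threshold=3, num_shares=5)
    print("3 of 5 rebuild the key:", recover_key(shares[1:4]) == key)
    print("2 of 5 rebuild the key:", recover_key(shares[:2]) == key)
```

The custodians can be people, hardware tokens, or an offline safe; what matters for the questions above is that the quorum is recorded (who holds which share, and each reconstruction event) and that losing one share is an inconvenience rather than a data loss.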

My experience is that most organizations don’t even come close to having acceptable answers to these questions.  For those organizations, storing data at a provider, even an allegedly deceptive one like Dropbox, is actually an improvement over managing security on their own.

Dropbox may or may not have misled their customers, but their storage system provides reasonable security for most commercial uses.
