Is Dropbox Secure?

When it comes to file sharing software, Dropbox is often top of mind: many individuals and organizations use it to simplify their file sharing, syncing, and collaboration. But how secure is Dropbox, and is it right for your organization?

To break down Dropbox security effectively, we’ll explain what Dropbox is.

What is Dropbox?

Dropbox was initially created as a file sharing platform for individuals that made it easy to access your files (especially large files) from anywhere – simply edit the file and then access the latest version from any device. Thanks to both a web-accessible option and software you can install, Dropbox continues to make accessing files simple.

As Dropbox transitioned from consumer-only file sharing software to enterprise file sharing, it added new features to better secure user data.

Is Dropbox Secure: What Security Standards does Dropbox Utilize For Users?

When it entered the enterprise market, Dropbox added and improved some features for the Business version, including the ability to:

  • Unlink lost or stolen devices
  • Set permissions for file access and collaboration
  • Turn password protection on for files
  • Schedule expiration dates on shared links
  • Enable two-factor authentication

Encryption

Data in transit (including between any Dropbox app and its servers) is encrypted using SSL/TSL, designed to create a secure 128-bit or higher AES tunnel, and data at rest is encrypted using AES 256-bit encryption.

Further, the Dropbox cloud app is accessible via browser protected by an HTTPS connection.

Is Dropbox Secure?

Yes – mostly. But it’s lacking in some key areas.

Part of the appeal of Dropbox is that it makes interacting with other people and apps quick and simple. But for that to happen data needs to move freely without being unduly slow (due to pesky things like decryption). So, Dropbox keeps your encryption key on hand – which keeps processes moving quickly but it also means that Dropbox holds the key to your data and could look at your files at any time.

It’s not uncommon that technology sacrifices some security for performance, so Dropbox doesn’t stick out like a sore thumb here (for reference, even AES balances security and performance, which is why its key sizes only go up to 256 bits and limits how much it scrambles data). But Dropbox does come under fire despite that.

A few years back, critics including Edward Snowden famously called Dropbox “hostile to privacy,” which Dropbox didn’t refute – instead, Dropbox itself admitted that it could offer better encryption, and argued that users knew they were sacrificing some security for convenience and performance.

As a cloud-based service, Dropbox could offer better encryption; some other cloud-based file sharing software products use zero-knowledge encryption, meaning that no one – including the online service – besides you holds the keys to your data.

In terms of secure file transfer, Dropbox security hasn’t suffered many hacks, but the biggest ones were notably damaging to the company, resulting in both lost email addresses and 68 million leaked passwords.

Risks of Using Dropbox for Secure Transfer

  • Encryption key access: Dropbox retains the right to access your information – which they can do because Dropbox stores all encryption keys for its users for all tiers, from Basic to Enterprise. While this is mostly only a risk if Dropbox receives a government request for your data, Dropbox can theoretically decrypt your files and view them at any time. This also opens at least two avenues for data exposure: a rogue employee could decrypt and view your files, or an incredibly unlucky hack could expose Dropbox’s encryption keys, and thus user files.
  • Privacy and metadata: Dropbox regularly complies with government requests and other legal investigations to access data stored on its servers. Plus, metadata is accessible by Dropbox employees, usually as part of tech support.
  • Access settings: Dropbox offers two-step verification, but it’s an extra setting you must opt into. And, while Dropbox offers some access permission settings in its Business tier, it’s limited in how much it can protect from employee misuse or error.
  • Control over your files: Dropbox stores file version history and deleted files for 30 days (180 with a Business account) – supposedly. While this makes revisiting old versions or saving a mistakenly-deleted file simple and convenient, a 2017 error showed users deleted files, including some that had been “deleted” six years previously. Essentially, that data was never deleted and was vulnerable to a leak.
  • Personal data and devices: Like many platforms, Dropbox collects some personal information from users, as described in their privacy policy. Dropbox has also created documents outlining how Dropbox Business protects users’ devices but has not yet released the same outlining the security of personal files.
  • HIPAA and HITECH: Some tiers aren’t built to support PHI regulation compliance, and don’t offer full insight into user history and data movement.

Dropbox’s security is limited in both its ability and willingness to keep your data secure – so much so that a cursory internet search will reveal many guides on how to beef up your Dropbox security, including adding the extra step of encrypting data before you upload it to the service, a practice also recommended by Dropbox.

At the end of the day, Dropbox can be an affordable and “secure enough” way for small organizations and individuals to store and share files.

Secure File Sharing Solutions

If security is your main concern, or if the risks of Dropbox are too much for your organization, consider a different file sharing solution that meets – or exceeds – your security expectations. When it comes to your organization’s sensitive and business-critical data, a software solution made for business and industry file transfer and file sharing may be a better fit.

Managed file transfer (MFT), a secure solution that meets all aspects of inbound and outbound file transfers, is file sharing software that helps to centralize, automate, and achieve compliance with data security standards.

While using Dropbox as a secure transfer solution is good for free or low-cost occasional file sharing, managed file transfer is an affordable tool built to move your files securely from point A to B, all while tracking file movement and user access. Some MFT solutions, including GoAnywhere MFT, include content collaboration abilities with similar functionality to Dropbox. Comment on, edit, and view version history, all from one secure interface thanks to GoDrive.

GoDrive isn’t the only tool GoAnywhere offers to simplify your file sharing and collaboration:

  • Secure Mail lets you send sensitive data over email. Send multiple files at a time, control and limit downloads and access, set expiration dates, view audit trails, recall packages, and allow any recipient to respond securely, without the need for their own account.
  • Secure Folders are web-accessible network folders that can be accessed using a web browser and internet connection. Files can be transferred quickly between a desktop and internal network over a secure HTTPS connection. Detailed controls allow admins to specify user permissions and, like with Secure Mail and GoDrive, audit trails and reporting help you to maintain compliance requirements.