Is Dropbox Secure Enough For Lawyers?

Filed under: Cloud | Tags: |

I have been using DropBox in my practice for over a year and I have been absolutely thrilled with it. It keeps my computers synchronized and with its versioning and off site storage, it provides a layer in my backup strategy.

Later this year I will be doing  a presentation on cloud based services for lawyers at Colorado Trial Lawyers Convention. This has given me a chance to go back and review Dropbox’s security. I have to say, I have come away impressed.

Much of this is taken from Dropbox’s website and the Amazon S3 site (Dropbox uses S3 for its storage).

How secure is Dropbox?

  • Shared folders are viewable only by people you invite.
  • All transmission of file data and metadata occurs over an encrypted channel (SSL).
  • All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.
  • Dropbox website and client software have been hardened against attacks from hackers.
  • Dropbox employees are not able to view any user’s files.
  • Online access to your files requires your username and password.
  • Public files are only viewable by people who have a link to the file(s). Public folders are not browsable or searchable.

Where are Dropbox files stored?

  • All files stored online by Dropbox are encrypted and kept securely on Amazon’s Simple Storage Service (S3) in data centers located along the east coast of the United States.

So lets take a look at Amazon’s security:

PHYSICAL SECURITY

Amazon has many years of experience in designing, constructing, and operating large-scale data centers.  This experience has been applied to the AWS platform and infrastructure.  AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means.  Authorized staff must pass two-factor authentication no fewer than three times to access data center floors.  All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides data center access and information to employees who have a legitimate business need for such privileges.  When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services.  All physical and electronic access to data centers by Amazon employees is logged and audited routinely.

BACKUPS

Data stored in Amazon S3, Amazon SimpleDB, or Amazon Elastic Block Store is redundantly stored in multiple physical locations as a normal part of those services and at no additional charge.  Data that is maintained within running instances on Amazon EC2, or within Amazon S3 and Amazon SimpleDB, is all customer data and therefore AWS does not perform backups.

In summary, your data is encrypted during transmission and storage, kept in redundant, distributed data centers guarded with security systems that no single law firm could possibly hope to match.

So, yes, I consider cloud based storage (at least as far as Dropbox is concerned) to be secure* enough for lawyers.

*Note: there are other issues to be considered, such as the cloud providers Terms of Service. However, that will have to be a topic for another day.

07/14/11 UPDATE: Since this article was written a lot has changed with Dropbox:

  • I have written about the June 2011 security hole left Dropbox accounts open for several hours.
  • A summary of the rapidly changing Dropbox terms of service.
  • If all this makes you scared to use Dropbox, you can always set up your own synchronizing service with a pogoplug. The trade off is reduced physical security (you’re not going to be able to have the same physical security as Amazon), but you control user access and when data gets turned over to the feds (assuming they don’t just seize everything). Check out my discussion of the pros and cons of do-it-your-self vs various services.

The upshot is that regardless of the “planned-for” security, “actual” security is based on how a service deals with attacks, treats its uses data, and how it evolves over time. I wrote on Ben Stevens site that the ultimate goal is for a syncing services that allows per-file pre-encryption. However, that goal still has to be achieved within a system where the syncing works. That may seem obvious, but syncing is hard.

Consider the relatively simple task of synchronizing contacts and calendars between several systems (iCal, Google, etc). I still hear frequent complaints of duplicated entries or older versions “updating” newer versions with bad information. Again, syncing is hard. The thing about dropbox is that it works. It does sync, cross-platform, and it doesn’t mess up files (even with some picky programs on the Mac like Notebook which have had problems with other sync services).

So, while I am on the lookout for the service that will allow per-file pre-encryption, the first and foremost concern is a service that will not chew up and destroy my files (especially if it does it slowly so it is not noticeable until it is too late).

One contender in the market for per-file pre-encryption is Spider Oak. If you have used in, particularly in a Mac environment, please let me know your experiences. Thanks!