How secure are Dropbox, Microsoft OneDrive, Google Drive and Apple iCloud cloud storage services?

Should you be worried about how secure your cloud storage provider is?

Davey Winder
3 May 2016

If you were to be influenced purely by the more tabloid of tech publications, with headlines screaming about hacked databases, compromised passwords and secret service data probing then you wouldn't touch the cloud with a bargepole.

Truth be told, cloud services are not as insecure as the occasionally screaming headlines make out. In fact, there's much to be said for the argument that Dropbox, iCloud, Google Drive and OneDrive have both the money and motivation to make their data stores much more secure than you could hope to achieve on your meagre budget yourself.

So let's take a look at these four services, but first we need to get a few things out of the way. This isn't a review of these services, if you want to know what ins and outs of the cloud services, take a look at our article: Dropbox vs OneDrive vs Google Drive: what's the best cloud storage service of 2014?

How secure is Dropbox?

Dropbox has survived security scares, and hardened its security posture accordingly

Dropbox dropped the ball back in 2012 as far as security was concerned when it admitted that a compromised password had been used to access an employee Dropbox account which gave access to a document containing some user email addresses which then got spammed.

Stored data was never at risk though, but it served as a wake up call as to how reputational damage can impact a cloud business. Since then Dropbox has upped its game on the login front, with optional two-step verification (via text message or Time-Based One Time Password apps) adding an extra layer of security to user accounts.

Like most cloud services, Dropbox employees cannot view the content of the files you store but can access metadata if they need to in order to provide tech support for instance. Dropbox makes it clear, however, that a small number of employees can access stored files if required to for legal reasons.

Data in transit is encrypted using Secure Sockets Layer (SSL) and at rest using AES-256 bit encryption to which Dropbox holds the keys. Lost or stolen devices can be easily 'unlinked' from your account to further mitigate the risk of unauthorised access.

The business version, Dropbox Pro, adds an ability to enable viewer permissions for collaborative usage and set both passwords and expirations for shared links which hardens the security posture for power users.

How secure is iCloud?

Two-step verification is a must have for any security aware cloud user

Although Apple iCloud came under fire last year when hackers apparently stole photos of celebrities and published them online, this was less a case of iCloud being insecure and more a case of those celebs getting their AppleID passwords compromised through successful phishing attacks elsewhere.

In fact, Apple has a pretty good reputation when it comes to security across its devices, but how does that translate into cloud services?

Well, Apple says that data is encrypted both in transit (using SSL) and at rest on the server. Rather than using AES-256 bit encryption everywhere, however, it uses "a minimum of 128-bit AES" which is considerably less secure. The only thing that I can see where 256-bit is employed is for the iCloud keychain (used to store and transmit passwords and credit card data, also employing elliptic curve asymmetric cryptography and key wrapping which is good) so have to assume all other data is protected by weaker encryption which is not particularly encouraging.

The iCloud keychain encryption keys, however, are created on your own devices and Apple can't access them. Apple says it cannot access any of the core material that could be used to decrypt that key data and only trusted devices that you have approved can access your iCloud keychain.

Secure tokens are used for authentication when accessing iCloud from other Apple apps (such as Mail and Calendar) and there is optional two-step verification (which can be turned on at https://appleid.apple.com/account/home) via text message or device generated code for making changes to account information or signing into iCloud from a new device.

How secure is Google Drive?

One account shall access them all - so securing your login is paramount

Google has also fallen victim to the password compromise security scares that impact on so many services. Last year it was claimed that nearly 5 million Gmail accounts had been hacked when a database was dumped on a Russian security forum.

Because Google Drive uses the same Google account for login as Gmail, the danger was that everything was compromised as a result. It turned out, however, that the dump was of old phished passwords and at most 2% may have worked - but were all reset by Google anyway.

What this illustrates is how much of the security of a service such as Google Drive, which uses a single account to access multiple services, depends on the user protecting that login. Google now uses HTTPS on all of its services, which is to be applauded, and also implements 'internal measures' to look out for potential compromised account login activity.

In addition, Google offers two-step verification like the other services mentioned here. As for your data itself, this is encrypted in transit (to and from your device, and also between Google data centres) using SSL but only stored at rest using 128-bit AES like iCloud.

How secure is OneDrive?

How secure is OneDrive?

Encryption at rest is available on OneDrive, but only for business users

Although Microsoft Windows is the number one targeted platform for hackers and cybercriminals, so far OneDrive (formerly called SkyDrive) has remained fairly free of any serious breach headlines.

Does this mean it's the most secure of the services we have covered here? Not really, as none of them have actually suffered a direct data breach (rather than user-compromised access) that has come to our attention.

Much of the public concern surrounding OneDrive security is actually that user-error stuff once more; the wrong file sharing permissions and password insecurity mainly. Actually, files aren’t shared with other people unless you save them in the Public folder or choose to share them.

Microsoft does reserve the right to scan your files for 'objectionable content' (as does Apple iCloud) which could lead to deletion of the data and your account. That is seen by many as a reason to look elsewhere as file security cannot be guaranteed if the content provider deems it objectionable.

As for data security outside the snooping realm, while data is encrypted in transit using SSL it remains unencrypted at rest. Unless you are a user of OneDrive for Business as from the end of last year Microsoft introduced per-file encryption which encrypts files individually each with a unique key; so if a key was compromised it would only access one individual file rather than the whole store.

All OneDrive users do get access to two-step verification though, which further protects the login via One Time Code app or text message.

How secure is cloud storage: summary

Although the cloud remains for many something of an unknown quantity as far as security is concerned, the truth is that data security is never black and white but rather fifty shades of grey.

Attaining a 100% secure data storage solution is akin to grabbing your shadow; you can get very close but will never actually do it. So you have to determine what is 'close enough' as far as cloud services are concerned. This determination may be decided for you if you are a business which is regulated and has to meet compliance requirements, and that may mean that not all your data can be stored in the cloud.

For consumers and most small business users though, the cloud is actually pretty secure these days. Data encryption is, if you'll excuse the pun, key here. Just about every cloud store will encrypt data in transit, that is as it's transferred into and out of the cloud, and some (usually if you buy the business version of the service) will encrypt it at rest, or while it is being stored, as well.

While data not being encrypted at rest, or if it is then the cloud provider managing the keys, does mean that the data can be indexed, de-duplicated, compressed and easily restored in a worse case scenario it also means that your data isn't as secure as it might otherwise be.

If you really want to ensure that your data cannot be peeked at, then encrypt it yourself BEFORE you send it to your cloud storage provider. If you have control of the keys, then 'the men in black' cannot borrow them for a quick peek without you knowing about it.

Taking control of your own data security by using an on the fly encryption service such as BoxCryptor for example, is a good step towards mitigating risk in the cloud. Another is to be aware that the weakest security link is not the cloud provider, but rather you yourself. Follow security best practise in terms of password construction and use (don't re-use passwords across services) as well as employing two-factor authentication where available and your risk mitigation level gets even better...

Read more about: