Home Security Data & Storage Are Cloud Services Really Secure? Reality Check On iCloud, Dropbox, OneDrive and...

Are Cloud Services Really Secure? Reality Check On iCloud, Dropbox, OneDrive and Google Drive

Cloud storage security concept

If you are one among those people easily influenced by screaming headlines about hacked accounts and compromised passwords involving the cloud storage, you won’t be thinking of using such services, ever. However, if you are already using the cloud, the question you should be asking is how secure are the services of major players like iCloud, Dropbox, OneDrive and Google Drive.

The truth is that cloud services are not as unsafe as they appear in the news. In fact, much can be said about the steps taken by service providers to make their systems more secure. We can also talk much more on the huge money they spent on security features upgrade.

Now, let’s take a closer look at these four major service providers. Please note, this is not going to be a slanted review, so you can be sure that it is an objective look at what is really happening in the industry.

Is Dropbox secure?

Dropbox logo security

We are sure you are aware of the fact that Dropbox has survived many security scares and in the process the company has managed to harden its security system accordingly.

Dropbox in 2012 admitted that a compromised password was used to access an employee’s Dropbox account through which hackers were able to get access to a file which have users’ email IDs, which were then spammed. However, the stored data was never really at risk, but that became a wakeup call as to how reputation damage could seriously and negatively impact a cloud service business.

From that time onwards, Dropbox has upped security on the login area, with an optional two-step verification process (one via a text message or time-based one time password applications). This feature added an extra layer of security for users.

Like any secure cloud services, Dropbox staff can’t see the content of your files. However, they do have access to the metadata in case they need to provide you technical support. Dropbox also makes it very clear that this access privilege is restricted to just a handful of staff for legal and technical reasons.

The data during transit is also safely encrypted using the Secure Sockets Layer (SSL) and at rest by using AES-256 bit encryption to which only Dropbox has the keys. Users can easily unlink lost or stolen devices from their account to reduce the risk of unauthorized access.

In addition, business version, Dropbox Pro, has a feature to enable viewer permissions for collaborative usage and one can set both passwords and expirations for those shared links, which further hardens the security system for premium users.

Is iCloud secure?

iCloud logo security

Apple iCloud may have come under fire after hackers stole photos of celebrities and splash them online, but it was not much about iCloud being unsafe; it was more of the celebs compromising their AppleID passwords.

Fact of the matter is that Apple has a good reputation in terms of security across all their devices. Well, Apple claims that user data is encrypted both in transit and at rest on their servers. Instead of using AES 256-bit encryption all across the board, the company uses “a minimum of 128-bit AES” which, perhaps, is considerably less secure.

The only thing one can see where 256-bit is deployed is for the iCloud keychain (that is used for storing and transmitting user’s passwords and credit cards details, also while deploying elliptic curve asymmetric cryptography and key wrapping process which is extremely good).

However, the iCloud keychain encryption keys are created on the user’s own devices and Apple staff has no access to them. Apple claims that it cannot access any of the core material that may be used for decrypting sensitive data and the only trusted devices that the user had pre-approved can access the iCloud keychain.

Secure tokens are used for authentication purpose when the user is accessing iCloud from other Apple apps (like Mail and Calendar) and there is also an optional two-step verification process (which can be turned on at this page). It authenticates you via a text message or device generated code for effecting changes to the account or signing into an iCloud from a new device.

Is Google Drive secure?

Google drive logo security

Google is one of the biggest victims of password compromise security scare which states that about 5 million Gmail accounts were hacked after one of its databases was dumped on a Russian security forum.

Since Google Drive uses the same Google account for accessing Gmail, there was a danger of everything being compromised. However, it eventually turned out that the dump was those of the old phished passwords and that at most 2% may have worked – even those were all reset immediately by Google.

After the one master key to login into all Google services was introduced, it became even more crucial for users of Google Drive to protect their login information. Google has shifted to HTTPS for all of its services to tighten security and this is coupled with introduction of ‘internal measures’ which would look for potential compromised login activity.

Besides, Google is now offering a two-step verification system like other players. As far as your data is concerned, it is safely encrypted during transit (to and from your device, and also while transferring between Google data centers) through SSL.

Is OneDrive secure?

Onedrive logo security

Microsoft Windows is known to be the #1 target for hackers and cybercriminals. However, OneDrive (earlier called SkyDrive) has not suffered from serious security breach. So, can it be safely said that the service is the most secured of all the cloud service providers? In fact, no, since none of these services have actually suffered from direct data breach.

However, most users are concerned about security issues and making private or public their privacy is very important. Microsoft also reserves the right to scan your files for any ‘objectionable content’ (just like iCloud). This could lead to accidental deletion of your data and your OneDrive account.

As for data security system that is outside the spying realm, while data is encrypted during transit using SSL technology, it remains unencrypted while at rest. Unless you are using OneDrive for business purpose, Microsoft has introduced per-file encryption system for encrypting files. In that case, each file has a unique key, so if a password was compromised it would be able to access just one individual file and not the whole storage.

All OneDrive users are now given a two-step verification process for enhancing their account security – via One Time Code app or through a text message.

Summary: is it safe to use any cloud storage services?

Although the cloud service remains, for many, something like an unknown quantity as far as security is concerned, but the truth is that data security is never totally black and white. It has its own share of fifty shades of grey.

Attaining a 100% secure data storage solution is like grabbing your own shadow. So you have to be prepared for what is ‘close enough’ as far as these services are concerned. This determination could easily be a deciding factor for you if you are a business which is regulated and that you have to meet compliance requirements, etc.

For consumers and many small business users, the cloud is actually secure these days. Data encryption is the prime issue here. Almost every cloud store now encrypts data in transit (i.e. as it is transferred to and from the cloud).

While user data may not be encrypted at rest, or if it is the cloud provider managing the keys, it also means that the data can be easily indexed, duplicated, compressed and then restored. In a worst case scenario, it also means that user data is not as secure as it might have otherwise been.

It is a good practice to take control of your data security by using on-the-fly encrypting services like BoxCryptor. Using such services is a good step towards reducing risk in the cloud.

One should also be aware that the weakest security link is not in the cloud service providers, but you, yourself. Also, it is good to follow the best security practice in terms of creating a password and you should never re-use any of your old passwords again.