Dropbox for Business security explained: is it enterprise ready?

Dropbox wants to move from business to enterprise class. Nobody could accuse it of not aiming high

In less than a decade, Dropbox has made the journey from being just the best-known brand in a wave of consumer cloud file storage firms to a plausible enterprise business service. It's still rare for startups to race so dramatically from pure consumer to high-end without losing something in the process, but today the firm remains a curious mixture of both, often very different, sectors under one banner.

The company launched Dropbox for Business in 2013 (more a relaunch of Dropbox for Teams, which appeared in 2011), followed in 2015 by the ambitious Dropbox for Enterprise, both attempts to chase a market offering big margins but difficult sales calls. The firm's own figures claim that among its 500 million accounts, it is used by 8 million businesses worldwide, 150,000 of which have subscribed to Dropbox Business. More generally, one in three UK Internet users uses Dropbox, and around three quarters of the firm's customers are non-US.

"There is a perception that we're a consumer company and not an enterprise one," Dropbox's EMEA head of trust Mark Crosbie told Computerworld UK. Judging from the new Enterprise service, that is now a pretty misleading view. Somehow, on the quiet, Dropbox has turned into a business service.

As to the view that it competes with old-style USB sticks, Crosbie raises the obvious point that USB sticks are simply a way to carry around files, lacking collaboration, synchronisation and external sharing.

"As you start to scale and have bigger forms of collaboration all of a sudden that solution doesn't scale and the overall security posture starts to fail."

What do businesses use Dropbox for?

At the simplest end of the scale: file and data storage, large file exchange, synching across desktop and mobile devices, and work collaboration. At the other end: deeper integration with systems such as Office 365 and the extension of file access to external collaborators with compliant admin and data security. In many cases, Dropbox-like services are simply a more secure and practical solution than running a file server or handing out USB sticks, and they also come with the added benefit of automatic and continuous file backup that can be restored by the employee rather than the IT team.

Rivals might point out that such features are not unique to Dropbox although the latter does claim extremely high availability and synching performance as a selling point.

Who uses Dropbox Business? Sectors where it has gained a particular following include media agencies, advertising, manufacturing (blueprints), and architectural firms. There are also sector-specific packages such as Dropbox for Education. Collaboration is a big driver. "That tends to be the beachhead for Dropbox," admits Crosbie.

Dropbox Enterprise v Business

The two are essentially identical, offering similar user account space, admin and collaboration tools, integration with third-parties via Dropbox's Business API, and even user migration (see below). Enterprise extends the analytics possible on usage and collaboration as well as being designed to manage much larger teams. Dropbox Business has three tiers: Basic, Pro and full-blown Business, with the first two imposing a limit on file recovery of 30 days.

Datacentres: With the ending of the Safe Harbour Agreement covering data transfers between the US and Europe and ongoing uncertainty over its replacement, the EU-US Privacy Shield, Dropbox announced plans to host customer data within a new datacentre in Germany by Q3 2016, running on Amazon Web Services (AWS). This aspect of the service is still clearly being developed.

Compliance: HIPAA, ISO 27001, ISO 27018, and SOC 1, 2, and 3.

Dropbox - migrating 'shadow' accounts

A concern when adopting Dropbox is that some employees might already have been using the service on a shadow IT basis to store business files, precisely the sort of security risk that prompts enterprises to adopt an in-house deployment in the first place. The first task, then, is to identify these accounts, in theory not an easy one. However, Dropbox Business/Enterprise offer capture tools to identify existing accounts and move them within the admin space of Business or Enterprise, as well as the ability to import users from Active Directory, LDAP or third-party identity providers.

In BYOD environments, users can use both personal and work accounts from the same device with full data separation. Access to personal accounts from work systems is enabled by the admin.

Dropbox - authentication and SSO

As with most big-brand services, authentication support offers two-step verification, with PIN codes delivered by SMS text message or generated by a mobile app, or, alternatively, single sign-on (SSO) through an identity provider: Google Apps, Auth0, Ping Identity, OneLogin, Symantec Identity: Access Manager, Salesforce and a defined list of other providers work out of the box. Using SSO obviously requires new users to be registered with those services first. Two-step verification would suit smaller Business users, while SSO will be the preferred option for Enterprise because it allows more complex authentication policies to be set.

Dropbox - data control

Admins can enable file sharing for external users through a link with edit or read-only access as appropriate. Passwords can also be set with expiration dates for files while access can be revoked on an individual or team basis. Unlimited previous versions of files can be retrieved.

Dropbox - data encryption

A vexed issue with cloud storage providers. Files are transferred over SSL/TLS and stored at rest using 256-bit AES in 4MB chunks. As with every cloud service, this sort of default, provider-managed encryption allows the provider's employees to gain access to the data under defined circumstances, or if requested to through a signed warrant. From 2016, UK data will be held inside a European datacentre.

According to Dropbox, this arrangement is fine even for large enterprises for about 80 percent of data, with about 20 percent requiring the enterprise to retain the encryption keys for the sake of compliance. The challenges of this are twofold: key management, and the task of identifying which data is critical. Enterprises must also embrace device encryption to secure synched or shared data; individual devices can be 'linked' to or unlinked from accounts, with a remote wipe facility if they are lost.

Dropbox - third-party integration

A major strength of Dropbox Enterprise going forward is the ability to add additional security layers through the Dropbox Business API. Popular sectors mentioned by Dropbox in the service's official security guide in addition to SSO include SIEM, Data Loss Prevention (DLP), eDiscovery, Digital Rights Management, migration and dedicated backup, and custom workflow management.

Dropbox has not been immune from security scares, including a small breach in 2012 and a more contentious one in 2014, in which hackers appear to have reused passwords from other sites to target weakly-secured consumer accounts. But its Business and Enterprise services have evolved into offerings that go far beyond the humble file storage game where the firm started. There is some way to go.

The Enterprise service is still in its infancy, and the migration from serving general business needs at a departmental level to being something developers embrace presents a big challenge. The advantage of Enterprise over Business is still not sharply defined enough. Competition is also incredibly tough, not least because platform vendors such as Microsoft and Google have file storage and collaboration systems of their own, before you even get to rivals such as Box. Dropbox remains a consumer file storage and sharing service, but it is the Business and Enterprise services that will decide its future success.
