Ask LH: Is It Safe To Use Dropbox For Collaboration?

Hi Lifehacker, My company is thinking about using Dropbox for daily file transfers (such as working from home and not needing to email the document to another email), but some people are concerned about the possible access the general public would have to the files. Do you guys have any suggestions of how to keep the info as secure as possible using Dropbox? Or is it not advisable to use Dropbox if we’re planning on using it for confidential information? Thanks, Laura

Dear Laura,

It's a good question (and one which actually popped up in a comment but which merits a broader answer).

We're big believers in using Dropbox for collaborative work, and the US Lifehacker team offered a detailed guide a while back on how to make that work. The approach outlined there is worth checking out for some general ideas, so I won't repeat them here. In terms of security, the answer to your question is: Dropbox is fine as long as you approach it the right way.

The wrong way is to drop files in the 'Public' folder on a Dropbox account, since that creates a web link which is accessible to anyone who gets hold of it.

As we've suggested before, a better idea is to set up a work Dropbox which everyone can log into. That means there are copies of vital files on multiple machines, and the newest versions are automatically replicated. If someone wants to grab a file for use on an unfamiliar machine (perhaps an emergency presentation), that's also possible by logging in via a web browser.

Note that while they are shared, those files aren't available to the general public; only people who have the relevant login address and password can get to them. Make sure to use a strong password and change it regularly (including whenever a team member leaves or takes on a new job).

That approach isn't foolproof: if the password leaks, then those documents will be accessible. But that applies to virtually any collaboration system. Given its ease of installation and availability on a wide range of platforms (including via a web browser), Dropbox is still a great solution for when you want to exchange files or have them available to multiple members of a team but don't need actual, real-time interaction.

Cheers, Lifehacker


Comments

    There is also this method from LH if you are super paranoid/have specifically sensitive information http://bit.ly/kgPjaV.

    I think Wuala is a GREAT option, since it's encrypted all the way. And I want to remember that Dropbox isn't.
    Please correct me if I'm wrong, have a nice Friday :)

    Except, as per an email I've forwarded to LH (and hope you guys investigate further), there's a significant security hole in the way Dropbox authenticates to registered devices.
    More at this link: http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

    I am using Dropbox. I have a desktop computer and a laptop. Every time I travel I sync my working files to Dropbox so that I could still continue my online job while on travel. I don't put my files into the 'Public' folder because obviously it's for the public. I have employers who share their files to me via Dropbox and so far we have no problem.

    If your information/resources are valuable and you're putting them online assume it's going to be public (but take measures to make sure it's not) and anyone - including the hosting company - can access it. As people already commented, Dropbox has known flaws in its security; other systems may too.

    It's a little more hassle but a lot less risk of being compromised:

    Encrypt your files before uploading them.

      I think encrypting them even when they're on your own network is important if they're sensitive enough. Anything that goes out online should be encrypted, even if that online space is supposedly "private." I only use Dropbox for personal stuff, and encrypt stuff that could prove problematic if someone got hold of it (e.g. I have a PDF of my birth certificate and driver's license in there somewhere, but strongly encrypted with a 20+ character password with TrueCrypt.) Everything else, whilst I don't expect it to get into other people's hands, it doesn't matter if it does (if they really want my Uni assignment from last semester, they can have it!)

      I think a general rule of thumb is, if it's confidential and/or for a business (and in the case mentioned in the post, it would be) always encrypt it no matter what service you're using. For personal stuff, not quite as important except for personally identifiable information (such as driver's license, birth certificate, passport etc).

    Good article – here is another cloud storage solution that is fully encrypted:
    With SugarSync, you get 5GB of cloud storage space with the FREE version, but now there is no restriction to the number of computers you can sync/backup (up from 2).
    It gives you the ability to upload and sync any folder on your computer.
    It is the only service that offers such a broad device and OS support with apps for BlackBerry, Android, iPhone/iPad, Symbian, not to mention your computer!
    You can also stream MP3 music files to your smartphone or computer.

    It depends on what you want to do. For many regulated industries, Dropbox is not compliant. Their website clearly states this:
    https://www.dropbox.com/help/238
    Dropbox Enterprise File Transfer from Thru is the secure solution for businesses and enterprises. Their solutions have been working for large businesses for ten years without a single security breach. http://www.thruinc.com/solutions/dropbox-enterprise-file-transfer/
    http://www.thruinc.com/products-services/secure-file-transfer/

    Laura, I hope you have found a solution by now. There are many ways to have shared folders for multiple people each with their own account (think audit trails from a PCI perspective). I would be scared to have too many people with a single login. How do you communicate the new password when it needs to be changed? Not email I hope! I've been suggesting this solution (GoAnywhere Services) to my customers. It allows remote file access, shared team folders, virtual links to network shares, AND all the files stay on your corporate networks! http://www.goanywheremft.com/products/services
    It is definitely worth a few thousand quid to know that everything you are doing is secure and meets the compliance requirements of your locality.
