Keeping your information safe and secure is a top priority for us at Dropbox, and we think it’s important to keep IT teams informed about how we do that. Online security is a moving target that’s always evolving as threats change, but there are several fundamental ways that we keep our infrastructure and customer data secure.
A chain is only as strong as its weakest link
People have multiple online identities across their work and personal lives, and Dropbox is just one of the many services the typical internet user has an account with. Attackers routinely compromise a single service and use this foothold to grow the access they have until they can take over a person’s complete online identity or deeply infiltrate an organization.
Dropbox, like all responsible online services, sees protecting our users’ online identity as the critical first step to protecting their data. The overwhelming majority of the attacks that we see utilize identities stolen from other services. Safeguarding this information is even more critical in enterprise IT environments where your identity is key to corporate access.
To address this, we added a feature that enables Dropbox administrators to require two-step verification (also known as two-factor authentication or 2FA) for all members of their team. We think that this is the single most effective step Dropbox users can take to protect themselves and their data. Enabling 2FA on all of their corporate and personal online services—Dropbox, Facebook, Salesforce, Apple, and Google—makes it significantly more difficult for an attacker to steal their online identity.
Currently, 1.5 million Dropbox users have two-factor authentication enabled, and we have no documented cases of any of these accounts being compromised. If we put these 1.5 million users in the context of the over 400 million total Dropbox users, we see that the adoption rate is less than 1%. This highlights how far we have to go. We are committed to raising the percentage of 2FA-enrolled users.
Another way for IT teams to secure user identities across multiple sites is to deploy single sign-on (SSO) based on the Security Assertion Markup Language (SAML) standard. This enables users to authenticate within their own organization and pass a secure token to services like Dropbox instead of having to maintain a separate password. Not only is this more convenient, it also prevents an attacker from signing in even if they know your password. Access to the SSO service can be the equivalent of a second factor.
Another important consideration is how people can protect themselves across the many remaining services that do not natively support 2FA or SSO. Using a password vault like 1Password enables individuals to have strong and unique passwords across many systems without having to memorize them. Implementing password vaulting tools shouldn’t just be viewed as an individual responsibility. IT leaders can easily deploy these across their organizations.
Making logical sense of security and breaches can be difficult. Security is a vast and complicated topic and we have to remember to prioritize risks based on actual data, not on the “fear of the day” being highlighted in the press. At Dropbox, we filter the noise and invest in those areas where we have the evidence that there are real and significant risks.
Protecting our users’ online identity
Our analysis of attacks shows us that the most common first point of attack is against users’ passwords, not our applications and infrastructure. Dropbox’s applications and infrastructure receive a high degree of security scrutiny. They are continuously reviewed, tested, and audited, and are therefore “hard targets” that are expensive to attack. It is simple economics for attackers to focus on end users.
We have built detection capabilities to protect user accounts, and our team has been able to block 95% of attempted password attacks automatically. When we have indicators that an individual’s password may have been compromised on another service, we routinely force a proactive password reset on their Dropbox account.
Working in partnership with the security community
We work closely with other organizations that are focused on promoting online security. One of many touch points our security teams have is through the Threat Exchange—a platform for responsibly sharing threat information.
Dropbox also believes that crowd-sourcing of security bugs is an important part of our commitment to deliver a secure product. We partner with HackerOne to run our “bug bounty” program. Security researchers can responsibly disclose security bugs and may be rewarded for their effort. For more information see the Dropbox page on HackerOne.
Building strong foundations, the core of an open ecosystem
What we have heard from customers is that they want a flexible approach to security. This means being able to architect a security stack that serves their entire enterprise and looks across multiple cloud providers and on-premises systems. They are thinking comprehensively about security.
We support this philosophy and have placed a great deal of focus on partnering with best-in-class security providers. We enable these partners by building APIs that allow deep integration of their security products into Dropbox. The number of Dropbox Business customers that use our API to integrate with a security service has tripled in the past year.
As threats, regulations, or business risks change, our customers have the flexibility of selecting the right blend of security solutions. We are also very actively developing new features for Dropbox Business and Dropbox Enterprise that provide more granular control and visibility with an eye on preserving usability, and scaling to even the largest enterprises.
Earning and maintaining the trust of our customers is the foundation of our business. We value the confidence organizations put in us and take the responsibility of protecting your information very seriously. It’s always at the top of our minds, and we’ll keep working hard to stay on top of our game.