GDPR Compliant is Not Enough – Privacy and Data Security at the 3 Biggest Cloud Providers
In 2018, the GDPR was everywhere. Suddenly, even people who had nothing to do with data security or IT security had to deal with the issue. At one point, all services that I used, privately or in the office, started sending out emails, assuring me that they updated their privacy policies according to the new regulation.
Now everything quiet down.
But now I ask myself: What exactly happened there? Did all of the big players secure everything in a way that allows me to use their services and sleep well at night, knowing my data is secure? The updated privacy policies at least suggest that. I think that many end users feel safe now.
Google, Microsoft, Dropbox and the other big cloud providers are apparently GDPR compliant, since they can still offer their services in the EU after the GDPR. But my question remains: Is the data secure, or did the providers just change the wording in their policies or internal procedures, to be protected enough and prepared in case of lawsuits? This question is especially relevant for sensitive company data that is stored in clouds. We took a closer look at the privacy policies and the security setup of the three biggest cloud storage providers Google, Microsoft and Dropbox. We explain in which way your data is secure in Dropbox Business, Google Drive in GSuite and OneDrive for Business, and in which way it is not.
Do You Pay in Euro, Dollar, or Data?
To figure out if you want to entrust the big cloud providers with your data, it helps knowing about their business model and about the purpose behind their offers. For example, if you are a free user of Google Drive and store your pictures there, they might be scanned and used as data fodder for Google’s image recognition software and to improve machine learning:
We use the information we collect in existing services to help us develop new ones. For example, understanding how people organized their photos in Picasa, Google’s first photos app, helped us design and launch Google Photos. (Google/Privacy)
Data is also often used to personalize ads. With the collected data, providers can create a very precise profile of each user, to display the right products at the exact right time and place.
Especially when you use free cloud storage, you should be aware that you are paying for storage space with your data and that the companies make use of this data. They may only use it to convert you into a buying customer, for example at Dropbox, where cloud storage is their only business. Google or Microsoft, however, offer many more services and your data might also be used for other purposes. In their privacy policies, they are quite outspoken about that, for example at Google Drive:
We collect information to provide better services to all our users — from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like.
Or at OneDrive:
Microsoft uses the data we collect to provide you with rich, interactive experiences. (…) We also use the data to operate our business, which includes analyzing our performance, meeting our legal obligations, developing our workforce, and doing research.
When you store your data at Dropbox Business or any other company cloud, your data might be treated differently, depending on the setup of your company cloud and on business agreements you sign. The providers want you to trust them and choose them over a competitor. Therefore, they will do their best to gain your trust with good security.
Data Protection Measures in Dropbox Business, OneDrive for Business and GoogleDrive in GSuite in Comparison
In 2019, all the large cloud providers offer well-engineered solutions with similar security measures. All of them take similar measures to guarantee business continuity. The servers are well-protected in a way that makes it highly unlikely that data is lost due to faulty servers or environmental causes. When it comes to encryption and protection against third-party access, the setup is very similar as well. When one provider implements something new, the others follow quite quickly. For example, Google implemented Perfect Forward Secrecy first, but Dropbox and the rest were quick in adopting it as well.
Infrastructure and Data Centers
The following chapter gives a quick overview over the security measures of the three biggest providers and points you to the sources for further reading. To list every precautionary measure to enhance security of the stored data, however, is beyond the scope of this article.
OneDrive for Business
Microsoft describes on their online pages on the issue of data center security, how they prevent strangers to access the facilities:
Only a limited number of essential personnel can gain access to datacenters. Their identities are verified with multiple factors of authentication including smart cards and biometrics. There are on-premises security officers, motion sensors, and video surveillance. Intrusion detection alerts monitor anomalous activity. Another important security measure is that all data is stored in at least two different places, several hundred miles apart. This way, an earthquake or any other environmental catastrophe would most likely not affect both places and the data would be secure.
Google Drive in GSuite
Google stresses, that all hardware and all servers are Google-made, to have the highest possible control and security standards. They provide a detailed whitepaper that contains information on the different security layers of the Google infrastructure. One focal point of this whitepaper is how the devices of Google employees are protected, to prevent phishing attacks and other attempts to get access to the Google universe.
We make a heavy investment in protecting our employees’ devices and credentials from compromise and also in monitoring activity to discover potential compromises or illicit insider activity. This is a critical part of our investment in ensuring that our infrastructure is operated safely.
Similar to OneDrive, access of employees to the servers and data is minimized as much as possible. Google goes one step further in planning to completely automate all processes to make human access unnecessary. However, this is probably still a long way off.
Dropbox offers a Whitepaper, about the security at Dropbox Business as well. One Chapter describes how once a year business continuity is tested to find possible vulnerabilities. This way, the provider wants to be prepared in case of an emergency.
The data of Dropbox and Dropbox users is stored at server centers of third-party providers in the US. These providers are responsible for server security, but Dropbox tests their security measures once a year. Companies with over 250 users can store their data in Europe. The European servers are hosted by Amazon Web Services and located in Frankfurt, Germany. As an additional security precaution, data and meta data are stored on different servers.
Encryption of Dropbox, Google Drive and OneDrive
All three providers have a similar (almost identical) setup when it comes to the encryption of cloud data. All data at rest is encrypted with AES encryption with 256 bits. This meets the state of the art and is therefore one of the most secure ways to encrypt data at rest. OneDrive implemented additional full volume encryption with BitLocker.
Data in transit is encrypted with SSL/TLS encryption by all three providers, which as well is the most common and secure solution for data in transit, at the moment. Another security feature that according to Google, they implemented first, is Perfect Forward Secrecy (PFS). With PFS a private SSL key cannot be used for sessions that occurred in the past. So even if someone got access to an SSL key, he cannot use it to decrypt older traffic.
OneDrive for Business
OneDrive offers a feature that allows business clients to store their keys in Microsoft Azure Key Vault:
With Customer Key, you control your organization's encryption keys and then configure Office 365 to use them to encrypt your data at rest in Microsoft's data centers. In other words, Customer Key allows customers to add a layer of encryption that belongs to them, with their keys.
Google also uses its own Key Management Service for Key Management:
Files or data structures with customer-created content written by G Suite are subdivided into chunks, each of which is encrypted with its own chunk data encryption key (“chunk key”). Each chunk key is encrypted by another key known as the wrapping key, which is managed by a Google-wide key management service (KMS).
Dropbox has a decentralized key management system in place:
Dropbox’s key management infrastructure is designed with operational, technical, and procedural security controls with very limited direct access to keys. Encryption key generation, exchange, and storage is distributed for decentralized processing.
Your Data is Not Protected From One Crucial Threat
All these key management solutions are technically sound and protect your data from many attacks and outside threats. But one central issue remains at all of them. Azure is a Microsoft product just as OneDrive Business and therefore, Microsoft can access the keys. Google is using its own KMS and Dropbox self-manages the keys as well. Hence, all providers are in a position to theoretically access all data of their customers.
That cloud providers can access customer data due to their technical setup is no secret. They can (and have to) use the keys to give out data when governments request cloud customer data and of course, Microsoft, Google and Dropbox have to comply. Even when the data is encrypted the provider can access the data because they have the keys to decrypt the data. Thanks to planned legislation like the CLOUD Act, providers have to hand over user data against their will. Unauthorized third parties can therefore access your data, even if it is just Microsoft, Dropbox or Google employees.
The ideal solution is the separation of encryption and storage. One expert takes care of storage and synchronization, the other independent expert takes care of encryption with zero knowledge standard. This way you have full control and the best of two worlds.
With zero knowledge encryption the encryption keys either stay on the user’s device, or, when transfer is technically necessary, the keys are encrypted on the device, before they are sent to the encryption provider. This way, the provider cannot use them to decrypt the data, even when governments should request cloud customer data.
Take GDPR Compliance Into Your Own Hands
All three providers offer state-of-the-art encryption. For that reason, they can still offer their services in Europe, even after the GDPR became effective in 2018. Whether the offered encryption really is an appropriate technical or organizational measure (TOM), to prevent third-party access as demanded by the GDPR, is debatable. We say no, since third parties can access the data. Only zero knowledge encryption reliably protects the data in a cloud from unauthorized access.
Encryption and the technical setup of the cloud providers did not change since the GDPR became effective. All providers guarantee GDPR compliance, but that does not mean that your cloud data is protected from all threats.
Become active yourself and add an extra layer of security to your cloud. Boxcryptor is optimized for the use with Dropbox, Google Drive and OneDrive, and is ideal for teams and organizations of all sizes. On our website, we offer extensive information on our technical setup, details on our encryption as well as key management. Find out, how we implemented Boxcryptor’s end-to-end encryption with zero knowledge standard. This way we guarantee, that full control over your company data remains in your hands.
Secure Your Cloud With Boxcryptor - Get to Know Boxcryptor in Our Free 14-Day-Trial
Start securing your cloud data now with the end-to-end encryption of Boxcryptor. Try out all collaborative features of Boxcryptor Company and Boxcryptor Enterprise for 14 days. The trial is free and you can start using Boxcryptor right away. No additional setup is needed after the trial period.