Last month, InfoWorld reported that people are sharing files with sensitive personal information “with the world” on Microsoft’s Docs.com site, which at the default settings can be searched and accessed by virtually anybody. You can be sure there are employees out there using the site, and others like it, for uploading company files, as well. This is especially true in small, new, or more loosely run organizations that haven’t implemented strong policies and educated their users regarding the use of various cloud sharing and storage services.

And of course, the same is also true of numerous other cloud storage and sharing sites: Google Drive, Amazon Drive, iDrive, Apple iCloud, Dropbox, Box, and many more. Many small businesses use these services, but information workers also often have their own “personal clouds,” and if you don’t have firm policies (that are firmly enforced) in place, some of them may be putting company documents there, at least temporarily, to make it easier for them to access and work on those files from home or when traveling.

Don’t assume that “what happens on the company server stays on the company server.” If users can download docs to their hard drives to work on them (which is necessary when they have slow or unreliable Internet connections, or need to work where Internet connectivity isn’t available – for example, on a plane that isn’t Wi-Fi equipped), they may save them to other locations, as well. Digital rights management solutions can help prevent this, but there are ways around it. Never underestimate the ingenuity of workers whose objective is to make things more convenient for themselves.

Knowing where you are

Not all cloud storage and file sharing services are created equal when it comes to security – nor are they intended to be. What got some users of Docs.com in trouble was that they didn’t understand the difference between a file-sharing site and a file storage site. It’s no wonder, because many services bill themselves as both and the lines get blurred.

Microsoft’s cloud-based storage service is OneDrive. When you save files there, unless you place them in the Public folder, they can’t be accessed by anyone else by default. You can change those permissions to share them with specific people. Data in transit is encrypted in both personal and business versions of OneDrive, but data at rest is not encrypted unless you use OneDrive for Business, which uses 256-bit AES. Both versions support multi-factor authentication via a code sent to your phone as a text message, or verification via the Microsoft Authenticator phone app.

You can use third-party solutions such as Boxcryptor (free for non-commercial use) to protect your OneDrive data with end-to-end encryption.

With OneDrive for Business in Office 365, your data is encrypted at the disk/volume level by Microsoft’s BitLocker. Per-file encryption is also available: chunks of files are encrypted with separate keys and distributed randomly throughout the data center in different storage containers; the encryption keys that are used are themselves encrypted with a master key; and the keys and master key are stored in physically separate data stores.
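The key hierarchy described above can be sketched in a few lines of Ruby. This is an added example, not Microsoft's implementation and not code from the article: the AES-256-GCM mode, the random chunk ids used as associated data, the 64-byte chunk size and the store layout are all assumptions made for illustration.

```ruby
require 'openssl'
require 'securerandom'

# AES-256-GCM. Returns nonce || tag || ciphertext; aad ties the blob to its chunk id.
def seal(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Reverses seal. Raises OpenSSL::Cipher::CipherError on a wrong key or altered data.
def unseal(key, blob, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.auth_data = aad
  cipher.update(blob.byteslice(28, blob.bytesize)) + cipher.final
end

# Encrypts each chunk under its own fresh key and wraps that key with the master
# key. Chunks and wrapped keys go to separate stores; the master key is in neither.
def encrypt_file(master_key, data, chunk_size)
  content_store = {} # random chunk id => encrypted chunk
  key_store = []     # [chunk id, wrapped chunk key], in file order
  0.step(data.bytesize - 1, chunk_size) do |offset|
    id = SecureRandom.hex(8)
    chunk_key = OpenSSL::Random.random_bytes(32)
    content_store[id] = seal(chunk_key, data.byteslice(offset, chunk_size), id)
    key_store << [id, seal(master_key, chunk_key, id)]
  end
  [content_store, key_store]
end

# Needs all three pieces: master key, key store and content store.
def decrypt_file(master_key, content_store, key_store)
  key_store.map do |id, wrapped|
    unseal(unseal(master_key, wrapped, id), content_store.fetch(id), id)
  end.join
end

if __FILE__ == $PROGRAM_NAME
  master = OpenSSL::Random.random_bytes(32) # constructed key, held apart from both stores
  content, keys = encrypt_file(master, ('constructed sample row;' * 10).b, 64)
  puts "#{content.size} chunks, #{decrypt_file(master, content, keys).bytesize} bytes recovered"
end
```

Someone who obtains only the content store, or only the key store, recovers nothing; the design depends on the master key being protected separately from both.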

Whereas OneDrive is designed to be a place to store your files, Docs.com is intended to be all about sharing that data. You can restrict the audience to whom the files are accessible, but by default they’re shared with everybody – the opposite of OneDrive’s default settings (on all but the Public folder).  

In fact, Docs.com is more than a place to share documents; it goes a step further to help you showcase them, by providing personalization and presentation tools so that you can create a branded profile and use Sway to “tell the story” with your shared documents. Sway makes it easy for users to create newsletters, interactive reports, and slide shows.

Once you understand the primary purpose behind the different services, the default permissions settings make sense. It’s not a flaw on the part of Docs.com; when your primary purpose is public sharing of documents, focus is naturally on accessibility rather than restrictive security. Users need to be educated about these differences, and if you do decide to allow them to utilize online file sharing and file storage services, they need to be aware of default permissions settings and know which services are best for securely storing their files.

TANSTAFS (There Ain’t No Such Thing as Free Storage)

With apologies to Robert A. Heinlein, actually there is such a thing as free storage, but it’s important to keep in mind another old adage: you get what you pay for (and you often don’t get what you don’t pay for). When users put their own solutions in place, those are often the “free” or low-cost storage services. As evidenced by the difference, described above, in file security on a free or low-cost personal OneDrive account vs. an Office 365 OneDrive for Business account, services designed for consumers will usually have less of a focus on security than those aimed at businesses.

Some other services that are commonly used by consumers (and may be used by employees who seek to make their lives easier) include the following:

  • Google Drive – Google’s usability strength, and its security weakness, is that it uses one account for logging into all of its services. Your Gmail account is also your Google Voice account, your Google+ account, and your Google Drive account. If the user credentials for that account are compromised, all of your Google services and the information stored there can be exposed. That means it’s extremely important to create a strong password, and to change it after such incidents as the hack that resulted in millions of Gmail passwords being made available on a Russian site a couple of years ago. The good news is that Google now supports multi-factor authentication (which it calls two-step verification), provides security alerts and notifications when suspicious activity is detected, encrypts traffic with SSL, and applies per-file encryption to data at rest. The bad news is that “128-bit or stronger” AES is used; of course AES-128 is less secure than the 256-bit AES used by OneDrive and some of the other services. As with OneDrive, you can use a third-party solution such as Boxcryptor for added protection. Find out more about Google Drive at https://drive.google.com.
  • iCloud – Apple’s cloud storage service now allows you to access your files from a PC (you have to install the iCloud for Windows application), making it a bit more viable as a storage option, but there’s no Android app, so unless you’ve bought into the Apple mobile ecosystem, you’ll probably prefer something a little more universally compatible. Apple encrypts data in transit over the Internet with SSL. They say data at rest on the iCloud Drive (as well as backup data, photos, calendar, contacts, notes and reminders) is encrypted with “a minimum of 128 bit AES.” They do state that they use 256-bit encryption for the Keychain Passwords. Two-factor authentication is offered when you sign in on a new device for the first time. When the device is “trusted,” two-step is no longer required. You can find out more about iCloud security at https://support.apple.com/en-us/HT202303.
  • Amazon Cloud Drive – Amazon Drive comes with Amazon Prime membership (unlimited photo storage and 5GB for other files). You can buy unlimited storage for $59.99 per year. Many non-techie people like it because it has a very simple, user-friendly interface for uploading and downloading. It can be a concern when employees use their own storage services, because there is no encryption of data at rest. Amazon’s policy says “You (the user) are responsible for maintaining appropriate security and protection of your files.” Amazon does, of course, provide SSL encryption of data in transit, and offers two-factor authentication with a code that can be sent via email, text or a phone call.
  • Dropbox – Dropbox boasts “multiple layers of security.” The service encrypts data at rest with 256-bit AES and data in transit with SSL/TLS, and supports multi-factor authentication via SMS texts or a TOTP (Time-based One-Time Password) app. Dropbox’s policy goes a bit further than most in saying that their employees are prohibited from accessing user data except in “rare exceptions” such as when legally required to do so. You can find out more about Dropbox security here: https://www.dropbox.com/security
  • Box – Box focuses on business customers but also has a personal storage option. You can get 10GB free (with a 250MB per-file limit) or pay a monthly fee for the personal pro plan with 100GB (5GB per-file limit). Because their infrastructure is designed for business customers, there is a focus on security with AES-256 and data in transit secured with SSL/TLS. An interesting feature is that you can set expiration dates on shared files so that those to whom you give permissions will only be able to access them for a limited period of time, without any further action from you.

All of the above are cloud storage services, albeit with file-sharing features. Any of these is more appropriate and more secure by default than a file-sharing service such as Docs.com. Make sure your users know the difference.