Does GDPR compliance really mean your data is sufficiently protected?
Like most people, you were probably hit with a flood of GDPR-related emails just before the 25th of May, 2018 from pretty much every product or service you’d ever personally or professionally engaged with. And all those providers were earnestly assuring you of the same thing – that they were 100% fully GDPR-compliant.
Now that all the initial excitement around GDPR has died down, you might find yourself wondering whether the underlying issues have actually been solved. Is your personal data now finally safe from hackers? Can data services from big players such as Microsoft and Google now be used without hesitation? Their updated data protection policies (which, let’s face it, nobody has really read) certainly give that impression, but is it true?
One thing is certain – cloud providers such as Google, Microsoft and Dropbox have taken privacy and security measures to ensure they can continue to offer their services in Europe by remaining GDPR compliant. But, particularly when it comes to sensitive company data, a nagging question remains – is the underlying data actually secure, or have these providers simply reassigned responsibility to ensure they’re protected from legal action?
We’ve examined the privacy policies and security measures of the three major cloud providers in order to answer this question. Below you’ll find full explanations of exactly what Google, Microsoft and Dropbox do to protect their customers’ data with services such as G Suite, OneDrive, and Dropbox Business.
Comparison of privacy measures from Dropbox Business, OneDrive for Business and Google Drive in G Suite
Every major cloud provider now offers a technically mature solution with similar security measures. All of them have also implemented formal business continuity plans, and their server infrastructure is set up so that it is highly unlikely data will be lost due to technical failures or environmental issues.
The providers also have a very similar setup when it comes to encryption and access restriction. And they tend to match each other’s progress quickly when it comes to innovation. For example, if Google announces that it’s the first provider to introduce Perfect Forward Secrecy, Dropbox and other major competitors will quickly follow suit.
We’ll now move on to how the most popular cloud providers differ when it comes to handling corporate data.
To decide whether you want to entrust your enterprise data to the big cloud providers, it’s worth examining their business models to understand the rationale behind different offerings.
We’ve broken out the offerings by provider below and you’ll find three key sections in each listing to help you understand how they operate:
Microsoft, Google and Dropbox have a similar basic setup when it comes to encrypting cloud data. All of them encrypt the data at rest (i.e. stored on the servers) with AES at 256-bit. This is currently the most secure, state-of-the-art way of encrypting data.
During data transfer (data in transit), each of the three providers examined uses SSL/TLS encryption, which is likewise a best-practice solution.
OneDrive is Microsoft’s cloud storage service. As a personal user, you automatically get 5GB of storage space at OneDrive simply by using Microsoft services like Skype, Office 365, or email via Outlook.com. OneDrive for Business, by contrast, is intended for commercial use by teams.
In its privacy statement, Microsoft openly admits that data stored in OneDrive is leveraged for analytical purposes:
“Microsoft uses the information we collect to provide you with rich, interactive user experiences. (…) We also use the data for our business, including analysis and performance, compliance with our legal obligations, our workforce, and development.”
Data in the OneDrive cloud is stored in at least two different data centers, with both locations always several hundred kilometers apart in order to ensure redundancy. This keeps data reliably available even in the event of major disasters such as earthquakes.
According to Microsoft, protection against attacks which could be carried out by individuals is ensured as follows:
“Only a limited number of essential personnel can gain access to datacenters. Their identities are verified with multiple factors of authentication including smart cards and biometrics. There are on-premise security officers, motion sensors, and video surveillance. Intrusion detection alerts monitor anomalous activity.”
This is where Microsoft’s cloud distinguishes itself from Google Drive and Dropbox: it uses BitLocker drive encryption in addition to AES-256 encryption of data at rest. Companies should also note that they can secure their keys in Microsoft’s Azure Key Vault:
“Using an Office 365 feature called service encryption with Customer Key, you can upload your own encryption keys to Azure Key Vault, which are used to encrypt your data at rest in Azure data centers.”
Further information on this topic can be found at: docs.microsoft.com/en-en/office365/securitycompliance/controlling-your-data-using-customer-key
This key management solution is technically solid and protects keys from external attacks. A central problem remains, however. Just as with OneDrive, Azure is ultimately a Microsoft product. This means that keys could theoretically be accessed by Microsoft if, for example, they were pressed to do so by government authorities. This problem also exists with Google and Dropbox services.
Google Drive is a cloud solution for home users. Google Drive in the G Suite is designed for commercial use by businesses.
Google’s privacy policy states that data from its existing services is used to develop new ones:
“We use the data collected through our existing services to develop new services. For example, insights into how people organized photos in Picasa, Google’s first photo app, helped us develop Google Photos”.
The data is also often analysed for advertising purposes where it can be used to create a particularly fine-grained advertising profile of users in order to offer the right products at the right time and right place.
“We collect data in order to provide better services to all our users – from basic information such as your language to more complex issues such as advertising that you find particularly useful, the people you deal with most online, or the YouTube videos you find interesting.”
Google emphasizes that all servers and all hardware it uses come from Google itself. This is to ensure the highest possible security standards and controls. Google also offers a white paper providing more detail about the different security layers of the Google infrastructure.
Among other things, this white paper explains how Google protects employees’ devices so that they cannot be used for external attacks, and also describes how it counters targeted phishing attacks on Google employees. An excerpt from the white paper:
“We make a heavy investment in protecting our employees’ devices and credentials from compromise and also in monitoring activity to discover potential compromises or illicit insider activity. This is a critical part of our investment in ensuring that our infrastructure is operated safely.”
As with OneDrive, the emphasis here is on minimizing employee access to servers and data as much as possible. Google goes one step further, however, in stating that its goal is the complete automation of processes – a step which would eventually make human access unnecessary.
In addition to SSL/TLS encryption during data transfer (which OneDrive also uses), there is another protection mechanism that Google was the first to introduce: Perfect Forward Secrecy (PFS).
Put simply, PFS ensures that a server’s long-term private SSL/TLS key cannot be used to recover the session keys of past sessions. Should that private key fall into the wrong hands, it still cannot be used to decrypt traffic that was recorded in the past.
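To make the PFS guarantee concrete, here is an added example (not code from the original article or from any of the providers it discusses) that models two handshakes with X25519 key agreement: one where both sides feed their long-term keys into the key agreement, and one where each side uses a throwaway ephemeral key pair. The server’s long-term key is then “leaked” and an attacker who recorded the handshake tries to rebuild each session key. All keys, the `Party` type and the function names are constructed for this illustration; the long-term keys stand in for a TLS server certificate key, and signing of the ephemeral keys is omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party holds a long-term X25519 key pair, standing in for a server's or
// client's TLS identity key. All keys here are constructed for this example.
type Party struct {
	longTerm *ecdh.PrivateKey
}

func NewParty() *Party {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{longTerm: k}
}

// sessionKey hashes a raw ECDH shared secret into a 256-bit symmetric key
// (a stand-in for the TLS key schedule).
func sessionKey(secret []byte) []byte {
	sum := sha256.Sum256(secret)
	return sum[:]
}

// StaticSession models a handshake without PFS: both sides feed their
// long-term keys into the key agreement, so the session key is a function of
// keys that live for years. It returns the session key and what a passive
// eavesdropper can record from the wire (the client's public key).
func StaticSession(client, server *Party) (key, wire []byte) {
	secret, err := server.longTerm.ECDH(client.longTerm.PublicKey())
	if err != nil {
		panic(err)
	}
	return sessionKey(secret), client.longTerm.PublicKey().Bytes()
}

// EphemeralSession models a PFS handshake: each side generates a throwaway
// key pair for this one session; the long-term keys would only sign the
// ephemeral public keys (signing omitted). The ephemeral private keys are
// discarded when the function returns, so nothing stored can recreate them.
func EphemeralSession(client, server *Party) (key, wire []byte) {
	cEph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sEph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	secret, err := sEph.ECDH(cEph.PublicKey())
	if err != nil {
		panic(err)
	}
	return sessionKey(secret), cEph.PublicKey().Bytes()
}

// RecoverWithLeakedKey is what an attacker can do later, once the server's
// long-term private key has leaked: combine it with the public value recorded
// from the wire and derive a candidate session key.
func RecoverWithLeakedKey(leaked *ecdh.PrivateKey, wire []byte) []byte {
	pub, err := ecdh.X25519().NewPublicKey(wire)
	if err != nil {
		panic(err)
	}
	secret, err := leaked.ECDH(pub)
	if err != nil {
		panic(err)
	}
	return sessionKey(secret)
}

// Demo runs both handshakes, then leaks the server's long-term key and reports
// whether the recorded traffic of each session could now be decrypted.
func Demo() (staticExposed, ephemeralExposed bool) {
	client, server := NewParty(), NewParty()
	sKey, sWire := StaticSession(client, server)
	eKey, eWire := EphemeralSession(client, server)
	leaked := server.longTerm // the later compromise
	staticExposed = bytes.Equal(sKey, RecoverWithLeakedKey(leaked, sWire))
	ephemeralExposed = bytes.Equal(eKey, RecoverWithLeakedKey(leaked, eWire))
	return
}

func main() {
	s, e := Demo()
	fmt.Printf("static handshake exposed after key leak: %v\n", s)    // true
	fmt.Printf("ephemeral handshake exposed after key leak: %v\n", e) // false
}
```

The point the run makes is the one the paragraph states: with the static handshake, the leaked long-term key plus the recorded public value reproduces the old session key exactly, while with ephemeral keys the leaked key yields an unrelated value because the ephemeral private halves no longer exist anywhere.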
Google also offers its own Key Management Service (KMS):
“Files or data structures with customer-created content written by G Suite are subdivided into chunks, each of which is encrypted with its own chunk data encryption key (“chunk key”). Each chunk key is encrypted by another key known as the wrapping key, which is managed by a Google-wide key management service (KMS).”
Note that, as was the case with Microsoft, Google could theoretically access the keys and read stored files, because it operates the KMS itself.
Dropbox is one of the original cloud storage providers and has been offering online storage solutions since 2007. The company has also been offering services to companies since 2011 under the name Dropbox for Teams.
According to the Dropbox Business Agreement (source: dropbox.com/en/privacy#business_agreement), files stored at Dropbox Business are not read or evaluated, but are only accessed for the functionality of the service. However, Dropbox points out that, in the interests of improving overall user experience, all available metadata is analyzed and processed.
Dropbox also offers a security white paper at Dropbox Business which, among other things, describes how business continuity plans are fully tested once a year for weak points in order to ensure full emergency readiness at all times.
Dropbox customers’ data is stored in third-party data centers in the USA (source: link). These third parties are responsible for physical server security, and Dropbox tests these security measures once a year.
Companies with more than 250 users have the option of having their data stored exclusively at European data centres in Frankfurt provided by Amazon Web Services. Files and metadata are stored on separate servers.
Dropbox explains that the encryption keys are stored decentrally:
“The key management infrastructure was developed with operational, technical and procedural security measures with very limited direct access to keys. The keys are generated, exchanged and stored decentrally at distributed locations”.
Users should note that, as with Microsoft and Google, access to the decentrally stored keys by Dropbox itself is potentially possible at any time. And, thus, the stored files can theoretically be read by Dropbox.
It’s common knowledge that, due to the nature of their technical setup, cloud providers can at least theoretically access the data stored in the cloud. While they encrypt user data in transit and at rest, they do not continuously encrypt end-to-end. This means that data can potentially be available at a provider in a decrypted state.
There is also a potential issue with cloud providers such as Microsoft, Google and Dropbox where governments can demand the release of data. Even if the data is encrypted, the provider can access it because they themselves encrypt the data and can therefore decrypt it. Laws such as the CLOUD Act in the USA mean that providers can be obliged to release user data against their will.
Taking all of the above into account, the ideal way to proceed is to ensure separation of encryption and storage. In an ideal scenario, a server management and synchronization professional (the cloud provider) takes care of the storage and availability of the data. An independent encryption professional then takes care of end-to-end encryption separately using the Zero-Knowledge standard. In this way, you can get the best of both worlds and ensure you remain in full control at all times.
With Zero-Knowledge encryption, encryption keys either remain on the user’s device or, if transmission is required, are encrypted before being sent to the encryption provider. This prevents the encryption provider from using the keys to access user data.
Even in the case of requests from authorities, the provider is literally not able to release data or keys. The data never reaches the cloud in an unencrypted state, which in turn means that the cloud provider has no way to access the data.
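The difference between provider-side key management (the chunk-key/wrapping-key scheme from the Google quote above) and the Zero-Knowledge approach described in the last three paragraphs comes down to who holds the wrapping key. The following added example (written for this article, not code from Boxcryptor, Google, Microsoft or Dropbox) implements the same envelope scheme both ways with AES-256-GCM: a file is split into chunks, each chunk gets its own chunk key, and every chunk key is wrapped under a wrapping key. In scenario A the wrapping key is a random key that lives in the provider’s KMS; in scenario B it is derived from a passphrase on the user’s device and only the encrypted object is uploaded. The chunk size, the `StoredObject` layout, the salt and the sample data are all constructed for the illustration, and `DeviceKey` uses plain SHA-256 in place of a real password KDF to stay dependency-free.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// chunkSize is deliberately tiny so a short sample file splits into several chunks.
const chunkSize = 16

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	gcm, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return gcm
}

// seal encrypts plaintext and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or tampered ciphertext fails the GCM tag check.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// randomKey returns a fresh 256-bit key.
func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { panic(err) }
	return k
}

// StoredObject is what lands on the provider's disks: encrypted chunks and, beside each, its wrapped chunk key.
type StoredObject struct {
	Chunks, WrappedKeys [][]byte
}

// Encrypt splits data into chunks, encrypts each under a fresh chunk key and
// wraps every chunk key under wrappingKey (the chunk-key/wrapping-key pattern
// in the Google quote). Whoever holds wrappingKey can recover everything.
func Encrypt(data, wrappingKey []byte) StoredObject {
	var obj StoredObject
	for start := 0; start < len(data); start += chunkSize {
		end := start + chunkSize
		if end > len(data) { end = len(data) }
		chunkKey := randomKey()
		obj.Chunks = append(obj.Chunks, seal(chunkKey, data[start:end]))
		obj.WrappedKeys = append(obj.WrappedKeys, seal(wrappingKey, chunkKey))
	}
	return obj
}

// Decrypt unwraps each chunk key with wrappingKey and reassembles the file.
func Decrypt(obj StoredObject, wrappingKey []byte) ([]byte, error) {
	var out bytes.Buffer
	for i, c := range obj.Chunks {
		chunkKey, err := open(wrappingKey, obj.WrappedKeys[i])
		if err != nil { return nil, fmt.Errorf("chunk %d: cannot unwrap chunk key: %w", i, err) }
		pt, err := open(chunkKey, c)
		if err != nil { return nil, fmt.Errorf("chunk %d: %w", i, err) }
		out.Write(pt)
	}
	return out.Bytes(), nil
}

// DeviceKey derives a wrapping key from a passphrase that never leaves the
// user's device. Plain SHA-256 with a fixed salt stands in for a real password
// KDF (Argon2, PBKDF2) to keep the example dependency-free; not for real use.
func DeviceKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte("constructed-salt:" + passphrase))
	return sum[:]
}

// CanRead reports whether whoever holds key can recover data from obj.
func CanRead(obj StoredObject, key, data []byte) bool {
	pt, err := Decrypt(obj, key)
	return err == nil && bytes.Equal(pt, data)
}

func main() {
	data := []byte("constructed sample: quarterly figures, internal only")
	kmsKey, deviceKey := randomKey(), DeviceKey("correct horse battery staple")
	fmt.Println("provider-side: provider can read:", CanRead(Encrypt(data, kmsKey), kmsKey, data))
	obj := Encrypt(data, deviceKey) // zero-knowledge: key derived on the device, only obj is uploaded
	fmt.Println("zero-knowledge: user:", CanRead(obj, deviceKey, data), "provider:", CanRead(obj, kmsKey, data))
}
```

Both scenarios store exactly the same kind of object, which is why “AES-256 at rest” alone says nothing about who can read the data. In scenario A the provider’s KMS unwraps every chunk key, so a compelled provider can decrypt; in scenario B the provider holds ciphertext and wrapped keys but no wrapping key, and every attempt with a key it does own fails the GCM authentication check.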
All three major clouds offer state-of-the-art encryption and can therefore continue to offer their services in Europe while remaining GDPR compliant. Whether the services provided are actually a sufficient technical and organisational measure (TOM) in the strict sense of GDPR is debatable.
In our opinion they are not, because access by unauthorised third parties is not fully prevented. Only by employing the Zero-Knowledge Standard is your cloud truly and reliably protected against all unauthorised access.
With all that in mind, we recommend you start taking more active control of your cloud by adding an additional layer of security. Boxcryptor is optimized for use with Dropbox, Google Drive, and OneDrive and is ideally suited for both small and large teams. Boxcryptor guarantees that control over your corporate cloud remains completely and exclusively in your hands.