Dream Firms Talks 09/2023

09/08/2023

Topic: Cloud Storage Security Review

Basic Security
• 12-character minimum for all passwords.
  o Anything 8 characters or fewer is vulnerable to immediate brute-force attacks.
  o Complexity – must include:
    ▪ Upper-case characters (ASDF…)
    ▪ Lower-case characters (asdf…)
    ▪ Numbers (1234…)
    ▪ Symbols (!#$%…)
  o Last changed – best practice is to change passwords at least twice a year.
• Businesses should use premium business versions of anti-malware software.
  o Premium version on every work system.
  o BitDefender or Malwarebytes are both good options.
  o Make sure it is updated regularly.
• Don’t use Gmail as your business email. Businesses should have their own domain.
• Employee training at least twice yearly is a very important part of your cyber security plan.
• Monitor your internal networks and systems for alerts and changes.
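As an added illustration of the password rules above (this is example code written for this page, not something from the talk or from any of the vendors discussed), the script below checks a password against the three stated rules and estimates how much larger the brute-force search space becomes when going from 8 to 12 characters. The 183-day limit is an assumption standing in for "twice a year", and the sample passwords and dates are constructed.

```python
"""Password-policy check for the talk's rules, plus a brute-force keyspace estimate.

Added example. The rules (12-character minimum, four character classes,
change at least twice a year) come from the talk; the 183-day threshold
and the sample passwords are constructed for illustration.
"""
import math
import string
from datetime import date

MIN_LENGTH = 12      # "12 character minimum for all passwords"
MAX_AGE_DAYS = 183   # "change at least twice a year" (assumption: half a year)
SYMBOLS = set(string.punctuation)

# Alphabet size each class contributes to an exhaustive search.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": len(SYMBOLS)}


def character_classes(password: str) -> dict:
    """Report which of the four required character classes appear."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }


def policy_violations(password: str, last_changed: str, today: str) -> list:
    """Return human-readable violations; an empty list means the password complies.

    Dates are ISO strings (YYYY-MM-DD) so the check can be run over an
    export of 'last changed' timestamps.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, present in character_classes(password).items() if not present]
    if missing:
        violations.append("missing character class(es): " + ", ".join(missing))
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age > MAX_AGE_DAYS:
        violations.append(f"last changed {age} days ago (limit {MAX_AGE_DAYS})")
    return violations


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of candidates an exhaustive search must cover
    for a password of this length drawn from alphabet_size characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    today = "2023-09-08"
    samples = [  # constructed
        ("Summer2024!!Firm", "2023-06-01"),
        ("Tr0ub4dor&3", "2023-06-01"),
        ("correcthorsebatterystaple", "2023-01-15"),
    ]
    for pw, changed in samples:
        print(f"{pw!r}: {policy_violations(pw, changed, today) or 'OK'}")
    full = sum(CLASS_SIZES.values())  # 94 printable ASCII characters
    print(f"8 chars from {full} symbols: {keyspace_bits(8, full):.1f} bits; "
          f"12 chars: {keyspace_bits(12, full):.1f} bits")
```

The keyspace figure is the point of the 12-character rule: every extra character from the full 94-symbol alphabet multiplies the attacker's work by 94, so four extra characters add roughly 26 bits, well beyond what the complexity rule alone buys.
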
Cloud File Storage
• A service, frequently included with productivity suites, that facilitates file storage, remote access and collaboration.
  o OneDrive – included with Microsoft Office 365
  o Google Drive – included with every Google account and with Google Workspace
  o Dropbox – stand-alone; not aligned with a productivity suite
• As of 2022, more than 60% of all corporate data is stored in the cloud.
• We will be focusing on the Enterprise/Business paid tier of these services.
  o The free versions of this software are considerably less secure, i.e. no ability to lock down user permissions, no suspicious activity monitoring, etc.

OneDrive
• OneDrive is a cloud-based file sharing platform offered by Microsoft that allows users to store and share data.
  o As of 2022, Microsoft OneDrive is one of the most popular cloud storage platforms.
  o OneDrive offers some protection features for personal and enterprise users. These features help reduce the risk of cyberthreats, minimize data loss and give you control over your files.

• Security Features
  o Ransomware Detection – alerted when detected – monitoring
  o Suspicious Activity Monitoring – sign-in blocked and alerted when detected – prevention
  o Data Encryption – at rest and in transit
    ▪ Disk-level encryption using an AES-256 encryption key
    ▪ Transport Layer Security (TLS) for communication between users and the data center – requires an HTTPS connection
    ▪ Connections that do not use HTTPS are still accepted, but this breaks the transport security.
  o Access Control
    ▪ Files and folders can be shared with specific users, and you can define the role of each user.
    ▪ Password-protected files stay secured by requiring a password to access them.
    ▪ Expiring links allow you to set an expiration date on the links you share with other users.
  o Data Recovery and Durability
    ▪ Data is mirrored into at least two different Azure regions.
    ▪ Version history – you can restore a previous version of a file if you happen to delete it or write unwanted changes to it.
    ▪ Ransomware recovery – OneDrive for Business allows you to recover individual files or restore your entire OneDrive for up to 30 days following a ransomware attack.

• Security Flaws
  o Generally minimal if configured and administered correctly.
  o Delayed threat response – threat notifications can go unnoticed and be left unattended, allowing the threat to evolve into a more serious and widespread problem.
  o The encryption key stays with Microsoft, giving them the ability to access your files (privacy flaw).
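All three platforms in this review offer expiring share links. To show what such a link has to guarantee (that whoever holds the link cannot simply push the expiry date out), here is an added, illustrative implementation that is not OneDrive's, Google's or Dropbox's own code: the file id and expiry are carried in the link and bound together by an HMAC-SHA256 signature under a server-side key, so a changed expiry fails verification. `SERVER_SECRET`, the URL prefix and the file ids are constructed for the example.

```python
"""Illustrative expiring share link: an HMAC-signed token carrying file id + expiry.

Added example; not any vendor's implementation. SERVER_SECRET, BASE_URL and
the file ids are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-example-key-replace-in-real-use"  # assumption: held server-side only
BASE_URL = "https://files.example.invalid/s/"                  # constructed


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding; it never contains '.', so '.' can separate fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_share_link(file_id: str, expires_at: int) -> str:
    """Build a link whose expiry (Unix time) is bound to the file id by the signature."""
    payload = json.dumps({"f": file_id, "exp": expires_at},
                         separators=(",", ":"), sort_keys=True).encode()
    signature = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{BASE_URL}{_b64(payload)}.{_b64(signature)}"


def validate_share_link(link: str, now: int) -> tuple:
    """Return (True, file_id) if the link is genuine and unexpired, else (False, reason)."""
    token = link.rsplit("/", 1)[-1]
    try:
        payload_b64, signature_b64 = token.split(".")
        payload = _unb64(payload_b64)
        signature = _unb64(signature_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    # Check the signature before trusting anything in the payload; constant-time compare.
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    data = json.loads(payload)
    if now >= data["exp"]:
        return False, "expired"
    return True, data["f"]


if __name__ == "__main__":
    link = make_share_link("doc-42", 1_700_000_000)
    print(link)
    print(validate_share_link(link, now=1_699_999_999))  # genuine, not yet expired
    print(validate_share_link(link, now=1_700_000_000))  # expired
```

The order of checks matters: the signature is verified before the payload is parsed, so neither the expiry nor the file id is ever read from an unauthenticated token. Because the server keeps the only copy of the key, revoking all outstanding links is as simple as rotating it.
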

Google Drive
• Google Drive is a cloud-based file sharing platform offered by Google.
• One of the most used productivity and collaboration suites in the cloud.
• Security Features
  o Data Encryption – at rest and in transit
    ▪ AES-256 encryption at rest and AES-128 encryption while in transit
    ▪ Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for communication between users and the data center – requires an HTTPS connection
  o Access Control
    ▪ File and folder access can be controlled using trust rules and shared with specific users.
    ▪ Password-protected files stay secured by requiring a password to access them.
    ▪ Expiring links allow you to set an expiration date on the links you share with other users.
  o Data Recovery
    ▪ File versioning up to 30 days or 100 versions – recover accidentally deleted or edited files.

• Security Flaws
  o Encryption keys are stored on Google servers, which may allow third-party access in a breach.
    ▪ Hackers and Google staff could access your files.
  o Requires an admin to monitor logs to reveal breach attempts.
  o Default data privacy – may not be strong enough for your firm.

Dropbox
• Dropbox is one of the original stand-alone cloud-based file sharing platforms.
  o Over 700 million registered users.
  o Offers tools that integrate with Google Docs and Microsoft Word.
• Security Features
  o Data Encryption – at rest and in transit
    ▪ AES-256 encryption at rest and AES-128 encryption while in transit
    ▪ Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for communication between users and the data center – requires an HTTPS connection
    ▪ Files are split into blocks; each block is encrypted and then stored.
  o Access Control
    ▪ Files and folders can be shared with specific users.
    ▪ Password-protected files stay secured by requiring a password to access them.
    ▪ Expiring links allow you to set an expiration date on the links you share with other users.
  o Data Recovery
    ▪ File versioning with Dropbox Rewind – recover accidentally deleted or edited files.
  o Security Add-On – included in Dropbox Advanced and Dropbox Enterprise
    ▪ Ransomware Detection – detects suspicious activity – shown on the admin console
    ▪ Data Classification – assists in compliance – automatically identifies and tags PII and allows tracking and reporting of PII in your accounts
    ▪ Security Alerts – admins can configure email notifications when suspicious behavior, risky activity and potential data leaks are detected

• Security Flaws
  o Encryption keys are stored on Dropbox servers, which may allow third-party access in a breach.
    ▪ Hackers and Dropbox staff could access your files.
  o Integration with Word and Google Docs lowers overall security, because the connection to those services must be allowed.
  o Requires an admin to monitor logs to reveal breach attempts.

Common Mistakes – All Platforms
• Weak Credential Management
  o Weak and/or re-used passwords
    ▪ If you’d like more information, our last presentation covered Password Management. We’ll paste the link to our blog, where you can read the transcripts from each CyberFriday Talk.
  o Lack of access controls
    ▪ Shared files left open to edit by all.
    ▪ No individual folder security – all users can access all files.
  o No off-boarding procedure to revoke rights when employees leave.
    ▪ Inactive users must be shut down manually.
• Outdated operating systems and applications
• Unsecured use through public Wi-Fi
  o Should have a policy against using public Wi-Fi on any device that connects to the corporate network.

Best Practices – All Platforms
• Credential Management
  o Use strong passwords.
  o Use 2FA – two-factor authentication.
  o Set up access permissions and privileges.
    ▪ Assign specific permissions for different users and monitor access logs.
    ▪ Limit access to confidential data by granting only the necessary permissions for specific roles.
  o Avoid storing passwords, payment data and other critical files on your file sharing platform, especially in shared folders.
  o Administrators should use regular accounts when sending emails, editing documents or sharing files rather than their admin accounts.
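Three of the points above (the missing off-boarding step that leaves inactive accounts alive, the advice to monitor access logs, and the advice that administrators use regular accounts for routine work) can be turned into a periodic review of the platform's audit export. The script below is an added example written for this page, not a vendor tool: its log format (`timestamp user role action result ip`) and every record in it are constructed, and the 90-day inactivity window and five-failure threshold are assumptions a firm would tune to its own policy.

```python
"""Review constructed cloud-storage audit events for: stale accounts that
off-boarding missed, repeated failed sign-ins, and admin accounts doing routine work.

Added example. The log format (timestamp user role action result ip) and all
records are constructed; no vendor's real export format is implied.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed audit export. 'dave' last signed in months ago; 'bob' has a burst of
# failed sign-ins from an unfamiliar address; 'admin-carol' edits and mails as admin.
SAMPLE_LOG = """\
2023-05-20T11:00:00Z dave user SignIn success 203.0.113.30
2023-09-01T08:02:11Z alice user SignIn success 203.0.113.10
2023-09-01T08:05:40Z alice user FileEdit success 203.0.113.10
2023-09-01T09:15:02Z bob user SignIn success 203.0.113.22
2023-09-02T22:10:01Z bob user SignIn failure 198.51.100.7
2023-09-02T22:10:09Z bob user SignIn failure 198.51.100.7
2023-09-02T22:10:17Z bob user SignIn failure 198.51.100.7
2023-09-02T22:10:25Z bob user SignIn failure 198.51.100.7
2023-09-02T22:10:33Z bob user SignIn failure 198.51.100.7
2023-09-03T10:00:00Z admin-carol admin SignIn success 203.0.113.10
2023-09-03T10:01:00Z admin-carol admin FileEdit success 203.0.113.10
2023-09-03T10:02:00Z admin-carol admin SendMail success 203.0.113.10
2023-09-04T07:59:50Z alice user SignIn failure 203.0.113.10
2023-09-04T08:00:05Z alice user SignIn success 203.0.113.10
"""

# Constructed account directory; 'erin' exists but has never signed in.
KNOWN_USERS = ["alice", "bob", "admin-carol", "dave", "erin"]

# Day-to-day actions that should come from a regular account, not an admin one.
ROUTINE_ACTIONS = {"FileEdit", "SendMail", "FileShare"}


def _ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_log(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, result, ip = line.split()
        events.append({"ts": _ts(ts), "user": user, "role": role,
                       "action": action, "result": result, "ip": ip})
    return events


def inactive_accounts(events, known_users, as_of: str, days: int = 90) -> list:
    """Accounts with no successful sign-in within `days` of `as_of`, including never."""
    last_seen = {}
    for e in events:
        if e["action"] == "SignIn" and e["result"] == "success":
            last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    cutoff = _ts(as_of) - timedelta(days=days)
    return sorted(u for u in known_users if u not in last_seen or last_seen[u] < cutoff)


def brute_force_candidates(events, threshold: int = 5) -> list:
    """Users with at least `threshold` failed sign-ins in the window reviewed."""
    failures = Counter(e["user"] for e in events
                       if e["action"] == "SignIn" and e["result"] == "failure")
    return sorted(u for u, n in failures.items() if n >= threshold)


def admin_routine_activity(events) -> list:
    """(user, action) pairs where an admin account performed routine work."""
    return [(e["user"], e["action"]) for e in events
            if e["role"] == "admin" and e["action"] in ROUTINE_ACTIONS]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("inactive (disable or off-board):", inactive_accounts(evts, KNOWN_USERS, "2023-09-08T00:00:00Z"))
    print("repeated failed sign-ins:", brute_force_candidates(evts))
    print("admin accounts doing routine work:", admin_routine_activity(evts))
```

The inactive-account check compares the directory against the log rather than the log against itself; that is what catches an account like `erin` that was provisioned and never used, which a log-only review would never see.
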

• Use a hotspot when traveling.
  o Use a VPN if you must use public Wi-Fi.
• Install a third-party backup solution.
  o The built-in file sharing security tools do not provide comprehensive protection and do not guarantee recoverability.
  o Cloud file storage is a file sharing platform and should not be your backup solution. These services are designed to facilitate collaboration and productivity and were never intended as a secure file backup solution. We strongly recommend adding a reliable off-site backup solution.

• Install security patches and updates.
  o Helps avoid security gaps and software vulnerabilities.

Summary
• Shared Responsibility Model
  o The cloud vendor is responsible for the security of their systems.
  o The client is responsible for the security and configuration of their accounts and data.
• Humans are once again the weak link in security.
• All three applications are reasonably secure IF:
  o Configured and administered correctly
  o Used for their intended purpose only
  o Strong passwords are used
• None of the three (Google Drive, Dropbox, OneDrive) guarantee privacy or full data recovery.
  o We recommend you do not store critical or sensitive files on these services.
• Only the Enterprise/Business level applications should be used within your company.
  o NO personal accounts should be used.
    ▪ They don’t have the same level of security.
    ▪ They don’t allow team administration.
    ▪ Personal files should never be mixed with business files.
