The OMI-DB project uses the Dropbox API to upload data directly to the cloud, and Dropbox links are used to share batches of images and data with research groups, rather than sharing via HTTPS. This results in:
- A considerable reduction in the storage requirements at each site, as the anonymised data only needs to be stored at each site for as long as it takes to upload through the Dropbox API.
- The researchers' local server does not need a large storage volume:
  - Using Smart Sync with the cloud-only setting keeps the images in the Dropbox data centre; they are not synchronised to the local disk until requested.
- Sharing of images with third parties is faster and more secure:
  - Downloading over the internet has been shown to be 100 times faster than using hospital DMZ servers.
  - Download links are password protected.
  - Download links can have a time limit.
  - A full audit of who has accessed the data and when can easily be obtained.
- Cost is considerably less than maintaining and upgrading storage servers.
- Backup at the central site is not required, as Dropbox backs up the data.
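The two link controls listed above (a password and a time limit) are settings on the Dropbox shared-link API call. The following is an added example, not OMI-DB project code, showing how the upload and the share would be requested directly against the documented Dropbox HTTP API v2 endpoints; the token, paths and password are placeholders, and the functions return request specifications so they can be inspected before anything is sent.

```python
"""Upload an anonymised batch, then share it via a password-protected,
expiring link, using the Dropbox HTTP API v2 (files/upload and
sharing/create_shared_link_with_settings). Added example; token, paths
and password below are placeholders."""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

API = "https://api.dropboxapi.com/2"
CONTENT = "https://content.dropboxapi.com/2"


def upload_request(token, file_bytes, dropbox_path):
    """Request spec for files/upload (single-call uploads are limited to
    150 MB; larger batches need the upload_session endpoints)."""
    return {
        "url": f"{CONTENT}/files/upload",
        "headers": {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/octet-stream",
            # Arguments travel in a header because the body is the raw file.
            "Dropbox-API-Arg": json.dumps({
                "path": dropbox_path,
                "mode": "add",        # never silently overwrite an existing batch
                "autorename": False,
                "mute": False,
            }),
        },
        "body": file_bytes,
    }


def shared_link_request(token, dropbox_path, password, ttl_days=7):
    """Request spec for sharing/create_shared_link_with_settings with the
    two controls the page lists: password visibility and an expiry date."""
    if not password:
        raise ValueError("a shared link for patient data must have a password")
    if ttl_days <= 0:
        raise ValueError("ttl_days must be positive")
    expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
    settings = {
        "requested_visibility": "password",
        "link_password": password,
        # RFC 3339 timestamp in UTC, the format the API expects.
        "expires": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    return {
        "url": f"{API}/sharing/create_shared_link_with_settings",
        "headers": {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps({"path": dropbox_path, "settings": settings}).encode(),
    }


def send(spec):
    """Perform a request spec and decode the JSON reply (network required)."""
    req = urllib.request.Request(spec["url"], data=spec["body"],
                                 headers=spec["headers"], method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # DROPBOX_TOKEN is a placeholder environment variable holding an OAuth token.
    token = os.environ["DROPBOX_TOKEN"]
    batch = b"constructed sample bytes standing in for an anonymised image"
    print(send(upload_request(token, batch, "/batches/batch-001/sample.dcm")))
    link = send(shared_link_request(token, "/batches/batch-001", "placeholder-passphrase", ttl_days=14))
    print(link["url"])  # distribute the URL and the password over separate channels
```

The password is deliberately never embedded in the link itself; it is sent to the research group separately, and the expiry means a leaked URL stops working after the agreed window.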
Dropbox security practices comply with the most widely accepted standards and regulations like ISO 27001, 27017, 27018 and SOC 1, 2, and 3. More information on Dropbox standards compliance can be found on their compliance web page.
Dropbox Certification
The International Organisation for Standardisation (ISO) has developed a series of world-class standards for information and societal security to help organisations develop reliable and innovative products and services. Dropbox has certified its data centres, systems, applications, people and processes through a series of audits by an independent third party – Netherlands-based EY CertifyPoint.
- ISO 27001 (Information Security Management)
- ISO 27017 (Cloud Security)
- ISO 27018 (Cloud Privacy and Data Protection)
- ISO 22301 (Business Continuity Management)
- UK Digital Marketplace G-Cloud (see listing here)
Data Centre Location
The recommended data centre for this programme is the Frankfurt, Germany (EEA) data centre, which aligns with and complements the strict EEA data protection principles and security requirements.
Dropbox security and architecture
Dropbox is designed with multiple layers of protection, including secure data transfer, encryption, network configuration, and application-level controls distributed across a scalable, secure infrastructure (Figure 1).
Dropbox users can access files and folders at any time from a number of interfaces, including the desktop, web, and mobile clients, or through third-party applications connected to Dropbox. Each has security settings and features that process and protect user data while ensuring ease of access. All of these clients connect to secure servers to provide access to files, allow file sharing with others, and update linked devices when files are added, changed, or deleted.
Figure 1 - Dropbox Security architecture [image retrieved from here]
The Dropbox architecture comprises the following services:
Encryption and application service
This service handles all processing for the Dropbox applications. Each file is split into blocks, and each block is encrypted using a strong cipher. Only blocks that have been modified are synced. When a change is made, new or modified blocks are processed and transferred to the storage service.
Dropbox file data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). To protect data in transit between Dropbox apps (currently desktop, mobile, API, or web) and servers, Dropbox uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption.
Metadata service
Basic information about user data (including file names and types), called metadata, is kept in its own discrete storage service separate from file blocks. This metadata acts as an index for data in users’ accounts, and is shared and replicated as needed to meet performance and high availability requirements.
Storage service
The actual contents of users’ files are stored in encrypted blocks with this service. Each individual encrypted file block is retrieved based on its hash value, and an additional layer of encryption is provided for all file blocks at rest using a strong cipher.
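The block model described under the encryption and storage services (files split into blocks, each block addressed by its hash, only modified blocks transferred) can be reproduced in a few lines. The following is an added illustration, not Dropbox code: it splits a file into fixed-size blocks, names each block by its SHA-256, reports which blocks a new version would have to re-upload, and deduplicates blocks in a toy store. The per-block encryption layer is omitted, and BLOCK_SIZE is reduced from 4 MiB to 16 bytes (an assumption for the demo) so it runs on small inputs; content_hash uses the documented 4 MiB block size.

```python
"""Content-addressed block sync, as an added illustration of the model
described on the page (not Dropbox code)."""
import hashlib

DROPBOX_BLOCK = 4 * 1024 * 1024  # block size used by the Dropbox content_hash
BLOCK_SIZE = 16                  # demo block size (assumption), not Dropbox's


def split_blocks(data, size=BLOCK_SIZE):
    """Fixed-size blocks; the last one may be short."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def block_hashes(data, size=BLOCK_SIZE):
    """Content address for each block: the storage service retrieves a block
    by this hash rather than by file name or offset."""
    return [hashlib.sha256(b).hexdigest() for b in split_blocks(data, size)]


def changed_blocks(old, new, size=BLOCK_SIZE):
    """Indices of blocks that must be transferred for old -> new: blocks whose
    hash differs plus any blocks beyond the old file's length."""
    oh, nh = block_hashes(old, size), block_hashes(new, size)
    return [i for i, h in enumerate(nh) if i >= len(oh) or oh[i] != h]


def content_hash(data):
    """Dropbox content_hash as documented: SHA-256 of the concatenated raw
    SHA-256 digests of each 4 MiB block. Useful for verifying that a
    downloaded batch matches the metadata reported by the API."""
    outer = hashlib.sha256()
    for block in split_blocks(data, DROPBOX_BLOCK):
        outer.update(hashlib.sha256(block).digest())
    return outer.hexdigest()


class BlockStore:
    """Toy stand-in for the storage service: blocks keyed by hash, so a block
    already present (from this file, an earlier version, or another file)
    is never transferred twice."""

    def __init__(self):
        self.blocks = {}

    def upload(self, data, size=BLOCK_SIZE):
        """Store missing blocks only; return how many were actually sent."""
        sent = 0
        for block in split_blocks(data, size):
            h = hashlib.sha256(block).hexdigest()
            if h not in self.blocks:
                self.blocks[h] = block
                sent += 1
        return sent

    def fetch(self, hashes):
        """Reassemble a file from its ordered list of block hashes."""
        return b"".join(self.blocks[h] for h in hashes)


if __name__ == "__main__":
    v1 = b"A" * 16 + b"B" * 16 + b"C" * 16 + b"D" * 16   # constructed 4-block file
    v2 = b"A" * 16 + b"B" * 16 + b"X" * 16 + b"D" * 16   # third block edited
    store = BlockStore()
    print("first upload sent", store.upload(v1), "blocks")
    print("changed blocks:", changed_blocks(v1, v2))
    print("second upload sent", store.upload(v2), "block(s)")
    print("content_hash v2:", content_hash(v2))
```

The same property that makes sync cheap (unchanged blocks are never re-sent) also means a single modified block is the only thing that crosses the network, which is what keeps a site's upload window short after a batch has been corrected.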
Notification service
This is a separate service dedicated to monitoring whether changes have been made to Dropbox accounts. No file data or metadata is stored or transferred here. Instead, clients establish a long-poll connection to this service and wait for a change; when one occurs, the service signals the relevant clients.
Perfect forward secrecy
For endpoints Dropbox controls (desktop and mobile clients) and for modern browsers, Dropbox uses strong ciphers and supports perfect forward secrecy. With perfect forward secrecy, the server's private SSL key cannot be used to decrypt past Internet traffic, which adds extra protection to encrypted communications with Dropbox by essentially disconnecting each session from all previous sessions. Additionally, on the web all authentication cookies are flagged as Secure, and HTTP Strict Transport Security (HSTS) is enabled.
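Each of the transport properties claimed above (a forward-secret cipher suite, Secure authentication cookies, HSTS) is something a site can verify for itself rather than take on trust. The following is an added example, not Dropbox code: it classifies a negotiated cipher suite by whether its key exchange is ephemeral, checks response headers for the HSTS max-age and for cookie flags, and includes a live probe using Python's standard ssl module. The header sample is constructed for the demo, not a captured Dropbox response.

```python
"""Defender-side checks for the transport properties described above.
Added example (not Dropbox code); SAMPLE_HEADERS is constructed."""
import re
import socket
import ssl


def is_forward_secret(cipher_name):
    """True when the suite uses ephemeral (EC)DH key exchange, so the server's
    long-term private key cannot decrypt recorded traffic. TLS 1.3 suites
    (TLS_AES_*, TLS_CHACHA20_*) always do; for TLS 1.2 the suite name
    carries the key-exchange prefix."""
    name = cipher_name.upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    return name.startswith(("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_"))


def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or None if the header is absent."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value, re.I)
            if m:
                return int(m.group(1))
    return None


def cookie_findings(headers):
    """For each Set-Cookie header, list the flags it is missing out of
    Secure and HttpOnly (an empty list means both are present)."""
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip().lower() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        findings[cookie_name] = [f for f in ("secure", "httponly") if f not in parts[1:]]
    return findings


def live_cipher_check(host, port=443):
    """Connect with the platform's default trust store and report the
    negotiated suite, protocol version and whether it is forward secret
    (network required; not run by the offline checks below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
            return {"suite": name, "version": version, "bits": bits,
                    "forward_secret": is_forward_secret(name)}


# Constructed sample response headers, not captured from Dropbox.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "locale=en; Path=/"),
]


if __name__ == "__main__":
    print("HSTS max-age:", hsts_max_age(SAMPLE_HEADERS))
    for cookie, missing in cookie_findings(SAMPLE_HEADERS).items():
        print(f"cookie {cookie}: missing {missing or 'nothing'}")
    for suite in ("TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "AES256-GCM-SHA384"):
        print(suite, "forward secret" if is_forward_secret(suite) else "NOT forward secret")
```

The cookie check flags the constructed `locale` cookie as missing both flags; that is acceptable for a non-sensitive preference cookie, but any cookie that carries a session must come back with an empty finding list. The `bits` value returned by the live probe is the figure to compare against the "128-bit or higher" statement above.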
Find more details about the security architecture here.
Versioning
Currently Dropbox stores the version history for files indefinitely for Business users. For more information please see the Dropbox versioning FAQ.
Additional Information
Dropbox Privacy Impact Assessment - draft : https://www.dropbox.com/s/34upm892svu9a2n/PIA%20Dropbox.pdf?dl=0
General Data Protection Regulation regarding Dropbox: https://www.dropbox.com/s/x6owpfksiuygvak/Dropbox%20GDPR%20Handout%20.pdf?dl=0