A solid guarantee of the technical compliance of your secure deletion process would certainly be expected if you provide a data storage service in the cloud. Or so you would think.
Yet Dropbox has managed to lose favour with countless users by admitting to accidentally keeping their files and folders for as much as seven years.
It blamed this glitch on a software bug that prevented the files from being fully deleted, but how could such an obvious and critical error occur?
First question: how did Dropbox’s security requirements testing process not find this? A relatively simple test could be written where a tester deletes a user’s files and folders, then programmatically searches Dropbox’s infrastructure to ensure they are gone.
The fact that Dropbox has current ISO 27001, ISO 27017, and ISO 27018 compliance certificates is even more surprising, given the relatively strict requirements around media handling that these standards require.
Moreover, according to its website, it uses third parties to "make sure that our security practices are working as intended".
"Specialists perform periodic penetration and vulnerability tests on Dropbox’s corporate and production environments. Identified issues are prioritised and remediated by our security engineering team. Additionally, third-party auditors evaluate our security practices against international and industry standards," it states.
One of those third parties appears to be Ernst & Young [pdf] in the US, which in a report said Dropbox has procedures in place to ensure it deletes files from its storage services within 60 days.
Clearly not.
Some of these recovered files were reportedly seven years old, which could easily have put users in compromised positions.
Consider this scenario: a consultant was working in a company five years ago that used Dropbox to store and share sensitive files.
On leaving the company, the employer deleted all the files from his Dropbox account to try and limit the exposure of trade secrets leaving with the consultant.
Seven years later, those files suddenly are recovered back into his Dropbox account, thus leaving the company exposed to a potentially serious data breach.
When we put our trust in cloud services companies, we are giving up a lot of the control that we used to have over our IT systems.
And security issues like these can become an existential threat to the ongoing success of a cloud services company - once the trust is lost in your user base, it’s incredibly hard to get it back.
Users can easily vote with their feet, so it’s incumbent on Dropbox to not only gain certification, but to actively and continually test and re-test the security posture of its systems.
It's also on users to push for more transparency from their cloud providers. Ask for certification scoping documents and test reports and if you don’t feel the company has done enough, speak out and ask for more evidence.
Otherwise, when your data is compromised, you'll be wishing you did.
