Dropbox has established an information security management framework describing the purpose, direction, principles, and basic rules for how we maintain trust. This is accomplished by assessing risks and continually improving the security, confidentiality, integrity, and availability of the Dropbox Business systems. We regularly review and update security policies, provide security training, perform application and network security testing (including penetration testing), monitor compliance with security policies, and conduct internal and external risk assessments.
Employee access to the Dropbox environment is maintained by a central directory and authenticated using a combination of strong passwords, passphrase-protected SSH keys, two-factor authentication, and OTP tokens. Our internal policies require employees accessing production and corporate environments to adhere to best practices for the creation and storage of SSH private keys. Remote access requires the use of a VPN protected with two-factor authentication, and any special access is reviewed and vetted by the security team.
Dropbox employs technical access controls and internal policies to prohibit employees from arbitrarily accessing user files and to restrict access to metadata and other information about users’ accounts. As Dropbox becomes an extension of our customers’ infrastructure, they can rest assured that we are responsible custodians of their data.
Dropbox diligently maintains the security of our back-end network. Dropbox identifies and mitigates risks via regular application, network, and other security testing and auditing by both dedicated internal security teams and third-party security specialists.
Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We employ industry-standard protection techniques, including firewalls, network security monitoring, and intrusion detection systems to ensure only eligible traffic is able to reach our infrastructure. Access to the production environment is restricted to only authorized IP addresses, which are reviewed on a quarterly basis to ensure a secure production environment.
A formal Change Management Policy has been defined by the Dropbox Engineering team to ensure that all application changes have been authorized prior to implementation into the production environments. All changes are stored in a version control system and are required to go through automated Quality Assurance (QA) testing procedures to verify that security requirements are met. Our software development lifecycle (SDLC) requires adherence to secure coding guidelines, as well as screening of code changes for potential security issues via our QA and manual review processes. The Dropbox Security team is responsible for maintaining infrastructure security and ensuring that server, firewall, and other security-related configurations are kept up to date with industry standards.
Find more details about our control and visibility features in our Dropbox Business security whitepaper.