Dropbox has established an information security management framework describing the purpose, direction, principles and basic rules for how we maintain trust. This is accomplished by assessing risks and continually improving the security, confidentiality, integrity and availability of the Dropbox Business systems. We regularly review and update security policies, provide security training, perform application and network security testing (including penetration testing), monitor compliance with security policies and conduct internal and external risk assessments.
Employee access to the Dropbox environment is maintained by a central directory and authenticated using a combination of strong passwords, passphrase protected SSH keys, two-factor authentication and OTP tokens. Our internal policies require employees accessing production and corporate environments to adhere to best practices for the creation and storage of SSH private keys. Remote access requires the use of VPN protected with two-factor authentication, and any special access is reviewed and vetted by the security team.
Dropbox employs technical access controls and internal policies to prohibit employees from arbitrarily accessing user files and to restrict access to metadata and other information about users’ accounts. As Dropbox becomes an extension of our customers’ infrastructure, they can rest assured that we are responsible custodians of their data.
At Dropbox, we diligently maintain the security of our back-end network. We identify and mitigate risks via regular application, network and other security testing and auditing by both dedicated internal security teams and third-party security specialists.
Our network security and monitoring techniques are designed to provide multiple layers of protection and defence. We employ industry-standard protection techniques, including firewalls, network security monitoring and intrusion detection systems to ensure that only eligible traffic is able to reach our infrastructure. Access to the production environment is restricted to only authorised IP addresses, which are reviewed on a quarterly basis to ensure a secure production environment.
A formal Change Management Policy has been defined by the Dropbox Engineering team to ensure that all application changes have been authorised prior to implementation into the production environments. All changes are stored in a version control system and are required to go through automated Quality Assurance (QA) testing procedures to verify that security requirements are met. Our software development lifecycle (SDLC) requires adherence to secure coding guidelines, as well as screening of code changes for potential security issues via our QA and manual review processes. The Dropbox Security team is responsible for maintaining infrastructure security and ensuring that server, firewall and other security-related configurations are kept up to date with industry standards.
Find more details about our control and visibility features in our Dropbox Business security whitepaper.