Forgive my ignorance, but does Dropbox for Business support client side encryption? Is this something you even care about, or are there some usability barriers that make it not worth your while?
It does not. At least not any more than any other filesystem in a cloud type service. For items which we deem especially sensitive we will place them in an encrypted disk image which is then stored as a file in Dropbox, however it is a very very rare occurrence we deem it necessary to do this. While a compromise at Dropbox is certainly a risk, it is reasonably far down on the list of likely events compared to other risks.
We utilize full disk encryption on all of our machines and MDM type services which allow us to brick/erase a device remotely (now Dropbox for Business has a similar feature which will wipe a remote device if it connects to the server after such a request). We also force on Dropbox's 2FA for all users and every access to a file by a user is logged.
Dropbox also gives us the ability to revert to any version of a file in the event a user makes an unwanted modification (a whoops or something like crypto-ransomware malware).
Obviously there are still risks in this type of setup, but most law firms I have seen have far far riskier setups that have far easier vulnerabilities to exploit if they were a target than Dropbox being compromised. (At least in my opinion).
EDIT: Also, I want to amplify that the information security skills and experience present at any major cloud provider (Google, AWS, Dropbox, Box, etc.) is in a totally different league than anything I have seen at even the huge MegaBigLawFirms. There are very few firms that take information security as seriously as they should and even those do not have the resources of the aforementioned companies. Essentially I trust Google/Dropbox to keep their digital stuff secure more than I would trust any law firm on the planet.
There is one exception to this -- which is some sort of sealed search warrant or national security type letter from a government agency. If there is information you are seeking to protect from an exploit in that realm, then they are certainly vulnerable in that area and you (the law firm) need to implement other precautions to address that vulnerability.
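The post above leans on two controls that are worth seeing in code: every file access is logged, and version history is the fallback against a user (or crypto-ransomware on a user's machine) mangling many files at once. The script below is an added example, not code from the commenter or from Dropbox. It parses a constructed, Dropbox-style activity log (the line format and user names are assumptions) and flags any user whose count of modifying actions inside a short sliding window exceeds a threshold, which is the pattern a ransomware infection on a synced workstation produces. It runs offline with only the standard library.

```python
"""Flag burst file modifications in a Dropbox-style activity log.

Added example (not from the original thread). The log format below is a
constructed stand-in for a file-access audit log: ISO-8601 UTC timestamp,
user, action, path, separated by whitespace.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. "carol" edits twelve files in 22 seconds, which
# is what a synced ransomware run looks like; the others are normal activity.
SAMPLE_LOG = """\
2016-03-01T09:00:01Z alice edit /cases/smith/brief.docx
2016-03-01T09:05:12Z bob view /cases/jones/contract.pdf
2016-03-01T09:30:00Z alice edit /cases/smith/exhibit_a.pdf
2016-03-01T09:45:30Z bob view /cases/jones/retainer.pdf
2016-03-01T09:59:00Z alice edit /cases/smith/brief.docx
2016-03-01T10:00:00Z carol edit /cases/doe/exhibit1.pdf
2016-03-01T10:00:02Z carol edit /cases/doe/exhibit2.pdf
2016-03-01T10:00:04Z carol edit /cases/doe/exhibit3.pdf
2016-03-01T10:00:06Z carol edit /cases/doe/exhibit4.pdf
2016-03-01T10:00:08Z carol edit /cases/doe/exhibit5.pdf
2016-03-01T10:00:10Z carol edit /cases/doe/exhibit6.pdf
2016-03-01T10:00:12Z carol edit /cases/doe/exhibit7.pdf
2016-03-01T10:00:14Z carol edit /cases/doe/exhibit8.pdf
2016-03-01T10:00:16Z carol edit /cases/doe/exhibit9.pdf
2016-03-01T10:00:18Z carol edit /cases/doe/exhibit10.pdf
2016-03-01T10:00:20Z carol edit /cases/doe/exhibit11.pdf
2016-03-01T10:00:22Z carol edit /cases/doe/exhibit12.pdf
2016-03-01T10:30:00Z bob view /cases/jones/contract.pdf
"""

# Actions that change or destroy content; reads are ignored on purpose.
MODIFYING_ACTIONS = ("edit", "delete", "rename")


def parse_log(text):
    """Parse log lines into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, path))
    return events


def find_bursts(events, window=timedelta(seconds=60), threshold=10,
                actions=MODIFYING_ACTIONS):
    """Return (user, window_start, count) for each user whose densest
    `window` of modifying actions holds at least `threshold` events."""
    per_user = defaultdict(list)
    for ts, user, action, _path in events:
        if action in actions:
            per_user[user].append(ts)

    alerts = []
    for user, times in per_user.items():
        times.sort()
        start, best, best_start = 0, 0, None
        # Sliding window: advance `start` until the window fits, then
        # record the densest window seen for this user.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_start = count, times[start]
        if best >= threshold:
            alerts.append((user, best_start, best))
    return alerts


if __name__ == "__main__":
    for user, started, count in find_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {count} modifying actions within 60s starting {started:%Y-%m-%dT%H:%M:%SZ}")
```

On the constructed log this reports only carol. Tuning is the whole job here: a threshold low enough to catch an encryptor that touches a few files per second will also fire on a bulk rename or a matter migration, so in practice the alert should feed a triage step (pause sync for that account, then use version history to roll the affected paths back) rather than an automatic response.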
Hey, thanks for your detailed response. I definitely wasn't implying that not using client-side encryption is obviously a bad decision on your part. I totally buy that the security expertise of Dropbox et al is in a different league to that of most law firms. I'm a security researcher currently working on secure cloud storage and it's very interesting to hear about requirements of real users, especially for an industry as security sensitive as the legal industry.
Regarding the exception you mention, what granularity would you make this distinction at? For example, would you typically just say that all files related to a particular case must be protected from a government agency, or would you divide up the storage of files for particular cases at a finer granularity (e.g. some files for this case can be stored on Dropbox)?
If Dropbox offered a solution with client-side encryption, how much do you think you would be willing to pay for it in terms of cost or performance?