Warning: TrueCrypt is not secure. See this post for details and information on migrating to Bitlocker or FileVault.

When it comes to storing files in the cloud, there is a lot of fear, uncertainty, and doubt going around. Some of it is even spread by cloud-based software companies who are trying to get a leg up on their competition.

I try to balance security with utility to make sure I protect my client files while enabling me to access those files whenever and wherever I need them. Here’s the gist: Encrypt everything, use Dropbox wisely, use local backup, and backup to the cloud using CrashPlan.

(Learn how to do all these things yourself, by the way. This constitutes basic computer literacy.)

Using TrueCrypt, Dropbox, local backup, and CrashPlan

There are four parts to my client file storage system.

1 First, and most importantly, I use TrueCrypt to encrypt my file system (Bitlocker works fine if you have an Ultimate version of Windows; FileVault works fine if you have a Mac). This secures the contents of my hard drive, which is otherwise nearly as easy to access as a USB drive (those little “thumb drives” everyone carries around).

2 For files I am currently working or that I need regular access to, I use Dropbox so that I can access those files no matter where I am and no matter what computer (or device) I am using. For me, that includes open client files, forms, data files like my QuickBooks file, website files, and a few other items.

Besides being good for security, keeping your Dropbox small will minimize the time it takes Dropbox to index your files on boot. If you have a lot of files, this can bog down your system for quite a while.

If you only ever use one computer and never need to access your files from a gadget or browser, Dropbox is unnecessary. If, like me, you use multiple computers and gadgets, or you like to travel without dragging along an extra bag of tech gear, Dropbox is essential.

3 Everything I don’t need to access regularly is stored in the regular Documents/My Documents folder on my computer. Business archives are on my desktop at the office, and personal archives are on my laptop at home. My archives include closed client files, finances from past years, and anything else I am just storing, rather than using.

4 I use two methods to backup everything, whether it is in my Dropbox folder or not. First, I backup everything nightly to a second hard drive using the regular Windows backup utility. My second hard drive is a second internal hard drive, but you could get an external hard drive, too. Second, I backup everything to CrashPlan. (I use the CrashPlan+ Family Unlimited Plan, which lets me backup unlimited data from up to 10 computers.) This way, I always have a recent backup of all my critical files in at least two separate locations. It would take a lot of disastrous coincidences for me to lose my files.

Don’t use free versions

As a general rule, you should pay for the software and services you use to store client files. That’s because free versions often have different terms, privacy policies, and security levels.

This is definitely true for my cloud backup service of choice, CrashPlan. With the free version, you get only 128-bit encryption. That’s fine — it’s what your bank probably uses — but the paid versions come with a hardcore 448-bit encryption.

With Dropbox, the agreement and services don’t change significantly if you pay for the service (except that Dropbox won’t automatically delete your account if it is inactive for 90 days), but the base plan’s 2 GB of storage won’t last long if you are actually storing files there.

TrueCrypt is an exception. There is no premium version, although you can — and should — contribute to the project to help support it. TrueCrypt is free and open-source software (FOSS), which means the source code is available to anyone. That is a huge advantage when it comes to security software; it doesn’t mean the software is any less secure.

Why Dropbox is (a teeny bit) risky

It’s not that risky, first of all. Dropbox transmits your files over a secure, encrypted connection (although the files themselves are not encrypted before transmission) and stores them encrypted on Dropbox’s servers. Much ado has been made over the fact that some Dropbox employees have the codes necessary to decrypt files. I am not concerned about this, because I am satisfied by Dropbox’s statements on access:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

That’s more assurance than I expect most firms get from their cleaning staff — or their secretaries, for that matter.

However, I no longer recommend just tossing all your files in your Dropbox folder. It’s not really Dropbox’s security I am worried about as much as the size of Dropbox as a “target.” Dropbox stores an enormous amount of information. You’ve got to think it’s a pretty tempting target for malicious hackers.

A couple of years ago, I wasn’t too concerned about “hackers,” which were a threatening idea, but not much of an actual threat. The explosion of malicious hacking and other incidents over the last year or so have  changed that.

Now, I think it is a good idea to minimize the data you store in large, tempting buckets like Dropbox. But I’m not willing to stop using services that are (1) actually quite secure and (2) really useful.

Why CrashPlan is secure

CrashPlan is cloud backup with impressive security. As I mentioned above, the paid versions of CrashPlan use 448-bit encryption, which is pretty hardcore. 128-bit encryption is effectively unbreakable using current technology. 448-bit encryption is unbreakable using any any technology we can imagine for the next couple of decades, at least.

Most importantly, CrashPlan encrypts your files before transmitting them to CrashPlan’s servers, meaning that even if you are backing up from an insecure wireless access point in a coffee shop, your files should be safe from snoopers.

CrashPlan also let’s you set a private password, so that nobody can restore your backups without the password — not even the most-privileged administrator at CrashPlan. That’s about as secure as the cloud (or anything else) gets.

Putting the pieces together

This is a quick blueprint for a sensible approach to securing your files, syncing them across your computers (or sharing them with your co-workers), and backing them up locally and to the cloud. It is a sensible approach to security, but not the most secure.

If you have specific reasons for needing elevated security (you handle IP in highly competitive industries or defend accused terrorists), there are more secure ways to store, sync, and backup your files. Most require some advanced skills. Frequent commenter and LAB member William Chuang is a security hawk who doesn’t like my recommending Dropbox, and if you aren’t intimidated by things like setting up your own file server and VPN, check out his comments on Lawyerist, his posts in the LAB, and his blog. His criticisms are valid; I just don’t think they mean you shouldn’t use Dropbox.

For everyone else (read: pretty much everyone), encrypting your files, keeping “current” files in Dropbox, and backing everything up locally and to CrashPlan will provide very good security, both from malicious hackers, accidents, and disasters.


The Small Firm Scorecard example graphic.

The Small Firm ScorecardTM

Is your law firm structured to succeed in the future?

The practice of law is changing. You need to understand whether your firm is positioned for success in the coming years. Our free Small Firm Scorecard will identify your firm’s strengths and weaknesses in just a few minutes.

Leave a Reply