Terry D EA Posted June 20, 2023

Seeking opinions regarding MS One Drive. Is this a safe and secure way to store client data, backups of files, etc.? There are times that I travel to my client's place of business and having access to spreadsheets and other data without having to use a thumb drive. Seems like One Drive would save time. I have DropBox as well and wonder which one is really better.

Randall Posted June 20, 2023

I can't speak for the safety of client info. I haven't used it for client info but then I don't go to client offices anymore. I do use it for some personal info, spreadsheets tracking my spending and other things. But there is no info like SSNs or account numbers out there. I use the One Note app for some personal things too, but usually just putting in quotes from things I read to have them available for recall.

Lee B Posted June 20, 2023

Unless you are a cyber security professional, it's impossible to know what is secure anymore. All of the large businesses and government agencies that were hacked this month failed to keep their software updated. They were all using an outdated version of some File Transfer Software called MoveIt which allowed the Russian Hacker Group to access their important data. Even then they should have had multiple layers of encryption. Just because the software you're using hasn't been hacked yet doesn't mean it's secure.

Lee B Posted June 20, 2023

"In early June, sporadic but serious service disruptions plagued Microsoft’s flagship office suite — including the Outlook email and OneDrive file-sharing apps — and cloud computing platform. A shadowy hacktivist group claimed responsibility, saying it flooded the sites with junk traffic in distributed denial-of-service attacks. Initially reticent to name the cause, Microsoft has now disclosed that DDoS attacks by the murky upstart were indeed to blame."

"On June 8, the computer security news site BleepingComputer.com reported that cloud-based OneDrive file-hosting was down globally for a time."

Terry D EA (Author) Posted June 21, 2023

Thanks cbslee. Your comment pretty much answers my concern. So, no sensitive data of any kind on OneDrive. I guess if I use anything at all it will be DropBox. I have always felt Microsoft does too much snooping. I'll continue with all the sensitive stuff on an external device in my office. I know the only method of security is two machines. One that contains all the sensitive data, and is used to prepare returns among other client related functions, and stays offline until it is time to transmit. I mean completely unplugged from the internet. The second computer would be used for research and other work. It's just plain crazy.

Lee B Posted June 21, 2023

Unfortunately, it's the messed up reality that we are living in now.

Lion EA Posted June 21, 2023

My husband is music director at a church that uses DropBox, but never for sensitive data. He got a message yesterday from Norton (maybe, whatever he has for security on his desktop here at home) that his DropBox password has been compromised. It's the same for all 3 church employees (him, admin, priest) but never any PII. They use it to send the bulletins to each other for proofreading, that kind of thing. I won't use DropBox for my biz.

DBerg Posted June 21, 2023

I have been using OneDrive for about two years to back up files. Every storage option has its faults and most of it starts with how good is your password to access the account. If you re-use passwords then the likelihood of your data being compromised goes up. OneDrive also has a feature called Personal Vault: https://support.microsoft.com/en-us/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4?ui=en-us&rs=en-us&ad=us

My suggestion is no matter what you decide (google One, one drive, icloud, AWS, dropbox, etc) use a strong password or phrase, one that you have never used before. Then enable multi-factor authentication (if possible, with an authenticator app if they allow it). Don't save passwords in your browser (chrome, firefox, or ms edge). I still keep a book of passwords (is this the best, probably not, but considering LastPass and others like it have been hacked or had issues over the past year, I figure this is the best way to keep my data secure).

Medlin Software, Dennis Posted June 21, 2023

Self encrypt the data before upload is also a good step. Then, if the storage itself is accessed, your data remains unusable unless someone also breaks your encryption. Try to be just a little more secure than your neighbors and the baddies will pass you for the easy score.

Pacun Posted June 23, 2023

I will only say this: Onedrive is more secured than your computer.

Medlin Software, Dennis Posted June 23, 2023

25 minutes ago, Pacun said:
> I will only say this: Onedrive is more secured than your computer.

Likely true. But, the current hardware security, including bitlocker and similar, when used, is darn good enough for normal use.

Pacun Posted July 12, 2023

On 6/22/2023 at 10:16 PM, Medlin Software, Dennis said:
> Likely true. But, the current hardware security, including bitlocker and similar, when used, is darn good enough for normal use.

Likely true. But what's the percentage of preparers using bitlocker? My point is that if most of the companies and the government are trusting onedrive, it must mean something.

Medlin Software, Dennis Posted July 12, 2023

2 hours ago, Pacun said:
> Likely true. But what's the percentage of preparers using bitlocker? My point is that if most of the companies and the government are trusting onedrive, it must mean something.

User count has no correlation to safety. In fact, the more popular a storage method is, the more likely the baddies and script kiddies are looking at it.

Lee B Posted July 12, 2023

"Last month, U.S. government safeguards identified an intrusion in Microsoft's cloud security, which affected unclassified systems. Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service," wrote Adam Hodge, the acting senior director for press at the White House's National Security Council, in a statement. "We continue to hold the procurement providers of the U.S. Government to a high security threshold.

Tech giant Microsoft disclosed on Tuesday evening that it discovered a group of Chinese hackers had broken into some of its customers' email systems to gather intelligence."

Pacun Posted July 15, 2023

That was espionage and 25 companies were affected. No matter where your data resides, if one of your employees hands its password or ways to infiltrate your company, this will happen. As long as there are users with less brain than the scammers, these problems will exist.

Medlin Software, Dennis Posted July 15, 2023

Access to the stored data is a known risk. The safety is in self encrypting before storing the data. Some of the backup companies claim they encrypt with no access to the key, but just in case, self encrypt.

Medlin Software, Dennis Posted July 26, 2023

After some reflection, and yet another issue with a customer not remembering their password, I am removing the application level password capability from my software.

Why? Because real security is controlling access itself. Lock up the computer. Hardware access control. Operating system access control. Access control keys, recovery keys stored off site under lock and key themselves.

In my customers' cases, the complaint will inevitably be when the owner wants to have secure data on a computer they let their employees access. It will be interesting to see the customer feedback, and arguments against. The #1 will likely be "I cannot afford a separate computer", which is tough to sell to me, since a modest computer can be had for much less than a year of data breach insurance. Plus the number of customers who install a "second" copy on a different computer for "travel, home use, etc.".

One good point was to add 2FA. But that comes at a cost (internet access at all times, and a cost per access), which is still fallible (email spoofing, stolen phone number, lost, stolen, or borrowed phones).

---

When I added the application level password, we were in the days of Windows 3.1, and there was no real security in the hardware and OS, and most did not want to pay for the access control applications of the end of the last century. Now, it is tough to get a computer without hardware control and the OS having access control as well.