If you’re using OneDrive, you’re using Microsoft’s service to upload and share your files in their cloud. In this article, we’ll examine which data protection and security measures Microsoft implements for its cloud service.

Is OneDrive secure?

Microsoft has stated that they use end-to-end encryption with the AES 256-bit standard for uploads, downloads and backups.

They also add another layer of security to OneDrive with two-factor authentication and the SSL/TLS encryption standard. Despite offering rather robust data security through good encryption, it’s not possible to completely rule out the possibility of third parties accessing your data. Microsoft does not offer zero-knowledge encryption, giving Microsoft developers and the U.S. government access to data stored in OneDrive, if required.


What is OneDrive?

With OneDrive, you can store and organise your files, documents and other types of data (e.g., contacts, notes, passwords or photos) in Microsoft’s cloud. OneDrive is available for all Windows systems, but you need a Microsoft account to use it. Anyone using Microsoft 365 automatically has access to OneDrive.

You can choose to synchronise your OneDrive files across all your devices or for selected apps and devices only. You can also create automatic backups and collaborate with others on the files by using sharing options. OneDrive has another advantage in that it comes with 5 GB of free cloud storage.

How is OneDrive encrypted?

Detailed information about Microsoft’s security measures for OneDrive can be found on Microsoft’s website. Microsoft emphasises that for additional data protection and security, end-to-end encryption using the AES-256-bit encryption standard is employed. It would take several billion years to crack an encryption like this, even with a supercomputer. AES 256-bit is an encryption method that is sufficient to protect your data against large-scale brute-force attacks. For additional security and encryption during data transfer between client and server, Microsoft uses the TLS encryption standard as well.

Data access rights in OneDrive

As a OneDrive user, you still have considerable power when determining who can access your OneDrive files. Similar to Google Drive, OneDrive gives you the ability to grant reading, viewing and editing rights to people. You can do this via the Share menu for each of your folders or files. Once you have selected a specific person or group of people, you can provide access to the document via a shareable link or by sending an email. You can edit or delete any of these rights at any time. This way, you always retain control over access rights and determine who can view and edit files.

Microsoft emphasises that a Zero standing access policy applies to its access rights to your data. This means that even technicians may only access your data in exceptional cases, with explicit permission and under heightened security and maintenance requirements. However, there’s an exception in place for U.S. government agencies. As an American company, Microsoft is obligated to comply with legitimate requests from U.S. authorities and grant access to OneDrive data. Since U.S. laws such as the Cloud Act and the Foreign Intelligence Surveillance Act (FISA) set low thresholds for surveillance and data sharing, there is a risk that U.S. authorities can relatively easily access your OneDrive data.

OneDrive and the Cloud Act

The Cloud Act was passed in 2018 and significantly expands the rights of U.S. authorities to monitor their citizens as well as all companies operating within its borders. U.S. companies like Microsoft are required by law to share data with governmental agencies, even if the data is located on servers abroad. In order to access such data, the U.S. government needs to have a warrant. There are some rare occasions though where a warrant or a subpoena is not required.

These new, wider-reaching surveillance rights have caused concern in Europe. In 2020, the European Court of Justice declared the EU-U.S. Privacy Shield invalid, as the U.S. no longer meets European data protection standards. Previously, the Privacy Shield ensured a secure transfer of data from the EU to the U.S. It has yet to be replaced by any new legislation. Microsoft has certified itself under the EU-US Data Privacy Framework, the successor to the Privacy Shield. However, since this is a self-certification process, it is unclear to what extent users can rely on the company’s assurances.

How secure is OneDrive against cyberattacks?

Microsoft generally provides solid and reliable security for cloud storage, similar to Google and Apple. This is especially true if you use OneDrive for personal purposes or to store non-business-critical data.

OneDrive’s security measures against cyberattacks and unauthorised access include:

  • Password protection with a secure password
  • Two-factor authentication
  • AES 256-bit encryption
  • TLS encryption
  • Zero standing access
  • Network protection through isolated networks and firewalls
  • Mobile encryption of data with the OneDrive app
  • Account recovery (using email, phone number or security question)
  • Account notifications for suspicious logins
  • Spam filtering for OneDrive mail and virus scanning through Microsoft Defender
  • Ransomware protection (with Microsoft 365)
  • Personal OneDrive vault
  • Highly secure data centres
  • Automatic backups
  • Synchronisation of data with connected devices
  • Automatically scanning updates for malware or illegal content
  • End-to-end encryption for backups, uploads and downloads

Where are OneDrive servers located?

Microsoft hosts their data in data centres in the United States, Asia and the European Union. You can see where your data is hosted in the settings of Microsoft Office 365. It’s not possible to choose a specific data centre for storing your company’s data.

The European Union’s data privacy law, the GDPR, sets high standards for data privacy and security. Cloud storage providers located in Germany and Switzerland are among the most secure in the world.

Tip

Want more protection for your data than provided under U.S. law? Need to be compliant with GDPR requirements in the European Union? HiDrive cloud storage from IONOS is a viable option. Your data will be fully encrypted and stored securely in our certified data centres in Europe. You can also choose the location of the data centre to ensure GDPR compliance, if needed.

Is OneDrive compliant with the GDPR?

If you do business in the EU, you need to comply with the GDPR when storing and using customer data. Since OneDrive can transfer data to servers located in the U.S. without the Privacy Shield agreement as well as to servers in non-EU countries, OneDrive is not considered compliant with the GDPR. Furthermore, OneDrive terms and conditions grant Microsoft the right to use stored data, meaning GDPR-compliant data processing is not guaranteed.

According to Microsoft, the storage and processing of OneDrive data takes place in geographically distributed regions and availability zones. However, users cannot determine which specific geographic region their OneDrive servers belong to. Another grey area: Microsoft scans OneDrive uploads, such as documents and photos, for security purposes, including malware detection and illegal content filtering. However, the technical basis for these scans and what happens to the analysed data remain unclear to users. It is therefore evident that OneDrive does not comply with the GDPR unless companies implement their own protective measures.

Is OneDrive secure for business and compliance?

From a data privacy and compliance standpoint, OneDrive poses several challenges for businesses handling sensitive customer or corporate data. While Microsoft provides robust security measures, businesses using OneDrive must take additional steps to ensure compliance with US and international data protection laws. One key issue is that Microsoft is a US-based company operating global data centres, which means user data may be transferred across international borders. This raises concerns, particularly for organisations handling data regulated by GDPR or other stringent data privacy laws.

Companies that still choose to use OneDrive must answer the following questions in their privacy policy:

  • Why is OneDrive used for data storage?
  • What legal basis justifies data storage and processing?
  • Has a data processing agreement (DPA) been signed with Microsoft?
  • How can users object to data collection and processing?
  • Where can Microsoft’s applicable usage and privacy policies be found?

According to Article 28 of the GDPR, companies must sign a data processing agreement (DPA) with Microsoft if they store business-related data in OneDrive. This agreement must define:

  • What personal data Microsoft receives
  • Why data is shared with Microsoft
  • How long Microsoft stores the data
  • Which rights, obligations, and liability clauses apply

To use OneDrive in compliance with GDPR and corporate regulations, follow these steps:

  • Obtain user consent via opt-in for essential and non-essential cookies.
  • Sign a data processing agreement (DPA) with Microsoft.
  • Update your privacy policy with clear information about Microsoft’s data processing practices.
  • Review Microsoft’s Standard Contractual Clauses (SCCs).
  • Document data transfer risks and ensure legal protection against data privacy violations.

What are some alternatives to OneDrive?

If you have concerns about Microsoft’s data privacy measures and are still wondering which cloud service is the most secure, consider comparing cloud providers to find the right one for you.

Some of the most popular cloud providers include:

  • IONOS with its secure HiDrive Cloud Storage
  • IBM Cloud
  • Microsoft Azure

A cloud storage comparison will help you assess the available features and maximise security when looking for OneDrive alternatives.
