How secure is OneDrive? Microsoft’s cloud security explained
If you’re using OneDrive, you’re using Microsoft’s service to upload and share your files in their cloud. In this article, we’ll examine which data protection and security measures Microsoft implements for its cloud service.
Is OneDrive secure?
Microsoft has stated that they use end-to-end encryption with AES 256-bit standard for uploads, downloads and backups.
They also add another layer of security to OneDrive with two-factor authentication and the SSL/TLS encryption standard. Despite offering rather robust data security through good encryption, it’s not possible to completely rule out the possibility of third parties accessing your data. Microsoft does not offer zero-knowledge encryption, giving Microsoft developers and the U.S. government access to data stored in OneDrive, if required.
What is OneDrive?
With OneDrive, you can store and organize your files, documents and other types of data (e.g., contacts, notes, passwords or photos) in Microsoft’s cloud. OneDrive is available for all Windows systems, but you need a Microsoft account to use it. Anyone using Microsoft 365 automatically has access to OneDrive.
You can choose to synchronize your OneDrive files across all your devices or for selected apps and devices only. You can also create automatic backups and collaborate with others on the files by using sharing options. OneDrive has another advantage in that it comes with 5 GB of free cloud storage.
How is OneDrive encrypted?
Detailed information about Microsoft’s security measures for OneDrive can be found on Microsoft’s website. Microsoft emphasizes that for additional data protection and security, end-to-end encryption using the AES-256-bit encryption standard is employed. It would take several billion years to crack an encryption like this, even with a supercomputer. AES 256-bit is an encryption method that is sufficient to protect your data against large-scale brute-force attacks. For additional security and encryption during data transfer between client and server, Microsoft uses the TLS encryption standard as well.
Data access rights in OneDrive
As a OneDrive user, you still have considerable power when determining who can access your OneDrive files. Similar to Google Drive, OneDrive gives you the ability to grant reading, viewing and editing rights to people. You can do this via the Share menu for each of your folders or files. Once you have selected a specific person or group of people, you can provide access to the document via a shareable link or by sending an email. You can edit or delete any of these rights at any time. This way, you always retain control over access rights and determine who can view and edit files.
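One practical check for the sharing rights described above, added here as an example that is not Microsoft’s or this page’s own code: it walks a list of sharing permissions in the shape returned by the Microsoft Graph permissions endpoint for a drive item (the field names are an assumption; the sample data is constructed) and flags links that anyone can open, organization-wide edit links, and links with no expiry, so you can review what you have actually shared.

```python
import json
from datetime import datetime, timezone

# Constructed sample. The shape follows the Microsoft Graph "permission"
# resource for a drive item (assumption); the values are made up.
SAMPLE_PERMISSIONS = json.loads("""
{"value": [
  {"id": "p1", "roles": ["read"],
   "link": {"type": "view", "scope": "anonymous", "webUrl": "https://example.invalid/s/abc"}},
  {"id": "p2", "roles": ["write"],
   "link": {"type": "edit", "scope": "organization", "webUrl": "https://example.invalid/s/def"},
   "expirationDateTime": "2020-01-01T00:00:00Z"},
  {"id": "p3", "roles": ["write"],
   "grantedToV2": {"user": {"displayName": "Alice", "email": "alice@example.invalid"}}},
  {"id": "p4", "roles": ["read"],
   "link": {"type": "view", "scope": "users"},
   "grantedToIdentitiesV2": [{"user": {"email": "bob@example.invalid"}}]}
]}
""")


def audit_permissions(permissions, now=None):
    """Return (permission_id, finding) pairs for sharing entries worth revisiting."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for perm in permissions.get("value", []):
        link = perm.get("link") or {}
        scope = link.get("scope")
        roles = perm.get("roles", [])
        if scope == "anonymous":
            # Anyone holding the URL can open the file without signing in.
            sev = "high" if "write" in roles else "medium"
            findings.append((perm["id"], f"{sev}: anonymous {link.get('type')} link"))
        elif scope == "organization" and "write" in roles:
            # Every signed-in account in the tenant can edit the file.
            findings.append((perm["id"], "medium: org-wide edit link"))
        exp = perm.get("expirationDateTime")
        if exp:
            expires = datetime.fromisoformat(exp.replace("Z", "+00:00"))
            if expires <= now:
                findings.append((perm["id"], "info: expired link still listed"))
        elif scope in ("anonymous", "organization"):
            # Links without an expiry stay valid until someone removes them.
            findings.append((perm["id"], "low: link has no expiration date"))
    return findings


if __name__ == "__main__":
    for pid, finding in audit_permissions(SAMPLE_PERMISSIONS):
        print(pid, finding)
```

Direct grants to named people (p3 and p4 in the sample) are left out of the report on purpose; the point is to surface link-based access that the Share menu makes easy to forget.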
Microsoft emphasizes that a Zero standing access policy applies to its access rights to your data. This means that even technicians may only access your data in exceptional cases, with explicit permission and under heightened security and maintenance requirements. However, there’s an exception in place for U.S. government agencies. Microsoft is obligated to comply with legitimate requests from U.S. authorities and grant access to OneDrive data. Since U.S. laws such as the Cloud Act and the Foreign Intelligence Surveillance Act (FISA) set low thresholds for surveillance and data sharing, there is a risk that U.S. authorities can relatively easily access your OneDrive data.
OneDrive and the Cloud Act
The Cloud Act was passed in 2018 and significantly expands the rights of U.S. authorities to monitor their citizens as well as all companies operating within its borders. U.S. companies like Microsoft are required by law to share data with governmental agencies, even if the data is located on servers abroad. In order to access such data, the U.S. government needs to have a warrant. There are some rare occasions though where a warrant or a subpoena is not required.
These new, wider-reaching surveillance rights have caused concern in Europe. In 2020, the European Court of Justice declared the EU-U.S. Privacy Shield invalid, as the U.S. no longer meets European data protection standards. Previously, the Privacy Shield ensured a secure transfer of data from the EU to the U.S. It has yet to be replaced by any new legislation. Microsoft has certified itself under the EU-US Data Privacy Framework, the successor to the Privacy Shield. However, since this is a self-certification process, it is unclear to what extent users can rely on the company’s assurances.
Certain states such as California (CCPA) and Virginia have passed their own data privacy acts that compel any companies offering services to their residents to comply with their data sovereignty laws in cloud computing. If you live in one of these states, your data is better protected than in states without such laws.
How secure is OneDrive against cyberattacks?
Microsoft generally provides solid and reliable security for cloud storage, similar to Google and Apple. This is especially true if you use OneDrive for personal purposes or to store non-business-critical data.
OneDrive’s security measures against cyberattacks and unauthorized access include:
- Password protection with a secure password
- Two-factor authentication
- AES 256-bit encryption
- TLS encryption
- Zero standing access
- Network protection through isolated networks and firewalls
- Mobile encryption of data with the OneDrive app
- Account recovery (using email, phone number or security question)
- Account notifications for suspicious logins
- Spam filtering for OneDrive mail and virus scanning through Microsoft Defender
- Ransomware protection (with Microsoft 365)
- Personal OneDrive vault
- Highly secure data centers
- Automatic backups
- Synchronization of data with connected devices
- Automatic scanning of uploads for malware or illegal content
- End-to-end encryption for backups, uploads and downloads
Where are OneDrive servers located?
Microsoft hosts their data in data centers in the United States, Asia and the European Union. You can see where your data is hosted in the settings of Microsoft Office 365. The data of OneDrive for Business customers located in the U.S. is hosted in one of four different locations within the U.S. It’s not possible to choose a specific data center for storing your company’s data.
The European Union’s data privacy law, the GDPR, legislates high standards of data privacy and security. Cloud storage providers located in Germany and Switzerland are among the most secure in the world.
Want more protection for your data than provided under U.S. law? Need to be compliant with GDPR requirements in the European Union? HiDrive cloud storage from IONOS is a viable option. Your data will be fully encrypted and stored securely in our certified data centers in the U.S. and Europe. You can also choose the location of the data center to ensure GDPR compliance, if needed.
Is OneDrive compliant with the GDPR?
If you do business in the EU, you need to comply with the GDPR when storing and using customer data. Since OneDrive can transfer data to servers located in the U.S. without the Privacy Shield agreement as well as to servers in non-EU countries, OneDrive is not considered compliant with the GDPR. Furthermore, OneDrive terms and conditions grant Microsoft the right to use stored data, meaning GDPR-compliant data processing is not guaranteed.
According to Microsoft, the storage and processing of OneDrive data takes place in geographically distributed regions and availability zones. However, users cannot determine which specific geographic region their OneDrive servers belong to. Another gray area: Microsoft scans OneDrive uploads, such as documents and photos, for security purposes, including malware detection and illegal content filtering. However, the technical basis for these scans and what happens to the analyzed data remain unclear to users. It is therefore evident that OneDrive does not comply with the GDPR unless companies implement their own protective measures.
Is OneDrive secure for business and compliance?
From a data privacy and compliance standpoint, OneDrive poses several challenges for businesses handling sensitive customer or corporate data. While Microsoft provides robust security measures, businesses using OneDrive must take additional steps to ensure compliance with US and international data protection laws. One key issue is that Microsoft is a US-based company operating global data centers, which means user data may be transferred across international borders. This raises concerns, particularly for organizations handling data regulated by GDPR or other stringent data privacy laws.
Companies that still choose to use OneDrive must include the following details in their privacy policy:
- Why is OneDrive used for data storage?
- What legal basis justifies data storage and processing?
- Has a data processing agreement (DPA) been signed with Microsoft?
- How can users object to data collection and processing?
- Where can Microsoft’s applicable usage and privacy policies be found?
According to Article 28 of the GDPR, companies must sign a data processing agreement (DPA) with Microsoft if they store business-related data in OneDrive. This agreement must define:
- What personal data Microsoft receives
- Why data is shared with Microsoft
- How long Microsoft stores the data
- Which rights, obligations, and liability clauses apply
To use OneDrive in compliance with GDPR and corporate regulations, follow these steps:
- Obtain user consent via opt-in for essential and non-essential cookies.
- Sign a data processing agreement (DPA) with Microsoft.
- Update your privacy policy with clear information about Microsoft’s data processing practices.
- Review Microsoft’s Standard Contractual Clauses (SCCs).
- Document data transfer risks and ensure legal protection against data privacy violations.
What are some alternatives to OneDrive?
If you have concerns about Microsoft’s data privacy measures and are still wondering which cloud service is the most secure, consider comparing cloud providers to find the right one for you.
Some of the most popular cloud providers include:
- IONOS with its secure HiDrive Cloud Storage
- IBM Cloud
- Microsoft Azure
A cloud storage comparison will help you assess the available features and maximize security when looking for OneDrive alternatives.