Cloud computing has made our data more portable than ever before. Cloud service providers store our files on multiple servers, and all we need to access them at any given time is an Internet-enabled device such as a smartphone or tablet. We don’t have to carry around a hard drive anymore just to have our data readily available whenever we need it.
At the same time, we can easily work with a group of people when all members have access to the same files. We no longer have to meet physically when we can put in our contributions to a project from a remote location.
But what is the trade-off for this convenience? Is it security? How safe is our data in the cloud, anyway?
Cloud Service Providers
It’s understandable to feel anxious about the security provisions of cloud service providers. You’re relinquishing control of your information and allowing a third party to manage it, and that’s a big deal. And if the information in question is enterprise data, then that’s all the more reason to be especially careful about moving to the cloud.
Different cloud service providers employ different security measures. Thus, some are more secure than others.
If you plan to transfer enterprise data to the cloud, confirm that your chosen provider has solid provisions for each of the four pillars of security:
Application Security
Because the cloud is essentially a shared resource divided among several users, it’s critical that these subdivisions don’t overlap and compromise the data inside them. Your organization’s account should not be available to another organization, and vice versa. Most cloud service providers protect accounts through authorization systems and multi-level authentication processes. Your organization can select who has authorized access; in turn, the people who are granted authorization need to have their login credentials verified.
Infrastructure Security
Your organization’s enterprise data needs protection in all aspects. A cloud service provider’s data centers should be under tight security 24/7 — think trained guards, electronic surveillance, and alarm systems. These data centers house valuable and confidential data, so their premises should have the same kind of physical security international banks have.
In terms of digital protection, ask if the cloud platform has built-in firewalls and if it provides multi-factor authentication (MFA) to protect the platform’s account settings and resources. In typical multi-factor authentication, the first factor refers to the usual username-password combination, while the second factor refers to a one-time authentication code users will receive on their mobile device.
It’s a good sign if your chosen cloud service provider has an ISO/IEC 27001 certification. This means that its risk management system passed strict ISO/IEC standards encompassing many domains, including but not limited to physical and environmental security, asset management, and access control. Ask for copies of reports produced by third-party auditors to confirm the authenticity of all certifications.
Lastly, look for a cloud service provider that applies redundancy to its resources to ensure uninterrupted service. Copies of your organization’s files should be stored on several servers across different locations, so that even if unexpected downtime or a natural disaster occurs in one area, your enterprise data is still supported by the remaining servers. The same goes for other resources such as power sources and firewalls. No matter what happens, you’ll have secure access to your files anytime you want.
Data Security
Can the cloud service provider of your choice make sure that your organization’s data is safe from external and internal threats in every step of the process? What kind of data encryption during transmission does it apply? Are all points of potential data compromise identified and managed?
Encryption is necessary to keep your enterprise data safe during transmission. Wireless network transmissions should be encrypted via 2048-bit Secure Sockets Layer (SSL). Also, network transmissions between devices using cloud-based services should use strong encryption methods such as Advanced Encryption Standard (AES) with a key size of at least 256 bits.
Even when safely stowed away in storage, enterprise data can still be compromised without encryption. Thus, stored files should also be encrypted with similar encryption methods to keep them safe, even when not in use.
Security Management
A cloud service provider hosts and manages your data, but that doesn’t mean that it has the same kind of access as you do. Administrative controls should be in place so that employees of a cloud service provider can’t tamper with your information. Thorough background checks and strict non-disclosure agreements should also ensure that they won’t even try.
One common assumption organizations make when moving to the cloud is that they are no longer responsible for the prevention of security breaches. They fully rely on the cloud service provider to ensure that their enterprise data is safe.
But in reality, cloud computing security is only as strong as the weakest link. Even the most stringent security measures can be undermined when people use weak passwords, share login credentials, or fall prey to social engineering. One of the biggest threats to data security is still ignorance, and knowledge is the best way to combat it. So when your organization moves to the cloud, get proper training for your staff so that everyone understands their role in protecting data integrity.
—
Convene is a board portal solution that provides enhanced security features for boards to protect confidential data and information. Convene is accredited by major international organizations for its security standards and optimal processes.
Mark is an experienced Cybersecurity Consultant at Convene. He is knowledgeable in aspects of information security and data privacy. Propelled by his commitment to network security, Mark has written extensive guides on cybersecurity best practices and a playbook on improving an organization's IT systems.