Is The Cloud Secure?
One of the biggest concerns companies have when considering moving their business to the cloud is privacy and security.
“Will I be able to access my data when I need it?”
“Can I protect my vital company data from hackers or unauthorized users?”
These are the important questions that need to be answered before you shift your business to the cloud.
But the most important step in evaluating the Security Risks of the Cloud is to assess the Security Risks that exist right now within your business. Many business owners will cry, “The Cloud is not secure!” … and later that evening a “bad-guy” will throw a brick through a window and steal their server and all of their back-up disks … Another business owner is uneasy moving to the Cloud, because their data is stored “somewhere else”, while their business data is taken off-site each evening by the office manager. The tape is kept in her purse, sitting on the front seat while at the gas station, or in her shopping cart while shopping … neither of which is a “secure situation”.
Are there Dangers and Risks in moving your business to the Cloud? ABSOLUTELY YES, but there are Dangers and Risks if you don’t move to the Cloud too, and in reality the dangers and risks on the Cloud are much less.
In order for a business to make sense of the issues that surround Security and the Cloud, the business must first understand what needs to be protected and why. The following sections deal with these questions in detail.
First – Assign value to your Assets
(data, operating systems etc.)
One of the first things you should do is identify the critical assets that you are considering hosting in the cloud. These may include applications such as CRM (customer relationship management), data, accounting, private customer information, operating systems and even hosted servers.
It’s important to ask yourself how valuable the assets you are considering moving to the cloud are, and what would happen if you couldn’t access these assets online for an extended period of time. When you assign a value to your assets it is easier to decide what level of security you may need.
Assessing your Liabilities
What happens if your system is breached and you lose sensitive data, or if it is stolen? If the data or info is proprietary to your company, liability is not an issue, but what happens if customer, patient or consumer information is stolen or goes missing? You must realize that if there is a breach and data is lost, it’s not the cloud provider who is on the hook. So it is absolutely critical that you do your due diligence when choosing a cloud provider!
In many industries, health care and banking being great examples, the government along with industry regulations have established security level standards on how electronic data must be handled. In some rare cases, you may not even be allowed to use cloud services, or there may be major restrictions, like not being able to store data in another country.
What is your Risk Tolerance?
It’s a subjective and difficult procedure, but you must take some time and decide how much you’re willing or able to afford, and how much you’re willing to risk. And of course your decision will depend on what your liabilities are, what industry you are in and what assets you need to protect.
Another extremely important consideration for your company is the cost involved in securing your data and assets. The more security controls you currently have on your on-premise network, the more expensive the cloud security you require may be.
How to protect and secure your data on the cloud
Securing your data, whether it is on your Smartphone, workstation, personal PC, on the cloud or traveling between any of those places should be one of your top concerns when choosing a Cloud Provider. You need to make sure that your Cloud provider has all of the systems in place to protect your company.
Encrypting your data
Encryption is the process of transforming data so it cannot be read or accessed without a specific key or password. It is critical that your data be encrypted both when it is traveling in cyberspace … and when it is just sitting in The Cloud.
How is your data being separated from other customers? Are you in a public cloud or private cloud? This is an important question, especially when you realize that your cloud provider has many different customers, and you want to be one hundred percent sure that your data is being kept separate from all of the other customers.
How does your Cloud provider secure their own data?
Understanding how your Cloud provider protects its own data will give you a very good idea of how secure your company will be. What safeguards has the company put in place to prevent unauthorized employees of the cloud company from getting access to your data? What internal procedures and policies do they have in place to protect your data?
Keep in mind that your data is not only vulnerable to online hackers; it must be secure from physical harm as well. What security procedures does your Cloud provider have in place to stop potential thieves from breaking in and walking off with the server that houses all of your data? Does your Cloud provider have 24/7 security and video surveillance, and how does it monitor everyone who has access to the building?
All users must have Proper Authentication
It is critical that all users who have access to your cloud data are authorized and are actually who they say they are. Your Cloud provider must guarantee you that all users accessing your data will go through a security authentication procedure. This procedure includes passwords, unique usernames … and even a digital certificate. Your Cloud provider must also have security measures in place that detect unauthorized users trying to fool the system; this includes things like automatically freezing the account or shutting the user out after too many failed password attempts!
“Two-factor” Authentication is also something you should insist upon. This process requires all users to not only give a secure password, but also answer a security question that is specific to them. The best two-factor process includes a password and then something that the user possesses, like a driver’s license number, ID number or passport number.
Authorization – Accessing only the data that they are authorized to use
Proper authorization means only allowing users to access the data that the company specifies. This not only stops employees from accessing unauthorized data; it can also keep them from editing data or changing applications in any way.
Monitoring and tracking user activity
Who is accessing your data in the cloud, when did they access it, and from what device? Being able to track all of these is critical to protecting your data, and you should only choose a Cloud vendor that can provide you with these tools. For example, if you have multiple employees accessing a single document, who was the last person to edit it, when did they do it and from what device?
Compliance Laws and Industry Standards
What are the legal requirements that you as a company must follow when collecting, processing and storing information within your industry? A great example is the HIPAA mandate, which stands for Health Insurance Portability and Accountability Act. This act strictly limits what can be disclosed about each individual patient and who has access and authorization to these records.
As well, the Rights to Financial Privacy sets strict standards on who has access to personal financial information and in most cases consumers must receive a notice and give authorization before information is released to any third party. Before you hire a Cloud provider be sure to ask them what their compliance standards are, what their experience is with your type of industry, and how they will guarantee that your company follows all compliance laws and standards for your particular industry.
Stuff Happens – Disaster and Business Continuity Planning
Even though major natural disasters happen rarely, there is just no way to be 100% sure you won’t have to go through one … and the truth is, even a relatively small disruption to your business can have devastating consequences to your future! How do you protect your company from these disruptions? The answer lies in The Cloud!
The challenge for small business owners is to surrender direct control of precious data in order to make it more secure!
You can actually find more protection from disaster and loss of data with Cloud Computing. Most companies are very aware of how important it is to back up their data on a regular basis … but following through on this procedure and creating a secure backup plan is a whole other story! If your backup is onsite, you’re just not as secure as you think you are.
With cloud computing, your data resides seamlessly on multiple offsite servers in different locations in the United States (or around the world), and this includes your data and all your applications. If a disaster occurs, your data will be protected and can be accessed quickly.
The 11 security questions you should ask before you hire any Cloud Provider
- How is your data center physically protected?
- Where will my data be stored?
- What encryption techniques do you use?
- How do you authenticate users?
- Which of your employees have access to our data?
- Are you experienced with all compliance laws and standards?
- Who owns the rights to the data?
- Have you had any security breaches in the past?
- What type of reporting and auditing procedures do you offer?
- What type of disaster recovery options do you offer?
- What happens if I decide to terminate our relationship?
Making a smooth exit if necessary
Even with the best intentions of both parties, things happen that could cause you to look for and hire a new Cloud provider. You may even decide you want to go back to an on-premise network. Either way, it is imperative that you can easily and quickly transfer your data from your current provider.
Require the Cloud Provider to give you their procedures on how the transition would happen, how long it will take and what fees, if any, are incurred. And be sure to ask exactly what format the data will be in, so you are assured an easy transition.