Keep Your Data in the Cloud Safe
The cloud is everywhere, anywhere and nowhere, and it’s getting harder to prevent people from using unsecure commercial cloud services. It’s time to get on board! Here are some tips on how to keep your data in the cloud safe.
Set Policy: The first step to cloud management is ensuring your organization has a clear policy regarding cloud computing as part of your overall set of information security policies.
The cloud computing policy should:
- Insist that terms and conditions be reviewed appropriately
- Comply with the firm’s acceptable use policy
- Adhere to any laws and regulations
The policy should also include a list of preapproved cloud services. Blocking all cloud services won’t work: Clients often share files using cloud storage platforms, and marketing teams utilize social media, for instance. While there is merit to only giving specific groups access to cloud services, this adds management complexity. And blocking social media could affect morale.
Assess Risk: When you know what services you will allow, conduct a thorough risk assessment. This should include:
- An evaluation of security
- How authentication works
- Where and how credentials are stored
- How the data are stored and transmitted (encryption at rest and in transit)
- What features are available and how they work (litigation hold, discovery, data retention, data deletion, etc.)
Also conduct a security and risk assessment or audit of the supplier. This could be a simple questionnaire to determine whether the organization has implemented adequate safeguards to protect your data.
Integrate and Centralize: Rather than using standalone services such as those designed for personal use, choose options that can integrate with your organization’s current authentication mechanisms while providing centralized management and auditing. This will improve the overall user experience and make management easier, and it should give you the ability to prevent unauthorized access to data. Integrating with multifactor authentication mechanisms is also a good way to add a layer of security. Like general authentication credentials, multifactor authentication should be centrally managed.
Review the Terms: Review the provider’s terms and conditions to be sure you maintain ownership of your data and that no one but you and those you allow will have access to your data. Encryption keys for data at rest should be unique to your organization and inaccessible to unauthorized persons. In addition, it is important to understand where your data reside and the resulting laws to which you may be subject.
Add More Precautions: Look at data loss prevention (DLP) solutions to monitor and prevent accidental leaks of sensitive information. Although they are not limited to the cloud, many network and host-based DLP solutions can prevent users from uploading and subsequently sending files through channels such as social media, hosted email services and cloud storage. DLP solutions intercept traffic and compare it against a rule set.
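To make the rule-set comparison concrete, here is an added example (not from the original article or any DLP product) that checks one intercepted upload against a list of preapproved services and two content rules. The host names, the rules, the resulting actions and the sample uploads are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed policy data (constructed): preapproved services and content rules.
APPROVED_HOSTS = {"files.approved-storage.example"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
MARKER_RE = re.compile(r"privileged\s+(?:and|&)\s+confidential", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def content_findings(text: str) -> list[str]:
    """Names of the content rules that match the upload body."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append("payment-card-number")
            break
    if MARKER_RE.search(text):
        findings.append("confidentiality-marker")
    return findings

def evaluate_upload(url: str, body: str) -> tuple[str, list[str]]:
    """Return (action, findings) for one intercepted upload."""
    host = (urlparse(url).hostname or "").lower()
    findings = content_findings(body)
    if host in APPROVED_HOSTS:
        # Approved service: allow, but keep findings for the audit trail.
        return ("allow-and-log" if findings else "allow", findings)
    # Unapproved destination: block sensitive content, otherwise only alert.
    return ("block" if findings else "alert", findings)

# Constructed sample uploads (4111 1111 1111 1111 is a standard test number).
SAMPLE_UPLOADS = [
    ("https://files.approved-storage.example/upload", "Meeting notes"),
    ("https://personal-drive.example/put", "Card 4111 1111 1111 1111 on file"),
]

if __name__ == "__main__":
    for url, body in SAMPLE_UPLOADS:
        print(url, evaluate_upload(url, body))
```

The Luhn check is what keeps an invoice or matter number that merely looks like a card number from triggering a block.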
Educate Users: Education and awareness will be tremendously helpful in ensuring compliance with company policies. Make sure your user base understands what is expected of them.
SAFE IN THE CLOUD
Using these steps will go a long way toward keeping the cloud and its inherent risks under control.
This article was first published in ILTA’s Winter 2015 issue of Peer to Peer titled “Security, Up High and Down Low” and is reprinted here with permission. For more information about ILTA, visit www.iltanet.org