How are you addressing Cloud security?
The following was originally published on January 24, 2016 on Seacoastonline.com.
Many companies are actively moving their data and systems to the Cloud. This move makes sense for many, due to cost or availability, as it’s often quite costly to build the infrastructure you need internally versus leveraging Cloud infrastructure from industry titans like Amazon and Microsoft.
Amazon’s Cloud infrastructure, known as AWS or Amazon Web Services, was the first to gain traction in the market. Microsoft’s Azure has definitely caught up to AWS and offers some additional features and services that have attracted a significant number of companies moving their infrastructure to the Cloud.
Then there are the thousands of Cloud-based applications and services that a company can subscribe to, whether it is CRM, file sharing, email or accounting. With all this activity moving to the Cloud, how are you addressing Cloud security to ensure your data is protected? But first, what exactly is this thing called the Cloud? Simple: it’s a server that is not located in your office. That’s the most simplistic, yet accurate definition of the Cloud.
One of the largest Cloud security issues has to do with where the physical data center that hosts your company data is located. The Cloud, in addition to being a computer that is not in your office, is also a large, mostly nondescript building where literally thousands of servers live in specialized rooms that are temperature controlled, secured with biometric access controls and recorded video monitoring, and supplied with massively redundant power systems and Internet access. They often look like a large warehouse, until you look a little more closely at what’s immediately around and on the building.
After the passage of the Patriot Act, in the wake of the tragedy of Sept. 11, 2001, just about any company that is owned by a foreign concern took steps to be sure their sensitive data was not stored in the Cloud if the servers were physically located within the United States. Why? Because the new laws allow, under the right circumstances, law enforcement and intelligence authorities to access that data for purposes of national security threat analysis. Europe and Canada have, in some cases, considerably stronger privacy protections for corporate data that are in conflict with United States law. This is one significant area of Cloud security concern for multi-national companies.
Another is the rapid increase in the use of file-sharing services like Dropbox, Google Drive, Microsoft OneDrive, etc. Many companies are deploying these and other file-sharing technologies to make data more accessible to increasingly mobile and remote workforces. Instead of requiring all company data to be stored on internal company servers, file-sharing services let companies place data in what may appear to be local folders on the user’s computer. Those folders then seamlessly synchronize the data to the Cloud, and everyone who has been granted access can get to the files instantly.
The issue becomes how you are managing and auditing who has access to what files and folders, and how the data is secured on the individual computers, on the Cloud server and while it is in transit between these various systems. If a computer is lost or stolen or an employee leaves or is terminated, how will you recover the data they have on their computer, remove all company data from their computer(s) and revoke their access? This needs to be done in an efficient and effective manner, or the company will be exposed to significant risk of data breach and loss.
Like all security-related issues, the primary risks come from internal staff, not necessarily external threats. Educating and training your users to properly understand company policy and to safely guard the data they have access to is critical. This also has a very direct financial impact on the company.
As data breaches have become more prevalent, so has the matter of securing cyber insurance to protect your company from potentially crippling costs if you experience a breach or loss. While initially these coverages were affordable, premiums are starting to climb at an alarming rate, in some cases doubling year over year. Why? Because you may not have appropriate systems, policies and safeguards in place to mitigate your risk. This will only become more complicated, so don’t put your head in the sand and hope this doesn’t apply to you. It does.
It’s important to get an objective or qualified review of your Cloud security practices to ensure you are doing the right thing and have the right coverage in place to help protect your business should you ever experience a security event. Here’s to a safe year.