1) Where is their data being processed and stored?
2) What laws and regulations apply?
3) Who has access to the data?
4) How is access controlled?
5) How is data protected during transit and at rest?
While contracts and user agreements may contain important security and privacy provisions, access to the data is also subject to the laws of the jurisdiction in which the data is physically located. Storing your data in a country other than your own exposes the data to at least two different legal systems. If the company storing the data has a physical presence in a third country, there could be more complications. Users of cloud services need to understand these implications, especially when confidential information is involved.
While we don’t expect end users to fully assess the physical and logical security of the data centre, it is worth noting that not all cloud services are created equal. Some run in modern, high-end data centres and take advantage of cutting-edge cloud services themselves. Others run on shoestring budgets in a closet in someone’s basement. At a bare minimum, users should ask basic questions about the environmental, physical, and access controls in place.
Another fundamental issue is who has access to your data. While agreements may make promises such as “data will not be disclosed except as required by law” — which in itself has proven problematic in some jurisdictions — users of cloud services need to consider whether the service provider will use the information for its own purposes (such as to target advertising) and the type of access that support personnel have. Given current trends in global outsourcing, users should also understand that while their data may be stored in their home country, it may be accessed by personnel who are physically located elsewhere.
Most cloud services are designed to be accessed from any web browser or mobile device. While this is often desirable — or even the entire point of the service — it makes user authentication critical. There is considerable variation in the strength of different password systems. While a properly implemented password system may be good enough for less sensitive information, users should look for cloud service providers that provide two-factor authentication to help mitigate risks associated with static passwords.
There are two fundamental ways to protect data: physical possession and encryption. Storing data in the cloud places it physically in the hands of someone else, leaving encryption as one of the few ways we can exercise direct control over our data. The best scenario is when the end user has sole possession of the cryptographic keys, rendering data inaccessible to others, including the service provider. As the use of cloud computing continues to grow, these types of solutions will become more popular. Until then, customers need to continue to ask questions about how their data is protected in transit and at rest.
When it comes to cloud security, the best control we have is user education and awareness. While we can’t expect to make users experts on cloud security, we can educate them on the issues and help them ask the right questions.