Cloud Services: ticking the boxes
Alastair Murray assesses security considerations when using a Cloud-based arrangement
Many organisations have moved their office systems onto Cloud-based arrangements, deeming it both cheaper and safer to hold their precious data there than to maintain an in-house server facility of their own. Since most Cloud service providers are large multi-national businesses, it is reasonable to assume their systems are secure. However, it is worth noting that the majority of recent cyber break-ins have occurred on Cloud-based services.
In the early days of the Covid-19 pandemic, firms sent staff home to work. Personal computers belonging to employees lacked the rigour of ‘office IT’, and their firewalls caused havoc with cyber and data security. Home-working security is improving but still remains vulnerable to attack, with firms having to keep a close eye on their defences to maintain a watertight seal on this data.
Nearly a quarter of firms experienced some Cloud server incident in 2022, such as a misconfiguration, malware or a ransom demand. Some of this is down to firms having more than one Cloud server; while that seems to be the trend these days, it also seems to make misconfigurations more likely. And while it has ushered in more flexible software systems, most firms have found running on multiple servers more complicated.
Cloud providers with all the right credentials like ISO 27001 and ISO 9001 certifications and Cyber Essentials Plus, CREST Certified or members of the PCI Security Standards Council ought to have everything covered. Nevertheless, it is worth asking.
Most vendors already have a good understanding of the various services currently on offer and can select one that meets the needs of the firm and its management. However, contracting out your firm’s most precious data records and systems to a third party warrants a close eye on where and how they are being managed, if only for General Data Protection Regulation (GDPR) compliance reasons.
Your vendor should have scrutinised the wording of their Cloud provider’s terms and conditions, set up all the necessary security measures, including multi-factor authentication, and allowed for the in-house use of other subsidiary Cloud services like Dropbox and WeTransfer, often referred to as Shadow IT, to bring everything under one robust security regime for the entire organisation. Again, it is worth asking your vendor whether this is actually the case.
The security of data and systems held on your Cloud server must remain in focus, and not be left to this or that assumption made about Cloud services in general. These are arranged on the basis of data storage needs only, with security coming later, so it is vital to ensure all your storage and security needs are met. Nearly all the recent Cloud service break-ins were suffered by firms who had not applied multi-factor authentication. In fact, there are so many firms who have not selected this extra layer of security that cyber criminals were falling over themselves to break in. It is just too easy for them.
Moving systems and data to the Cloud, where most services are held on ‘shared’ servers and data belonging to several businesses may sit on the same server, presents a far larger target for cyber criminals, allowing them to pick and choose who to go after, including the many without multi-factor authentication turned on.
Cloud security should not be ignored or left to chance, and it warrants routine testing. If you have a contract with a local and/or large vendor which uses one of the big Cloud providers, most will be happy to run routine tests to ensure all is configured correctly. After all, you do not want to find you have been hoodwinked into handing over all your security credentials simply because they forgot to apply multi-factor authentication.
Cloud service terms and conditions are worth a look. The providers should have already done this, but it is worth some further examination before you sign on the dotted line, as some terms may not suit. These can then be examined and thrashed out further to reach an agreement. It is also worth checking whether the provider you have chosen has a clause in their terms and conditions that allows them to outsource your data to a third party, as this may cause compliance issues, or worse still a loss of data. Sub-contracting is quite common in this business, so it is worth checking how your data is being managed to ensure you are data compliant and management is happy.
Terms and conditions
Cloud-based services are all the rage at the moment and, when arranged well, provide the security and peace of mind management seeks. However, given the speed at which Cloud services have grown, some may be reluctant to question their vendor’s terms and conditions. If you have not already done this, you should, as it may well confirm all is well; equally, it could uncover some discrepancies which can then be ironed out.
One of the big misconceptions of relying on a Cloud-based server is that your data is automatically backed up to another server and protected, completely safe from intruders. Unfortunately, this is not the case. Most of the big names in Cloud server security follow what is called the ‘shared responsibility model’, making the firm responsible for the viability of its own data. Many firms are unaware of this rather important aspect of Cloud storage, which means data can be vulnerable to attack.
Each Cloud provider should have clear and transparent terms for their applications, with tight security protecting the personal and business data of each of their client firms. Protecting the integrity of your data is paramount, requiring strong passwords, encryption and unique user names for all your data and documents, as well as multi-factor authentication, which is an essential part of Cloud security.
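The routine configuration tests mentioned above, and the controls just listed (multi-factor authentication, unique user names, encryption, and backups that are the firm’s own responsibility under the shared responsibility model), can be reduced to a simple audit over an inventory exported from the provider’s admin console. The script below is an added example, not part of this article or of any provider’s tooling: the tenant inventory is a constructed sample, the data structures are assumed stand-ins for whatever export format the provider offers, and the 12-character minimum password length is an assumed policy threshold.

```python
"""Audit a cloud tenant inventory for the controls the article calls for.

Added example with constructed data. `Tenant`, `User` and `Bucket` are
assumed stand-ins for a provider's real export; the password-length
threshold is an assumed policy value.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MIN_PASSWORD_LENGTH = 12  # assumed policy threshold, not from the article

Finding = Tuple[str, str]  # (severity, description)


@dataclass
class User:
    username: str
    mfa_enabled: bool
    is_admin: bool = False


@dataclass
class Bucket:
    name: str
    encrypted_at_rest: bool
    public_access: bool
    backup_configured: bool  # shared responsibility: the firm must arrange this


@dataclass
class Tenant:
    users: List[User] = field(default_factory=list)
    buckets: List[Bucket] = field(default_factory=list)
    password_min_length: int = 0


def audit(tenant: Tenant) -> List[Finding]:
    """Return one finding per control that the tenant fails."""
    findings: List[Finding] = []

    # Unique user names: compare case-insensitively so 'Carol' and 'carol'
    # are treated as a collision rather than two distinct identities.
    seen = set()
    for user in tenant.users:
        key = user.username.lower()
        if key in seen:
            findings.append(("HIGH", f"duplicate user name '{user.username}'"))
        seen.add(key)
        if not user.mfa_enabled:
            # An admin without MFA is the worst case the article describes.
            severity = "CRITICAL" if user.is_admin else "HIGH"
            findings.append((severity, f"user '{user.username}' has no MFA"))

    for bucket in tenant.buckets:
        if bucket.public_access:
            findings.append(("CRITICAL", f"bucket '{bucket.name}' is publicly accessible"))
        if not bucket.encrypted_at_rest:
            findings.append(("HIGH", f"bucket '{bucket.name}' is not encrypted at rest"))
        if not bucket.backup_configured:
            findings.append(("MEDIUM", f"bucket '{bucket.name}' has no backup configured"))

    if tenant.password_min_length < MIN_PASSWORD_LENGTH:
        findings.append(("MEDIUM",
                         f"password minimum length {tenant.password_min_length} "
                         f"is below {MIN_PASSWORD_LENGTH}"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity, e.g. {'CRITICAL': 2, 'HIGH': 3}."""
    return dict(Counter(severity for severity, _ in findings))


def tenant_passes(tenant: Tenant) -> bool:
    """True only when the audit produces no findings at all."""
    return not audit(tenant)


# Constructed sample inventory: one admin without MFA, a case-insensitive
# duplicate user name, a public unencrypted transfer bucket with no backup,
# and a weak password policy.
SAMPLE_TENANT = Tenant(
    users=[
        User("alice", mfa_enabled=True, is_admin=True),
        User("bob", mfa_enabled=False, is_admin=True),
        User("carol", mfa_enabled=False),
        User("Carol", mfa_enabled=True),
    ],
    buckets=[
        Bucket("client-files", encrypted_at_rest=True, public_access=False, backup_configured=True),
        Bucket("shared-transfer", encrypted_at_rest=False, public_access=True, backup_configured=False),
    ],
    password_min_length=8,
)

if __name__ == "__main__":
    for severity, description in audit(SAMPLE_TENANT):
        print(f"[{severity}] {description}")
    print(summarise(audit(SAMPLE_TENANT)))
```

Run against the constructed sample, the audit reports seven findings (two critical, three high, two medium); the same checks run against a clean inventory return nothing. The point of keeping `audit` data-driven is that the vendor’s routine test then becomes a repeatable script over the provider’s export rather than a one-off visual inspection.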
The firm’s data controllers should be examining the pros and cons of their Cloud technology before going down this route, and how and why it will benefit their firm. Its affordability may be the main reason, but this should not be at the cost of security.
Most firms now understand that online safety requires vigilance. In navigating the now daily routine of cyber threats, malware, ransomware and phishing attacks, Cloud providers must keep their client firms away from these dangers. Regulatory compliance in the form of GDPR and cyber security now play a big part in the way management oversees and manages staff, data and cyber security and password control measures, as well as the many new and clever techniques to control phishing and other external emails. While there are other risks to contend with, compliance and cyber security are now firmly top of the list.