CPA Now Blog

Securing Data in the Cloud

By taking just a few simple measures, most professionals can likely reduce the risk associated with storing data in the Cloud to a reasonably acceptable level. In fact, in many cases, you may find that the risk associated with storing data in the Cloud is actually less than storing data locally.

Nov 14, 2014, 08:34 AM
By Guest Blogger Thomas G. Stephens Jr., CPA, CITP, CGMA | K2 Enterprises

Many have written and reported about Cloud security – or the lack thereof – causing numerous business professionals to express concerns about whether they can store potentially sensitive data in Cloud-based facilities over which they have little, if any, control. However, by taking just a few simple measures most professionals can likely reduce the risk associated with storing data in the Cloud to a reasonably acceptable level. In fact, in many cases, you may find that the risk associated with storing data in the Cloud is actually less than storing data locally – particularly so for smaller businesses.

Know Your Cloud Service Providers

Prior to contracting with a Cloud service provider or storing your data in the Cloud, perform your due diligence on the companies with whom you are entrusting your data. You should ensure that these organizations recognize and practice appropriate data management and security principles. One way to confirm that a company follows best practices for data management and security is to determine whether the company has undergone an SSAE 16 audit and, if so, what type – SOC 1, SOC 2, or SOC 3. Additionally, you should determine whether the audit was performed at a specific point in time – a Type 1 report – or whether tests were conducted over a period of time (at least six months) – a Type 2 report. Other standards and certifications you should ask about include ISAE 3402, ISO 27001, and FISMA.

If your company is subject to specific industry regulations – HIPAA, for example – you must ensure that your Cloud service provider is aware of the regulations specific to your industry and is already capable of satisfying them. You should take all measures necessary to thoroughly vet your potential Cloud service providers and determine if any of their offerings are not compliant with the relevant regulations in your industry. For instance, continuing with the HIPAA example, only portions of Google’s Apps for Business are HIPAA-compliant.

Use Strong Authentication Measures

A strong first line of defense can go a long way in protecting data stored in the Cloud. Thus, you should use strong authentication measures whenever you log in to your Cloud service providers. If your Cloud service provider offers it, you should use multifactor authentication. Multifactor authentication involves logging in to a service using the “something you know, plus something you have” rule. For example, you might log in to your Cloud service provider with a username and password combination – something you know – in combination with a code generated by a key fob – something you have.

If your Cloud service providers do not offer multifactor authentication, then ensure that you are using a “long and strong” password to log in and that you use a separate password for each Cloud service provider. According to the experts at The SANS Institute, your passwords should be at least fifteen characters in length and contain at least three of the following five types of characters:

  • Lower case characters
  • Upper case characters
  • Numbers
  • Punctuation
  • Special characters such as asterisks, ampersands, and percent symbols.
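As an added example (not from the original post), a small Go check that applies the SANS rule exactly as the post states it: at least 15 characters and at least three of the five character classes. The post does not say where “punctuation” ends and “special characters” begin, so that split is an assumption made here.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Thresholds as the post quotes them from SANS: 15+ characters, 3 of 5 classes.
const minLength, minClasses = 15, 3

// The post does not say where "punctuation" ends and "special characters"
// begin; this split is an assumption made for the example.
const punctuation = ".,;:!?'\"-()"

// classify reports which of the five classes occur in pw.
func classify(pw string) map[string]bool {
	seen := map[string]bool{}
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			seen["lower"] = true
		case unicode.IsUpper(r):
			seen["upper"] = true
		case unicode.IsDigit(r):
			seen["digit"] = true
		case strings.ContainsRune(punctuation, r):
			seen["punctuation"] = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			seen["special"] = true
		}
	}
	return seen
}

// CheckPassword returns nil when pw meets the rule, otherwise the reason it fails.
func CheckPassword(pw string) error {
	if n := len([]rune(pw)); n < minLength {
		return fmt.Errorf("too short: %d characters, need at least %d", n, minLength)
	}
	if c := len(classify(pw)); c < minClasses {
		return fmt.Errorf("only %d of 5 character classes, need at least %d", c, minClasses)
	}
	return nil
}

func main() {
	for _, pw := range []string{"correcthorsebatterystaple", "Tr0ub4dor&3", "Ledger-Review!2014"} {
		fmt.Printf("%-28q %v\n", pw, CheckPassword(pw))
	}
}
```

The rule cannot check the post's other requirement, a separate password per provider; a password manager is the practical way to meet that one.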

Insist On Data Encryption

You should store sensitive data only with Cloud service providers that encrypt the data while it is in transit between your computer and the Cloud-based storage facility and while it is stored. You should choose Cloud service providers that allow you to maintain control of the encryption key. With your data encrypted using a strong encryption algorithm, it is all but impossible for someone who hacks into your account at your Cloud service provider to decipher, and therefore view or use, your data. Further, because you maintain control of the encryption key, no rogue employees of your Cloud service provider can see your data.

Retrieve Your Data Periodically

Virtually all reputable Cloud service providers utilize redundant storage facilities, making it highly improbable for data to be permanently lost in the event of a system or hardware failure. Nonetheless, you should become thoroughly familiar with the procedure for recovering your data from your Cloud provider, just in case a situation arises where you no longer want your data stored there. You should go through the process of retrieving a copy of your data from the Cloud provider periodically. This helps to ensure that, should you ever need to do so, you would be able to retrieve your data. It also means that in addition to your data being stored in the Cloud, you also have an archive copy available to you locally in case of a catastrophic event affecting your Cloud service provider.

Educate Your Team

Perhaps above all else, educate your team about the absolute business requirement for securing sensitive data. First, your team should understand the risks associated with local data storage. For example, team members should recognize the dangers of copying data to unencrypted flash drives or external hard disks and the dangers associated with sending confidential information in unsecured e-mail messages. Additionally, your team should recognize the threats associated with the current Bring Your Own Device (BYOD) and Bring Your Own Cloud (BYOC) phenomena. In fact, you likely should implement policies that clearly spell out what each team member’s responsibilities are in a BYOD scenario. Similar policies should be in place to prohibit team members from storing organizational data in their own personal Cloud-based storage facility. In the absence of such policies, sensitive data can leak from your organization and you may no longer be able to control, secure, manage, back up, or recover this critical information.

Our data is one of our most important assets and because of this, we must exercise due professional care to ensure its continual availability to all who need access to it. If we choose to store data in the Cloud, the fact that we generally will not have direct control over the physical storage facilities presents a different set of challenges than if we store data locally. However, by dealing with reputable vendors, using strong authentication measures, insisting on data encryption, retrieving data from the Cloud periodically, and educating our team members on the importance of data security, we can greatly increase the probability that our data will remain safe and secure, even though it is stored in a location over which we do not have direct physical control.
