How to Guarantee Data Security When Data is in an External or Public Cloud

There's no doubt that shared cloud hosting offers many direct advantages to businesses, particularly those without extensive on-site data infrastructure. It's inexpensive, it's easy to access, it doesn't require maintaining your own hardware, and you've got experts on-call if there's ever an issue.

The big issue, of course, is security and privacy. Even the question of whether local or cloud-based hosting is more secure is hotly debated. No matter how many protections cloud vendors put onto their files, there's still the basic fact that a company is handing over its data to another business for handling.

For many, this is hard to swallow. Questions of privacy and data sovereignty are still the biggest factors holding many companies back from embracing cloud-based services.

While we'd say that, overall, a well-run cloud operation is likely to be at least as safe as your own servers, security is still an important issue. So we have some tips to help safeguard your data as much as possible when it sits on public/shared cloud servers.

1 - Thoroughly vet every potential partner

The more legwork and research you do beforehand, the more likely it is to pay off down the line. Don't take claims for granted. Ask for documentation of the security policies a vendor claims to follow, or of its adherence to major security standards. Look into the company's history to see how long they've been in business, and whether they've suffered any public attacks.

If possible, get recommendations from other businesses in similar fields as your own. Their own experiences may be one of your best guidelines.

2 - Don't feel compelled to only use one vendor

A lot of (X)-as-a-Service vendors try to be ‘jacks of all trades’, offering to solve every one of your cloud data, storage, and application needs. This isn't necessarily the best approach. While it may take a little more work to set up initially, it's entirely possible to work with multiple cloud vendors in parallel. In many cases, this will get you a superior service package, as well as avoiding issues with having all your eggs in one basket.

3 - Hold back your most critical data

Don't feel comfortable putting your employee records or customer purchase histories in the cloud? Then don't! You can still keep such crucial protected information local, while still using the cloud for less mission-critical services.

4 - Overshoot your needs

Not every business has to adhere to the same strict standards as, say, a company handling medical information protected under HIPAA. However, a cloud provider which is certified to provide HIPAA-compliant security would most certainly be able to meet your security needs and then some. It would cost a bit more, but buying a measure of security that's a level or two above your minimum requirements will also buy a lot more peace of mind.

5 - Encrypt, then encrypt some more

Really feeling paranoid? Use a cloud storage service that supports end-to-end encryption, and also encrypt your data separately prior to upload. It will slow down transfers somewhat and, of course, require decryption routines and probably passwords on your local machines, but doubly-encrypted data is going to be nigh unbreakable. Even if it's stolen, it'll be useless to the thieves.

6 - Get serious about human security

The plain fact of the matter is that human mishandling of data, passwords, critical mobile devices, and other secure materials contributes to far more data breaches and attacks than hardware or software cracking. All it takes is a single leaked password, and every dime you've spent on data security becomes completely irrelevant. Train your workforce on:

  • Proper data handling, storage, and disposal. Ideally, subscribe to a data-destruction service to guarantee safe disposal.

  • The importance of NOT keeping critical data on mobile devices that leave the building. If this is unavoidable, the devices should have the strictest possible security.

  • Good password policies. Estimates are that 90% of passwords can be cracked within seconds. And, of course, never write them down.

As a quick-and-dirty method of making strong-but-memorable passwords, try pass-phrases instead, such as lines from a favorite movie/poem/novel. As long as it isn't blatantly obvious (like a Star Trek fan using "BeamMeUpScotty"), such phrases are going to be inherently pretty secure due to their length. Even better if the phrase contains words which can be converted to numerals or symbols, like "4Score&7YearsAgo." Of course, if your provider doesn't support long passwords, they probably aren't worth your time.

Don't fear the cloud, but remain cautious

In the words of President Reagan, "Trust, but verify." Cloud computing systems CAN be just as secure as local hosting, as long as you're smart about research and implementation.