Is your data safer in the cloud?

Cloud vs local: which is better for your data?

Many companies are looking to store their data in the cloud, but are rightly concerned about how secure it will be once there.

It is easy to conceptualise the security of data held on disks within a company's own infrastructure. You can see servers, and have spent many years taking precautions to ensure unauthorised third parties do not access data, but the cloud seems different. The data is stored in a datacenter, and that could be anywhere in the world.

The great allure of the cloud is that it can allow access to data from any device and any location. This is great for mobile warriors keen to access the very latest sales figures or that killer presentation, but for the IT manager this also means that potentially anyone else can access this data and use it for their own gain.

So how do you, the IT manager, make sure that data residing in the cloud stays safe, and away from prying eyes?

In light of the Prism allegations of mass surveillance of the internet, the need to keep private things private has stepped up several gears.

This means that in order to ensure peace of mind, security in the cloud should be as good as, if not better than, security put in place to protect data on premises.

It is human nature to conflate security with control. People with a fear of flying often have no problem driving to the airport, despite the greater risk of having a car accident than one involving the plane. This is because the person goes from being in control of the car to being a mere passenger in the plane. There is a clear loss of control, and this leads people to believe there is a lack of safety.

The key to regaining this control is to know your cloud data is in safe hands. When considering putting your organisation's data into the cloud, you must weigh up the risks.

First, is it necessary to store the data in the cloud? If you need employees or third parties to access your data without necessarily accessing your infrastructure, then the cloud is one of the best ways to provide that access. This is especially true if you have people needing access from a variety of devices. The days of just connecting to data stores from the desktop on the network are long gone.

You must then find out about the company you are entrusting with your data. Does it have well-trained staff, adequate backup systems and contingency plans should problems arise? Cloud providers invest a lot more in security and data backup than most small companies.

A datacentre with information security management processes that are ISO27001 certified will meet and exceed the security standards of those without this certification.

Another important point is where your data is held. In various European jurisdictions data protection laws regulate how and where data can be stored and who can access it. For instance, in Germany, a local cloud provider can refuse a request from the NSA to provide data but a US firm with operations in the same country could be compelled to hand data over under a US law known as Fisa (Foreign Intelligence Surveillance Act).

Many companies are waking up to this level of government intrusion and moving not only to encrypt data stored in the cloud, but also to make sure that the channels through which data moves between an organisation and the cloud are secured in a similar fashion.

Securing these channels in this way will also ensure that criminals have a hard time if they attempt to steal data.

A security vendor that protects many customers in the cloud can typically do a better job of this than a small firm, because its expertise can be combined and applied for maximum effect.

A cloud provider monitoring its customers' assets can use its high-level detection systems and protections to spot and address any problem quickly, because it has a large base that must be protected.

Another consideration is data portability. You might well be happy with a cloud provider, but if you need to move because the provider is going out of business or you have simply found someone better, you need to make sure that you can get that data back. Question your prospective provider about this - their answers should be clear enough to give you peace of mind.

Such protections mean that you can demonstrate to your customers and end-users that you have taken all possible steps to make sure all data entrusted to you is safe.

The cloud can be an asset to your small business, and most concerns over security tend to be down to the fear of giving up control of this data. But as long as the provider has a good reputation built on years of being in the business, and is safe and profitable, risks of data loss or compromise will be minimal.