How to make your data in the cloud more secure

By Salimah Ismail
Cyber Underwriter

What is the cloud and just how safe and secure is business data?

‘Your data will be stored safely in the cloud’ is a phrase that we hear frequently. But what is the cloud and just how safe and secure is the business data we choose to store in it?

The cloud is simply a network of computer servers stored in a data centre. Instead of storing your information on your laptop or desktop, or perhaps a server in your office, you transfer the information over the internet to a data centre, run and managed by a third party. As with most things in technology, there are distinct types of cloud. A private cloud is one that is wholly dedicated to one organization, and a public cloud is one that is shared by multiple organizations.

‘Software as a Service’ (SaaS) allows a software provider to develop and build applications using the cloud and then make them available to customers via the internet. Cloud computing is the cornerstone of many applications used by businesses, whether for storing documents, processing accounts and payrolls, or running customer relationship management systems – the list is seemingly endless.

Provided appropriate due diligence is performed on the provider and you implement basic security controls, the cloud delivers a myriad of business benefits. These include cost-effective computing services through massive economies of scale, remote collaborative working, speed of access, and a rich variety of services to satisfy the requirements of any organization, regardless of size or sector.

How secure is the cloud?

When considering cloud services for business, a common question is ‘how safe and secure is it?’ Well... it depends.

Providers of cloud-based services such as Microsoft, Amazon Web Services (AWS) and many others spend millions of dollars to ensure that their systems are safe and secure.

Other companies will use the data centres provided by these technology giants to host and power their services. If you want to find out more, head to the websites of your cloud service providers and look in the small print, usually at the bottom of the website, for details of how they secure your information. Companies that have invested in certifications such as ISO 27001, ISO 27017, ISO 27018 and SOC2 take security seriously. They are independently audited on an annual basis to ensure that they can meet the stringent standards of controls.

However, whilst the cloud providers may take steps to protect the data that we place into the cloud, we all, as users and subscribers, have a role to play if we are to ensure that the data remains safe.

Sounds complicated? Well, imagine your office or house is the equivalent of the cloud environment. You may have invested in an expensive alarm system, window locks, mortice locks, perhaps a security patrol to check in every now and then. Then you discover that someone in your household has put a key under the plant pot, or the cleaner has shared the alarm code with a friend, or that a window has been left open and so on. Despite all the investment in security that you made, someone has compromised it.

Steps to ensure cloud safety

Cloud security requires the user to take basic steps to ensure the system remains safe and isn’t compromised. For example:

  • Do you use a strong password to access the system?
  • Do you have multifactor authentication (MFA) in place? This requires the user to have two pieces of information to access the system, so that if one is compromised (e.g. the password is guessed), a second step is required (e.g. a code sent to a mobile phone or email address, biometric recognition) before access is provided.

Aside from access to the system, consider authorizations within the system.

  • Who needs access to what? In the same way as you may have passports or valuables kept in a safe at home, ensure that access to the ‘crown jewels’ of your business is restricted.
  • Regular review of access levels: is there a process to manage user access, ensuring that access is removed when an individual leaves and modified when a user changes roles?
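
The access review described in the questions above can be run as a simple reconciliation. The following is an added example, not part of the original article or QBE's checklist: it compares an HR roster with a user export from a cloud service and flags leavers who still have accounts, accounts without MFA, and access that no longer matches a user's role. The CSV column names, group names and sample records are constructed assumptions.

```python
import csv
import io

# Constructed sample data (not from the article): an HR roster and a
# user export from a hypothetical cloud service.
HR_ROSTER = """email,status,department
alice@example.com,active,finance
bob@example.com,left,sales
carol@example.com,active,sales
"""

CLOUD_USERS = """email,mfa_enabled,groups
alice@example.com,true,finance-payroll
bob@example.com,true,sales-crm
carol@example.com,false,sales-crm;finance-payroll
dave@example.com,true,sales-crm
"""

# Assumed policy: which departments may hold each sensitive group.
GROUP_OWNERS = {"finance-payroll": {"finance"}, "sales-crm": {"sales"}}


def review_access(hr_csv, cloud_csv, group_owners):
    """Return a sorted list of (email, finding) tuples for the access review."""
    roster = {r["email"].lower(): r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for user in csv.DictReader(io.StringIO(cloud_csv)):
        email = user["email"].lower()
        person = roster.get(email)
        if person is None:
            findings.append((email, "account has no matching employee"))
            continue
        if person["status"] != "active":
            findings.append((email, "leaver still has an account"))
            continue
        if user["mfa_enabled"].strip().lower() != "true":
            findings.append((email, "MFA not enabled"))
        for group in filter(None, user["groups"].split(";")):
            allowed = group_owners.get(group)
            if allowed is not None and person["department"] not in allowed:
                findings.append((email, f"group {group} outside role"))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in review_access(HR_ROSTER, CLOUD_USERS, GROUP_OWNERS):
        print(f"{email}: {finding}")
```

Running the same comparison on a schedule, and whenever someone leaves or changes role, turns the review from a one-off check into a process.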

So, whether you’re considering the use of cloud-based storage, or you are already using cloud services, it is important to assess the security provided by prospective/existing cloud service providers. As a leading business insurer, we have produced a basic checklist of factors to consider and what should be expected of cloud providers, which can be adapted to suit your business needs. You can download it here.

Whilst a checklist of requirements may seem daunting, any credible supplier should respond to them quickly and comprehensively or have the information readily available on their website. Don't be deterred, be persistent and if you don't receive the answers, then look towards another supplier.

Finally, if you choose to end a service with your provider, then remember to ask them to confirm the deletion of the data.

More information

This guidance was first produced by QBE in the UK in partnership with Risk Evolves. 

For more information, we recommend reviewing the guidance posted on the Canadian Centre for Cyber Security website, including their article Thinking of moving to the cloud? Here’s how to do it securely.

QBE policyholders, whether they purchase cyber or a different type of insurance from QBE, can gain access to QBE’s E-Risk HUB, powered by Net Diligence. On the E-RiskHub, there is a great article called “Cloud Risk Considerations” which includes detailed guidance from Ted Kobus, Brian Karp and John Mulhollan of Baker & Hostetler LLP.