Most cloud service providers have better resources than their customers to provide an adequate level of security. However, purchasing a subscription for cloud services is not equivalent to transferring all responsibilities to a third party. Whether the data is stored in the cloud or on a company’s network located in the company’s basement, the overall responsibility for the security of the data remains in the hands of the data custodian. Cloud customers remain primary responsible for the security of the data that they have collected from their own clients, visitors, or users, which often constitutes their most valuable assets. No matter where the data is stored or processed, data custodians must understand the nature and sensitivity of the data they collect, limit their collection and retention to only the data they need, use security measures and controls that are adapted to the data, train their personnel and suppliers on the ways to better protect this data, and stay alert and look for clues of potential vulnerabilities.
A recent FTC Blogpost, titled Six Steps Towards More Secure Cloud Computing provides a concise, valuable checklist for businesses that use or intend to use cloud services, so that they make their use of cloud services safer. The document is also a reminder of the golden rules concerning data security when using a third-party service provider. The FTC blog posts contains six recommendations.
- Security is your responsibility.
First and foremost: Keep in mind that if it’s your data, it’s ultimately your responsibility.
Using cloud service providers (CSP) to store or process your data does not mean you can also outsource security. Throughout the lifecycle of data in your company’s possession, security remains your responsibility.
Even if you rely substantially on your CSP’s security tools, you must have a written data security program that lays out your company’s process for securing your customer’s information, and that ensures that people on your staff remain knowledgeable about maintaining, monitoring, testing, and updating that program. You should train your staff on their obligations under that data security program, so that they perform fully and correctly the tasks set forth in your security program. You must also review your cloud contracts carefully to ensure they spell out your expectations and clearly establish who is primarily in charge of what.
- Take regular inventories of what you store in the cloud and how it is protected.
You cannot use your data if you don’t know you have it, and where to find it. This is why you need an “inventory” or a “data map”. Numerous CSPs offer tools such as dashboards or management consoles.
You cannot keep your data safe if you don’t know the security configurations and access rights that are attached to this data, and you ensure that they remain consistent with the sensitivity of the data you have stored. As you add data that may require more protection, re-evaluate your security settings and update them accordingly.
Actively test for misconfigurations or other security failings that could compromise your data. Maintain robust log files so you can continuously monitor your cloud repositories.
- Don’t store data that is not necessary.
There is a tendency to keep as much data as possible because cloud storage is usually less expensive than other storage methods. Anyone will attempt to convince you that they “need” to keep this data because they might need it for a future project. There are several problems with this.
- From a practical standpoint, except for archives, in most cases, old data is useless. It might be obsolete, incomplete, or unreadable.
- From a legal standpoint, retaining personal data when it is no longer needed could violate applicable laws. Numerous privacy or data protection laws on all continents require that personal data be kept no longer than necessary for the purpose for which the data was originally collected.
- From a contractual standpoint, it might violate contractual promises your business made to dispose of data at the end of a project, or on the occurrence of a triggering event.
- From a security standpoint, the more data you keep, the greater the probability that someone will want to steal it, misuse it, damage it, etc.
As you conduct a data inventory, be ruthless. Dispose of all data that is not necessary, and do so securely.
- Take advantage of the security features offered by the cloud service provider.
Most cloud service providers offer detailed guidance about their security controls and how to set up their services in a more secure fashion. Users should do their best to understand the options and configure those settings in the way best suited to their own operations.
- Understand the nature of the data that will be stored, processed, or used in the cloud.
- Evaluate the risk to this data: Is the data sensitive? Is it needed? Who should have or not have access to it?
- What means should be used to protect against the risks of unauthorized access to the data while it is held in the cloud?
- Make good use of encryption.
There are numerous benefits to encryption, assuming of course that it is conducted properly, and in accordance with up-to-date techniques. If you must retain certain data, but that data is seldom accessed, consider encrypting it. If data contains sensitive information, consider encrypting it, as well. The more data is encrypted, the less chances it has to be stolen, modified or misused.
- Stay alert: pay attention to credible warnings.
Some cloud providers offer automated tools to remind users about cloud repositories that are open to the Internet. Others may contact users with warnings to that effect. Security researchers may contact businesses when they find exposed data online. If you receive one of these warnings, pay attention. Investigate your cloud repositories and recheck your security settings.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~
The FTC blog post provides a concise checklist of the duties and obligations that are vested on those who collect and use data and have them stored and processed in the cloud.
- Security is your responsibility
- Take regular inventories; know what data you have, and where it is
- Don’t store what you don’t need
- Take advantage of the security features offered by your cloud service provider to meet your own security obligations
- Evaluate the risk to the data, and use carefully the controls offered by your CSP
- Make good use of encryption
- Stay alert; security is a never-ending quest.
The FTC blog post not only provides business with easy to use guidelines on the most essential activities to be conducted when hosting or planning to host data in a cloud. It also provides a checklist of issues the FTC – or any state prosecutor acting under a state mini FTC Act – might raise when investigating the practices of an entity, such in the context of a security breach. In both cases, businesses should be careful to take the time to review and reflect on the action items listed in the FTC blogpost and ensure that they have carefully addressed all items in the blueprint.