Business to Cloud: Protecting Your Company’s Information
Using the cloud is a cost-effective means of obtaining technology services for many businesses. It’s scalable, easy to set up, and easy to access.
When files are stored in the cloud, employees can access company data from any device at any time. Files can be shared with colleagues within the business and also with your business partners, no matter where they’re located.
Without appropriate security measures, however, company employees and partners may not be the only ones accessing company data in the cloud. Files in the cloud are outside your company’s network perimeter, making it more difficult for you to apply controls and monitor who is accessing company files.
Cloud service providers offer some security measures, but companies still carry the bulk of the responsibility for protecting their customers' information. Companies need to protect their own intellectual property and other information in the cloud as well.
Find Out What Your Employees Are Doing
The first step in protecting your data in the cloud is to discover which cloud providers your employees are using. Most companies keep files with multiple cloud providers: in addition to the enterprise-grade providers that your IT department has formally approved, employees may be using various free file-sharing services. A shadow IT discovery process may be necessary to find out which services are in use so that your corporate information security measures can be applied to them.
You’ll also want to identify the type of information that employees are sharing in the cloud. Some information may be all right to place in the cloud as long as access is highly limited, while other information may require encryption or removal of some data before sharing is allowed. Some data may be so sensitive that it’s not appropriate for it to be in the cloud at all.
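A minimal form of the shadow IT discovery step described above, as an added example (not code from the original article): it scans constructed web-proxy log lines, maps destination hosts to known file-sharing services, and reports the unapproved ones with the users involved and the bytes they uploaded. The service list, the approved set and the log format are assumptions for the example.

```python
import re
from collections import defaultdict

# Hostname suffixes of cloud file-sharing services (an assumed starter list; extend it).
CLOUD_SERVICES = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
    "sharepoint.com": "SharePoint",
    "wetransfer.com": "WeTransfer",
}

# Services the IT department has formally approved (assumed for this example).
APPROVED = {"SharePoint", "OneDrive"}

# Constructed proxy log lines: timestamp, user, method, destination host, bytes the client sent.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST files.dropbox.com 5242880
2024-05-01T09:15:41Z bob GET sharepoint.com 1200
2024-05-01T09:20:10Z carol POST wetransfer.com 83886080
2024-05-01T09:22:55Z alice POST files.dropbox.com 1048576
2024-05-01T09:30:00Z dave GET www.example.com 512
2024-05-01T09:31:12Z erin POST onedrive.live.com 2097152
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def classify_host(host):
    """Map a destination host to a known cloud service name, or None if it is not tracked."""
    for suffix, name in CLOUD_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def discover_shadow_it(log_text):
    """Per unapproved cloud service: which users touched it and how many bytes were uploaded."""
    report = defaultdict(lambda: {"users": set(), "bytes_uploaded": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, user, method, host, nbytes = m.groups()
        service = classify_host(host)
        if service is None or service in APPROVED:
            continue
        report[service]["users"].add(user)
        if method == "POST":  # treat request body bytes as uploads
            report[service]["bytes_uploaded"] += int(nbytes)
    return dict(report)
```

Running `discover_shadow_it(SAMPLE_LOG)` on the constructed log flags Dropbox and WeTransfer; the suffix match deliberately ignores look-alike hosts such as `evil-dropbox.com`, which would otherwise inflate the inventory.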
Assess Safe Cloud Providers
Once you know where employees have data, you can choose one or more secure cloud providers and require employees to migrate files over from non-approved sites.
Investigate cloud providers to understand the security they apply. Each provider should be able to give you information about their data center security policies. Make sure you understand the physical location of your files and whether they’re on shared devices. Review contracts and terms of service to make sure your business retains ownership of data uploaded to the cloud and that the cloud provider has no rights to use it for any purpose.
Evaluate potential cloud providers’ self-assessments or third-party security audits. Many cloud providers have certifications that verify their environments are in compliance with standards such as ISO 27001, PCI or HIPAA. This is especially important for businesses in highly sensitive industries such as finance or health care, which should only use providers certified for compliance with industry standards.
The Cloud Security Association has a cloud controls matrix that can guide you in assessing the security of a cloud provider. The matrix considers more than a dozen factors related to security, including data center security, key management, and identity and access management. In some cases, companies may choose to implement a private cloud environment to ensure that there’s heightened security for sensitive data.
Use Technology to Secure Data
Sensitive data, such as Social Security numbers and protected medical information, should be encrypted or tokenized before it's uploaded to cloud storage. Some cloud providers offer encryption, but they manage the keys and can therefore access your data themselves. Companies can consider using a cloud access security broker (CASB) to provide encryption, with the company managing its own keys.
CASBs also provide functionality such as granular file access controls and audit logging, which help companies manage and monitor access to data in the cloud. CASBs include data loss prevention (DLP) functionality to ensure that only data that can safely be used in the cloud is uploaded. CASBs also scan cloud files for malware, reducing the risk of malware entering the company through files accessed in the cloud. Most CASBs integrate with a business's existing DLP and security information and event management (SIEM) software, allowing rules to be defined once and applied consistently across all environments.
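The pre-upload tokenization and DLP check described in the two paragraphs above, as an added example (not code from the original article or from any CASB product): a DLP scan finds Social Security numbers in a document, and each one is replaced by a token derived with a company-held key before the file leaves the network, so the cloud copy never contains the real value. The key constant and the sample document are constructed for the example; a real deployment would pull the key from the company's own KMS or HSM.

```python
import hashlib
import hmac
import re

# US SSN with separators; the negative lookahead rejects area numbers that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-\d{2}-\d{4}\b")

# Tokenization key held by the company, not the cloud provider. An assumed constant here;
# in practice it would be fetched from your own KMS or HSM.
TOKEN_KEY = b"example-company-managed-key-not-for-production"

class TokenVault:
    """On-premises token -> SSN mapping; only the tokens are ever uploaded."""
    def __init__(self, key):
        self._key = key
        self._store = {}

    def tokenize(self, ssn):
        # Keyed HMAC: deterministic (same SSN -> same token) but not reversible without the vault
        digest = hmac.new(self._key, ssn.encode(), hashlib.sha256).hexdigest()
        token = "SSN-TOK-" + digest[:16]
        self._store[token] = ssn
        return token

    def detokenize(self, token):
        """Authorised, on-premises lookup of the original value."""
        return self._store.get(token)

def scan_for_ssn(text):
    """DLP check: list every SSN-looking value in the text."""
    return SSN_RE.findall(text)

def prepare_for_upload(text, vault):
    """Replace each SSN with a vault token; returns (sanitised text, tokens issued)."""
    tokens = []
    def repl(match):
        token = vault.tokenize(match.group(0))
        tokens.append(token)
        return token
    return SSN_RE.sub(repl, text), tokens

if __name__ == "__main__":
    # Constructed sample document
    doc = "Claim 4411 for Jane Doe, SSN 123-45-6789; phone 555-0100; test id 000-12-3456"
    vault = TokenVault(TOKEN_KEY)
    safe, issued = prepare_for_upload(doc, vault)
    print(safe, issued)
```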
Create Cloud Usage Policies and Educate Employees
Although encryption and CASBs are effective tools, defining cloud usage policies and educating employees is as important as implementing a technical solution. Require strong passwords for access to systems inside your network and define granular access controls — employees can’t share or expose data they can’t access.
Make sure that your company policies let employees know which data may be put in the cloud and which data may not be shared, as well as the steps they need to take to protect sensitive information when it is shared. Inform employees of the approved cloud services and block access to unapproved cloud providers.
Basic cybersecurity training, such as the importance of strong passwords and not falling for phishing scams, will help employees protect company information in the cloud. Employees should understand the risks of downloading files from the cloud over public Wi-Fi or to shared, public computers.