This post was originally published on The TechSoup Blog.
Cloud-based applications and services are super convenient. After all, they let you work from practically anywhere using almost any device, and they make it easy to collaborate with coworkers. But before you take the leap, you need to think long and hard about the security and data privacy implications that go along with cloud services.
Before You Move to the Cloud
Deciding to move to the cloud is the easy part; the hard part is actually doing it. Here are a few things to keep in mind as you weigh your options.
1. Consider If You Can Do It Yourself (and If You Should)
In some cases, you can host certain cloud services yourself. For example, you can use SharePoint to host and share files instead of going with a third-party cloud storage provider like Box. But should you?
A lot depends on your technological resources. If you’re a large organization with plenty of technical resources and expertise, you may be able to manage a self-hosted cloud service. But for many small to medium-sized organizations, a third-party provider may be the way to go. After all, companies like Box, Dropbox, and so on have an entire staff and significant financial resources dedicated to keeping your data secure and protecting against data loss.
2. Research a Cloud Service’s Security Credentials and Record
Any time you place data on a server online, there’s some risk involved. And although most major cloud service providers do a reasonably good job of encrypting data, you’ll still want to research a provider’s security credentials and infrastructure to get a better idea of the steps they are taking to protect your sensitive information.
Does the provider use strong AES 256-bit encryption? Are account login and password details protected in such a way that if a would-be hacker got that information, it would be unusable? Does the provider have a history of major security breaches or missteps? How is the provider protecting data against state-sponsored hackers? These are just a few of the questions you should keep in mind when searching for a cloud service provider.
3. Find Out Who Owns Data You Upload — and Who Can Access It
Some providers do a better job at disclosing data ownership than others. In the case of Microsoft Office 365, it’s as clear as day. According to Microsoft, “You own your data and retain all rights, title, and interest in the data you store with Office 365.”
If you do not retain full ownership of any data you upload to a cloud service, or if company employees are permitted to access your data, you might want to look elsewhere. Along the same lines, if a company tries to obfuscate data ownership rights, its cloud service may not be the one for you.
4. Keep Regulatory Requirements in Mind
In some cases, you may have to conform to certain regulations pertaining to data privacy, security, and residency (HIPAA is one such example). Before you choose a cloud provider, you’ll want to check to see what regulations apply to you. Figure out whether you can use a given provider or service while still conforming to applicable laws and regulations.
Once You Make the Move
Once you move to the cloud, you still need to stay vigilant to make sure your data stays secure. Here are a few steps to take to make sure the wrong people don’t access it.
5. Avoid Sharing Accounts Whenever Possible
Sharing accounts might be convenient, and it might save you on licensing fees, but doing so can be a security liability. A jilted former employee could use a shared account to steal proprietary information. A former employee could still have shared login information stored on a laptop that gets stolen.
To guard against these sorts of scenarios, give each of your employees their own accounts with appropriate permission levels; be sure to deactivate those accounts when employees leave your organization.
6. Practice Good Login Security
Passwords are often the weakest link in data security. After all, the best security in the world is useless if a nefarious actor guesses your password. With that in mind, you’ll want to take steps to ensure that your staff members use strong passwords. Using a mnemonic device or passphrase is one way you can create strong passwords that you can actually remember.
In addition, use two-step authentication whenever possible. With two-step authentication (also often known as two-factor authentication), in addition to typing your password, you must also enter a unique one-time-use access code. These codes are usually sent your way via text message, but some services let you receive them via phone call or a smartphone app.
7. Keep an Eye on Who Has Access to What
The biggest threats to your data aren’t always from cybercriminals and other intruders; sometimes, they come from within an organization. With that in mind, tighten up your permissions so only the people who need to access certain pieces of data can access them. For example, your entire staff likely does not need full access to your organization’s donor or customer database. Instead, grant access only to those who need it to do their job.
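As an added example (not part of the original post), here is a short Python audit that checks tips 5 through 7 together against a list of enabled accounts. The column names, the `donor_db` and `fundraising` groups, and the sample rows are constructed assumptions, not any provider's real export format.

```python
import csv
import io

# Constructed sample of ENABLED accounts; column names are assumptions,
# not any cloud provider's real export format.
SAMPLE_EXPORT = """account,assigned_to,employment,two_step,groups
asmith,Alice Smith,active,yes,staff;donor_db
bjones,Bob Jones,departed,yes,staff
frontdesk,Carol Diaz|Dan Lee,active,no,staff;donor_db
cdiaz,Carol Diaz,active,no,staff
dlee,Dan Lee,active,yes,staff;fundraising;donor_db
"""

# Assumption: only members of these groups need the donor database for their job.
GROUPS_NEEDING_DONOR_DB = {"fundraising"}


def audit_accounts(export_text):
    """Return {account: [findings]} for accounts that break tips 5-7."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        people = [p.strip() for p in row["assigned_to"].split("|") if p.strip()]
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        # Tip 5: one person per account, and no live accounts for former staff.
        if len(people) != 1:
            issues.append("shared account")
        if row["employment"].strip().lower() == "departed":
            issues.append("owner departed, deactivate")
        # Tip 6: every account should have two-step authentication enabled.
        if row["two_step"].strip().lower() != "yes":
            issues.append("two-step authentication off")
        # Tip 7: donor database access only where a job-related group justifies it.
        if "donor_db" in groups and not groups & GROUPS_NEEDING_DONOR_DB:
            issues.append("donor_db access without a role that needs it")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_accounts(SAMPLE_EXPORT).items():
        print(f"{account}: {'; '.join(issues)}")
```

Running a check like this on a schedule, against whatever user list your provider lets you export, turns the three tips into a recurring review rather than a one-time cleanup.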
8. Review Your Cloud Options and Security Practices Regularly!
Technology moves quickly, and so does cloud security. Always look for new ways to improve your cloud security practices and implement them as appropriate. A little vigilance and effort on your part can go a long way toward protecting your organization’s most valuable data.
Learn More About Security and Cloud Computing
- What Are the Benefits and Drawbacks of Cloud Computing? Cloud basics for nonprofits and libraries.
- 12 Tips to Being Safer Online: A printable PDF guide from TechSoup.
- How to Evaluate Cloud Security: What to consider when selecting a cloud vendor.