Q: How secure is my data in a cloud-based storage utility?
A: The short answer: It depends on you. If you use software-as-a-service providers such as Salesforce.com, Office 365 or Dropbox to store your documents in the cloud, those companies take a certain amount of responsibility for the security of the data they maintain on your behalf. What they don’t take responsibility for is your lack of company protocols regarding access to said files.
Hemma Prafullchandra, CTO and senior vice president of products for HyTrust, a Mountain View, Calif., startup that provides security and compliance software for the cloud, says most cloud-based applications use safeguards to protect how data is transferred to the servers in their physical data centers and to back up and recover data. But even the larger cloud-storage providers don’t require clients to use strong passwords that are reset every 90 days.
We asked Prafullchandra for more advice on keeping company data secure.
How do I know my business’s data will be safe once it’s uploaded to the cloud?
Choose a cloud service that provides data protection both in transit and when data is at rest—including during backups. Also, ask your provider if they have had any past or recent breaches, and if they have, what they did to avoid a repeat. Keep in mind that different safeguards such as encryption might be required for the type of data you transmit, process and/or store in the cloud.
OK, but how do I encrypt my data?
There are a number of applications available, but you want to use one that allows you to manage your own keys (strings of data required for encryption and decryption). The encryption algorithm used by the application to encrypt your data should use the Advanced Encryption Standard and have a minimum key length of 128 bits. While it may be easy to install and configure the application yourself, other solutions, such as the generic Enterprise Key Management solution, often require professional installation and integration with your applications.
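As an added illustration (not part of the original interview or any vendor's product), here is what "manage your own keys" looks like in code: the file is encrypted locally with AES before upload, so the storage provider only ever holds ciphertext. The function names are hypothetical, and the choice of AES in GCM mode and the nonce/tag/ciphertext layout are assumptions of this example; the article specifies only AES and a 128-bit minimum key length.

```javascript
const crypto = require('node:crypto');

// The key is generated and kept on your side (key store, KMS), never by the storage provider.
function generateKey(bits = 256) {
  if (![128, 192, 256].includes(bits)) throw new Error('AES keys are 128, 192 or 256 bits');
  return crypto.randomBytes(bits / 8);
}

// Output layout (an assumption of this example): 12-byte nonce | 16-byte auth tag | ciphertext.
function encryptForUpload(key, plaintext) {
  if (![16, 24, 32].includes(key.length)) throw new Error('key must be 128, 192 or 256 bits');
  const iv = crypto.randomBytes(12); // fresh nonce per file; never reuse one with the same key
  const cipher = crypto.createCipheriv(`aes-${key.length * 8}-gcm`, key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Throws if the blob was modified in storage or the key is not the one used to encrypt.
function decryptAfterDownload(key, blob) {
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const decipher = crypto.createDecipheriv(`aes-${key.length * 8}-gcm`, key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Helper: true if fn throws.
function rejects(fn) { try { fn(); return false; } catch { return true; } }

// Constructed sample document; in practice the blob is what gets uploaded.
function demo() {
  const key = generateKey(256);
  const doc = Buffer.from('Q3 customer list (constructed sample data)');
  const blob = encryptForUpload(key, doc);
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 1; // simulate a single bit changed at rest
  return {
    roundTrip: decryptAfterDownload(key, blob).equals(doc),
    tamperDetected: rejects(() => decryptAfterDownload(key, tampered)),
    wrongKeyRejected: rejects(() => decryptAfterDownload(generateKey(256), blob)),
    plaintextVisible: blob.includes(doc),
  };
}
console.log(demo());
```

Losing the key means losing the data, so the key needs its own backup and access controls, separate from the cloud account.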
How do I kick the tires of a potential cloud-storage provider?
In addition to asking about recent breaches, exercise the processes they have for password reset and recovery, data recovery and technical support. It’s just like your routine checks of your burglar or fire alarms—you want to test those capabilities to verify that the providers do what they claim.
Assuming I do all the above, what is the biggest remaining threat?
Be aware that your biggest threat may be from a malicious or disgruntled employee who is hellbent on stealing confidential or sensitive data—which is why your own in-house security and user account login and password management need to be tight. Be very cautious about and track who has access to what.