Staying Safe in the Cloud by Joe Gutierrez, Director of Information Technology
Posted on October 27, 2015 by Richard Berkowitz, JD, CPA
Businesses large and small are increasingly “moving to the cloud” to keep their data easily accessible while staying ahead of changing technologies. To be sure, this corporate refrain is nothing new, but many businesses making the transition lack a clear understanding of the risks and rewards they should consider before making the leap to the cloud.
What is the Cloud?
The cloud is a network of servers that allows users to store and access data and programs via the Internet rather than on a computer hard drive or servers physically located onsite in an office or home. The most recognizable cloud services are Apple iCloud, Google Drive and Microsoft 365, which allow users to store, back up and synchronize large amounts of data across all of their devices with the click of a button and without a significant investment in hardware to host their own data centers. Users pay for what they need, and the service providers take care of all matters relating to cloud administration, maintenance and updates.
Protecting Data from Dangers in and around the Cloud
Along with all of the conveniences of cloud computing, including improved cost efficiency, capacity, accessibility, backup and data recovery, comes a range of challenges. Foremost, the cloud environment lacks a comprehensive set of security standards, leaving businesses with the difficult decision to entrust their sensitive data to third-party providers that may or may not have adequate controls in place. To minimize their exposure to risks, businesses should first assess their own needs, compliance requirements and security protocols before taking steps to thoroughly investigate cloud providers. Key issues to consider include:
Data Location and Physical Security. Where is the data stored geographically? Is the data replicated outside the country? Does the provider have a backup plan in case of disaster or interruption in services?
User Access. How does the cloud provider manage user access? What redundant connectivity protocols are in place to ensure cloud services can continue operations in the event of an outage or disruption to the cloud infrastructure?
Digital Security. How and how often does the provider perform security testing? What encryption policies does the provider use to protect data, both in motion and at rest? How are encryption keys managed? What controls are in place to ensure customer data is hidden from a provider’s insiders and from its other customers?
Incident Management. Does the provider maintain logs of security attacks? What systems are in place to respond to security breaches and mitigate damages?
Compliance. Does the provider have experience meeting the unique data security and regulatory provisions of a particular business? Has the provider earned certification or completed a third-party audit of its claims? Do customers have a right to audit?
The Contract. Never sign an agreement before reading the contract terms, especially when considering that providers can limit their liability for any unauthorized access or use, corruption or loss of customer data. Moreover, businesses must vigilantly monitor their selected providers’ efforts to meet their service level agreements.
The decision to move to the cloud should not be made without careful assessment of the multitude of providers nor without consideration for a business’s own needs and risks. Malicious attacks are a real danger to data security. However, many of the most recent headline-making incidents did not involve the cloud but rather compromises made at the user level. Therefore, businesses must employ strong security measures at the enterprise level, including adoption of rigorous policies to educate all users within an organization and those that have access to its mission-critical data.
About the Author: Joe Gutierrez is the IT director of Berkowitz Pollack Brant Advisors and Accountants and a noted speaker on issues relating to data management and security within professional service firms. He can be reached at the CPA firm’s Miami office at (305) 379-7000 or via email at firstname.lastname@example.org.