How to use the cloud safely – protecting information security in cloud applications

May 20, 2013  |  by Thomas  |  Blog, News

Cloud computing has become a central component of business technology. For small and midsized firms, using the cloud opens significant doors to productivity options they never had before. Although cloud applications like Office 365 make moving to the cloud a compelling choice for businesses, there are still important questions executives should address before leaping into a new production model, because the cloud introduces its own set of security concerns and training needs to the business world.

  1. Establish firm organizational policy on what types of documents can and cannot be stored in the cloud, and which cloud vendors these documents can be shared with. There are soft and hard ways to do this; I’ll give you an example from the two extremes:
    • A clear written policy is the bare minimum. Your company hiring documents should include information to end users about how not to use company data. If you don’t at the very least clearly define correct behavior, you have very little legal or ethical ground to defend yourself when an employee does something stupid.
    • Use process: There are technology tools to control information flow within your organization. For example, SharePoint allows you to clearly articulate companywide policies on accessing files. This gives users the ability to ‘check out’ documents they are working on, or lets admins establish version history so Fat Fingered Fred can’t save over your mission-critical Excel file.

      Another example: Exchange Online offers organization-wide compliance tools that can ensure emails are not inappropriately used (e.g., that documents with client SSNs aren’t sent out to competing firms).

      Whether you decide to build an idiot-proofed fortress or to just trust your employees and state it in the handbook, you should at least take a moment to think deliberately about why you are making that choice.

  2. No mixing work and personal, specifically:
    • Don’t store personal documents on your company cloud environment.
    • Don’t store company documents on the same SkyDrive or DropBox account you use for home.
    • Be cautious downloading company documents from the cloud on personal devices.
    • Check organizational policy on downloading personal documents at work.

    If your firm does have a BYOD (bring your own device) policy, the owner should review how they want to execute it with a consultant. For example, do your employees understand you have a legal right to wipe their personal data off their device if they have company data on it and misplace it? Are you as an employer comfortable doing this from an HR standpoint? (Leaving company data on a stolen device is not really an option, so make sure you are prepared for that scenario, as people do frequently lose phones and tablets.)

    If you or your employee is considering using a cloud service such as Dropbox or Google Docs to store company information, check with your IT office first. You should only use cloud vendors approved by your organization, as sensitive information may be more vulnerable in certain programs.

  3. Given how many things we use passwords for, it is tempting to reuse the same one over and over and over... don’t do it! If someone hacks your personal password, they could gain access to your company’s sensitive information. Create a unique password for each cloud account (and for that matter, all other accounts).

    I recognize this can get insane to deal with, so I would recommend looking into password management tools. If you use one, just make sure the main password to the manager is insanely secure. Otherwise you have just given any interested hacker a skeleton key to your life.

    To learn more, see our subsidiary EMRSoap’s post on creating secure passwords.

  4. Configure your cloud accounts so that, by default, they do not share any files or information with anyone your company IT hasn’t designated. You can always determine sharing individually on a case-by-case basis, but you don’t want to default to leaving your pants down.

    This is brought up because some services are secure by default (Office 365 is an example of one that errs on the side of caution), but other cloud products default to sharing or using your data (Gmail is a good example of one that defaults to sharing your data). That is, if you use Google Apps for your business accounts, which small firms do, take a deep breath and reconsider the logic of using a cloud service that makes its money by selling advertising and search data.

  5. Delete any unused cloud accounts or user accounts. There is no need to have extra access points waiting to be compromised. Similarly, remove access for any user who no longer needs specific information.
  6. Run up-to-date antivirus software, and make sure that it is set up to scan files before you download them from any public cloud sources. Even if you originally put that file there, someone else could have opened the file, exposed it to a virus, and then re-uploaded it, virus and all. Make sure that you don’t put your computer or network at risk. Default to scanning all files before you open them. (Note that this is primarily with regard to public cloud stores; your company’s internal cloud services may be reasonably safe. Then again, there are also firms where this is blatantly not true; you’ll know better than I do whether your IT department is on its game.)
    • Additional note: If you are the type of user who constantly gets frustrated with antivirus processes slowing down your CPU and you just turn the processes off, consider heuristic-based (behavior-based) antivirus options instead. These inherently require less processing, as they don’t endlessly cue off of a virus database for their process. ESET is a good example of a strong heuristic-based endpoint AV.
  7. Choose your cloud service based on your organizational needs. Some providers, like Office 365, are willing to extend an extra level of protection for clients subject to HIPAA compliance. This will vary from service to service, so know what your organization needs first, and choose a cloud service second.
  8. If your organization is considering moving to the cloud, contact Office 365 Advisors. We offer expert consulting and services regarding Office 365 migration, use, and security. Contact an Office 365 Advisors representative today for more information.
