Whether you’re a business with sensitive data that requires organization or an individual with an affinity for personal programs, avoiding “the cloud” seems nearly impossible these days. But using cloud security—a remote, Web-based data storage system—comes with just as many risks as it does benefits.
“You see it on the news every day: constant attacks on people’s networks and information systems,” said Lonny Anderson, chief information officer of the National Security Agency (NSA). After all, the No. 1 question their team gets about the system centers on whether the cloud is even safe.
Thus, taking an additional few simple steps can help minimize potential hacking, phishing and the like within the model.
Mesh your needs with your cloud provider’s
Neal Ziring, technical director of information assurance for the NSA, pointed out that making one’s security needs clear at the onset of a cloud computing contract is essential. Knowing who’s responsible for what, especially in the event of a hack, is equally important.
Breaking things down into two buckets—what you expect the cloud provider to do and what you still expect to do for yourself, and putting that in writing—may be the simplest way to go about dividing responsibility.
Being organized
In a cloud environment, being explicit about the rules of data can also help ensure safety, said David Hurry, the cloud strategist for the NSA. Tagging data that places it in context offers one way to keep information organized. Namely, recognizing that in a cloud system, organizing items not only based on their structure but also on their function is crucial.
Review your contract closely
What information gets logged and what doesn’t? How long is information retained? Who gets to share and see what data, including how passwords are protected? What protection is in place, and how is the person controlling those data being monitored? That’s just a handful of questions that should be answered in a cloud security contract. Having a crisis control plan of sorts for when a data breach may occur, and ensuring that notifications are made in a preset manner, is another area to consider, Anderson said.
Take hands-on steps to protect yourself
“For individual cloud users, most critical is practicing good security hygiene on the systems under your control and the cloud services you employ,” Ziring said.
Hurry added that encryption is only part of the larger security model that individuals and companies can use. “It (encryption) alone won’t be sufficient,” he said. “It offers strength, but it’s how you use it and where you put it and manage it that matters.”