Cloud Storage Security: How to Secure Your Data in the Cloud?
Cloud-based storage is convenient for many businesses. After all, cloud storage vendors offer unmatched operational agility, speed, efficiency, flexibility, and productivity in their services. But to enjoy these benefits without drawbacks, you always have to keep a simple rule of cloud storage security in mind. Choose your cloud provider carefully and consider security according to your industry, company size, actual business need, and local data privacy laws. These aspects will determine whether your cloud storage poses additional risks or becomes a powerful ally for your company and its partners.
One of the most critical aspects of cloud security is to ensure that only authorized personnel, such as you and your employees, have access to the documents and files stored in the cloud. Ultimately, the responsibility of securing your cloud is shared between you and the cloud storage provider. If you do plan to adopt cloud storage for your business, it is imperative that you take measures to protect your data through secure passwords, two-factor authentication, as well as limits and controls on access.
In the following article, we will collect essential cloud security concerns you have to deal with to retain complete control over your digital valuables, whether you choose virtualized cloud storage or store files in your own traditional data center. Also, we’ll list some best practices to improve cloud data security.
How secure is the cloud for your business?
Given the scalability, flexibility, speed, and cost savings compared to operating your own traditional data center, it's tempting to turn a blind eye to the true nature of public clouds. All their advantages and great value for money come from one fact: they are shared and dynamic environments based on virtualization technologies. This is an important concern to discuss in connection with cloud data security.
You need to know your rented storage runs on virtual machines, possibly in a public cloud, and the hardware is shared with many other customers. Cloud providers use sophisticated technology to dynamically allocate resources to you when you need them. The downside of this is that resources can come from any location across the globe, and you do not know where your data resides or what other company you share the same physical server with.
While choosing a public cloud provider can be excellent in some respects, there are specific industries where this setup is unacceptable. Problematic sectors are usually the ones with national security interests: healthcare, military, law enforcement, criminal justice. These are fields where knowing exactly where your sensitive information is stored (in the same country preferably) and, more importantly, having it encrypted, is crucial.
Generally, if your company needs to handle personal information (protected by GDPR), credit card data (protected by SOX), or healthcare information (protected under HIPAA), you must plan and think about what cloud service you are going to use and consider their security in advance.
First things first: what is cloud data security?
Like other fields of cybersecurity, data security in the cloud is a collection of various technologies, practices, and policies that protect data from unauthorized access and attacks and maintain its integrity. Cloud data security deals specifically with the challenges of safekeeping data that is remote from your data center or computer. Focus areas are protection against malware, DDoS attacks, data breaches, hacking or other threats, preventing data leaks in virtualized environments, disaster recovery, and business continuity. Cloud services are run by experts at the top of their game because they have to comply with demanding SLAs (service level agreements).
That all sounds good. So, your main concern should be whether your cloud vendor is trustworthy and transparent about their security. Understanding how cloud providers differ in security practices is crucial before signing any contract.
Why all companies must take cloud data privacy seriously
Cloud data privacy should be a core element of your cybersecurity. Regulations and customers alike hold your business accountable for the personal data you handle. How and where you store it and your security measures (encryption, masking, etc.) are scrutinized.
While cloud solutions are preferable for some companies because they seem to be the jackpot solution to comply with strict data policies, the reality is often quite the contrary.
Why? Simply because of the inherent nature of the public cloud: its dynamic and flexible approach towards the location of your data, which can easily become the source of cloud computing privacy concerns. As mentioned, your files in a public cloud could be anywhere on any server around the globe and are moved constantly between locations where there’s available free space at a given moment. This means your data could be zigzagging between different continents depending on free virtual server capacities. This might seem harmless, but in reality, it is a violation of HIPAA and the GDPR. For example, due to recent EU-US privacy shield issues, companies in the EU can no longer store personal information in the US.
In 2020, the EU Court of Justice (CJEU) declared the EU-US privacy shield invalid. As a result, personal data cannot be transferred from the EU and Switzerland to the US. Any European company that uses Microsoft 365, for example, was forced to react to this new cloud privacy requirement since all their data used within the service can end up on US servers. But regardless of industry, anyone who rents Infrastructure, Platforms, or Software as part of a virtual cloud service will be affected by data regulations.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) also sets out regulations that standardize how the personally identifiable information of patients has to be secured and maintained in hospitals. For cloud data privacy, this simply means that patient data cannot leave the organization without proper security measures.
The solution? Companies could choose cloud service providers who have data centers in a geographic location near where they are situated and choose private or virtual private cloud options. But such solutions come with added costs. Another option for smaller companies or even individuals is to safeguard their sensitive information with real end-to-end encryption solutions like those created by Tresorit.
Data integrity in cloud computing
While the main task with cloud data security is, in a nutshell, to safeguard your files from unauthorized access, data integrity in the cloud ensures that your data stays the same and does not get corrupted or altered. No matter how brilliant your services are, if you have no means to know whether data has been deleted or altered, or are clueless about how alterations took place and by whom, your security, auditability, and credibility are at risk.
This makes data integrity essential, particularly in the world of cloud services, where whole teams have the power to alter files simultaneously, and hackers could alter or inject your files with malware during transmission without your or your cloud storage provider's knowledge.
To ensure data integrity in the cloud, you must have the means to eliminate the most common data integrity threats.
These could be unintended loss or alteration during data transfer (authentication of client server, encryption, and decryption), human errors, faulty authorization concepts, network malfunction, or data breach from a hacker group.
As a solution, you should always make sure to have the source of your data validated. Scan to check whether your network or data has been corrupted. Where employees or customers can interact with your files, make every kind of alteration traceable and auditable. Access management should be based on separated roles and on the ‘need-to-know,’ ‘need-to-have’ principles. These, alongside constantly updated backups, can help you to cope with these challenges successfully.
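One way to make alteration or loss of cloud-stored files detectable, as an added example (not part of the original article or any vendor's code): a per-file SHA-256 manifest authenticated with an HMAC key that is kept locally. The function names, file names and file contents are constructed for illustration.

```javascript
const crypto = require("node:crypto");

const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest("hex");
const hmac = (key, text) => crypto.createHmac("sha256", key).update(text).digest();

// Before upload: record a SHA-256 digest per file and authenticate the list with
// an HMAC key that stays on your side, never next to the data in the cloud.
function buildManifest(files, key) {
  const body = JSON.stringify(Object.keys(files).sort().map((n) => [n, sha256(files[n])]));
  return { body, mac: hmac(key, body).toString("hex") };
}

// After download: verify the manifest itself first, then classify every difference.
function auditDownload(manifest, downloaded, key) {
  const report = { manifestValid: false, altered: [], missing: [], unexpected: [] };
  const claimed = Buffer.from(String(manifest.mac), "hex");
  const actual = hmac(key, manifest.body);
  if (claimed.length !== actual.length || !crypto.timingSafeEqual(claimed, actual)) {
    return report; // manifest was forged or damaged: trust nothing it says
  }
  report.manifestValid = true;
  const expected = new Map(JSON.parse(manifest.body));
  for (const [name, digest] of expected) {
    if (!Object.hasOwn(downloaded, name)) report.missing.push(name);
    else if (sha256(downloaded[name]) !== digest) report.altered.push(name);
  }
  for (const name of Object.keys(downloaded)) if (!expected.has(name)) report.unexpected.push(name);
  return report;
}

// Constructed sample data: three files uploaded, then one changed, one deleted
// and one added on the storage side.
function demoAudit() {
  const key = crypto.randomBytes(32);
  const uploaded = {
    "contract.pdf": Buffer.from("signed contract v1"),
    "ledger.csv": Buffer.from("2022-01-31,1000.00"),
    "notes.txt": Buffer.from("meeting notes"),
  };
  const manifest = buildManifest(uploaded, key);
  const downloaded = {
    "contract.pdf": Buffer.from("signed contract v1"),
    "ledger.csv": Buffer.from("2022-01-31,9000.00"),
    "extra.bin": Buffer.from("not ours"),
  };
  return auditDownload(manifest, downloaded, key);
}

console.log(demoAudit());
```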
Key components to improving cloud data protection
While all clouds are designed to cover various IT needs through virtualization of hosting storage, computation power, and work-related collaboration software – they can fundamentally vary in terms of their security levels. Reliability can vary based on how they’re connected to your company’s data center (internet or direct line) and the encryption methods they use during data transfers and at rest.
For improved cloud data protection, you should understand how different cloud categories work, what type of vulnerabilities they have, and how to handle them. Read our blog on the types of cloud service providers to learn more before checking the best practices for securing your data in the cloud.
How can you do more to protect data in the cloud?
Despite its complexity, some key components of cloud data security are worth keeping a close eye on.
- When it comes to geographical distance, a cloud provider that has data centers near you and allows you to explicitly choose where your data is stored is your safest option. This provides better business continuity, performance, trust, and legal security benefits.
- For the same reason, restrict, if possible, storage in countries where data regulations are not taken seriously by the government or that are known to lack security practices.
- Examine the connection type, gateway, and firewall services your cloud vendor provides. You should check for encryption technologies for data-at-rest and in-transit as well. Look out for keywords like AES encryption, SSL/TLS handshake, strict authentication and authorization methods, separation of roles, need-to-know basis, HTTPS. These are basic security measures and, if missing, should draw questions.
- Finally, if you want to protect your data, keep in mind end-to-end encryption (E2EE). With E2EE, you don't have to worry about your data, even if a security breach happens at your cloud provider. Every file you upload will stay encrypted.
How does cloud-based security work?
The role of cloud-based security services is to ensure that your information is safe and secured. Vendors restrict unwarranted access by providing encryption which ensures the security of the data stored in the cloud and offers various access controls. They also offer data recovery and backup options in case of any data loss.
In transit and at rest encryption
To implement data protection, data traffic is directed to the security cloud first, where it’s filtered before reaching the application system. During the transfer process, cloud storage vendors tend to utilize the TLS protocol to protect your files from eavesdropping. It uses a cipher, authentication, and key exchange to secure a connection.
Once the data gets out of this secure channel, it will be decrypted. Therefore, when your data arrives at the provider’s server, it can be accessed by a hacker or a rogue employee. It might be that the provider then re-encrypts your data before storing it on its disks; this is called at-rest encryption. However, as the service provider holds the encryption keys to your files, they, or anyone else who manages to get access to the keys, can decrypt your files.
There are many encryption algorithms ranging from the old DES to the newer AES. These encryption methods utilize complex algorithms to protect and conceal data. Cloud-based vendors use these methods to manage the identity of data and limit access from an unrecognized application that tries to access these encrypted files.
As you probably guessed, AES is the latest and most secure encryption algorithm. It provides several levels of security depending on the key length, which can be 128, 192, or 256 bits. As a matter of fact, 256-bit is the most secure in the market, and as far as we know, nobody has managed to crack it.
While most cloud providers only use encryption at rest, it’s only client-side encryption that can guarantee the confidentiality of your files. In the case of client-side or end-to-end encryption, encryption and decryption happen on the user’s device. Files uploaded to the cloud never get decrypted on the provider’s servers as they do not hold the encryption keys. This means that even if rogue employees or hackers manage to get access to the provider’s servers, they won’t be able to decrypt your files.
Zero-knowledge authentication prevents others from reading and viewing your data. As a matter of fact, using this type of authentication provides you with a key access password. It means that the provider does not store encryption keys or user passwords in unencrypted or unhashed form. Therefore, it ensures that no one, not even the provider, can access your content.
The downside to this approach is that if you lose your password, it is permanently lost because the service provider can’t reset it for you. To lessen the risk, it is best that you consider using a password manager. Regardless, don’t forget to create a strong password that you can remember.
Only a few cloud storage providers in the market, one of which is Tresorit, adopt zero-knowledge authentication methods as part of their security features.
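The difference between provider-held keys and client-side encryption described above, together with the lost-password downside, as an added Node.js example (not Tresorit's implementation and not code from the original article). It assumes one scrypt-derived key per file and AES-256-GCM; real services use their own key hierarchies, and all names and sample values here are constructed.

```javascript
const crypto = require("node:crypto");

// Derive a 256-bit key from the password on the user's device. The scrypt cost
// parameters are illustrative assumptions, not a recommendation from the article.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Client side, before upload. The returned record is all the provider stores:
// no password, no key, no plaintext.
function encryptForUpload(password, fileId, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // 96-bit GCM nonce, fresh for every file
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), nonce);
  cipher.setAAD(Buffer.from(fileId)); // bind the ciphertext to this file id
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { fileId, salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Client side, after download. Returns null when the password is wrong or the
// stored record was modified; GCM authentication fails in both cases.
function decryptAfterDownload(password, record) {
  try {
    const key = deriveKey(password, record.salt);
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, record.nonce);
    decipher.setAAD(Buffer.from(record.fileId));
    decipher.setAuthTag(record.tag);
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  } catch {
    return null;
  }
}

// Constructed sample: what the owner, a password guesser and someone who edited
// the stored bytes each get back.
function demoClientSide() {
  const secret = Buffer.from("payroll Q1: constructed sample content");
  const stored = encryptForUpload("correct horse battery staple", "file-001", secret);
  const flipped = { ...stored, ciphertext: Buffer.from(stored.ciphertext) };
  flipped.ciphertext[0] ^= 0x01;
  return {
    owner: decryptAfterDownload("correct horse battery staple", stored)?.toString(),
    wrongPassword: decryptAfterDownload("Password123", stored),
    tamperedRecord: decryptAfterDownload("correct horse battery staple", flipped),
    providerSeesPlaintext: stored.ciphertext.includes(secret.subarray(0, 7)),
  };
}

console.log(demoClientSide());
```

Because nothing in the stored record lets the provider re-derive the key, a forgotten password leaves the file undecryptable, which is the trade-off the text describes.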
Two-factor authentication is an extra layer of security that prevents troublesome hackers from stealing your credentials. When you utilize two-factor authentication, the tool will make sure you enter a code after you log in with your password.
There are several ways to get the code. You can get it via email, phone call, or SMS, use a local mobile app, or even a physical token. This method complicates the hacking process, as attackers need another verification code to actually access your account.
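How a code from a mobile app or hardware token is typically checked on the server, as an added example that is not part of the original article: time-based one-time passwords per RFC 6238, with a clock-drift window and replay rejection. The 30-second step, 6-digit length and function names are assumptions; the secret is the published RFC 6238 test value.

```javascript
const crypto = require("node:crypto");

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const value = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(value % 10 ** digits).padStart(digits, "0");
}

// TOTP (RFC 6238): HOTP where the counter is the number of elapsed time steps.
function totp(secret, unixTime, digits = 6, step = 30) {
  return hotp(secret, Math.floor(unixTime / step), digits);
}

// Server-side check after the password step: tolerate `drift` steps of clock
// skew, compare in constant time, and never accept the same time step twice.
function verifyTotp(secret, code, unixTime, state, drift = 1, step = 30) {
  const current = Math.floor(unixTime / step);
  const given = Buffer.from(String(code));
  for (let c = Math.max(0, current - drift); c <= current + drift; c++) {
    if (c <= state.lastCounter) continue; // already used: replayed code
    const expected = Buffer.from(hotp(secret, c));
    if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) {
      state.lastCounter = c; // remember the step so the code cannot be reused
      return true;
    }
  }
  return false;
}

// Constructed sample using the shared secret from the RFC 6238 test vectors.
function demoTotp() {
  const secret = Buffer.from("12345678901234567890");
  const state = { lastCounter: -1 };
  const code = totp(secret, 59);
  return {
    code,
    firstUse: verifyTotp(secret, code, 59, state),
    replay: verifyTotp(secret, code, 61, state),
    stale: verifyTotp(secret, code, 59 + 90, { lastCounter: -1 }),
  };
}

console.log(demoTotp());
```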
Most cloud storage vendors allow you to share your data with others by generating links to folders or files or by sending a collaboration invitation to others. With that being said, one of the main benefits of using cloud storage is the ability to share while restricting and controlling your shared content.
There are many ways you can properly control your content. You can implement folder permissions, expiry dates, password-protected links, and much more.
A ransomware attack can cause serious harm to your business. It is a type of malware attack created by hackers to search for your sensitive data and encrypt it. Hackers will demand a ransom for the key to decrypt your files. Hence, it is best to work with cloud storage vendors that offer ransomware protection services or perform well against such attacks.
Most cloud storage vendors offer versioning solutions to fight ransomware. However, the implementation of this solution is different according to each cloud storage vendor. For example, some offer unlimited versioning, while most usually provide 15 or 30 days.
Insufficient protection of your data in the cloud can cause significant harm to your business. If you’re looking to move to the cloud or already keep your documents there, think of how you can secure your data by researching and comparing the different security promises of cloud vendors.
Lastly, here are some handy tips to keep in mind when it comes to securing your data in the cloud:
- See to it that the cloud storage provider has convincing security policies in place. We can’t emphasize this enough. You need to do your research by reading their security policies.
- Browse the user agreement thoroughly to find out how your cloud storage service works. After all, you’re going to put your important data in storage, so it is imperative that you read the fine print. If you don’t understand or have questions, don’t be afraid to contact customer service.
- Stay up to date with useful security guidelines and best practices recommended by the Cloud Security Alliance. It is a not-for-profit organization on a mission to “promote the use of best practices for providing security assurance within Cloud Computing.”
- Create a robust and secure password that you will remember. Most of the time, loopholes are created by users themselves. One weak password can wreck your company.
If you can implement these tips as a part of your cloud protection approach and strategy, you are well on your way to securing your data in cloud storage. After all, cloud security is not a trivial matter. It is time to get your cloud security in order.
This post is an updated and expanded version of the original which was published on June 25, 2019. The last update was completed on February 2, 2022, by the Tresorit Team.