If you’re choosing a secure cloud storage provider to take care of your most sensitive documents, the safety of your files will naturally be your top priority. Any major platform offering encrypted cloud storage for businesses will claim to be secure — but scratch the surface, and you’ll find that not all cyber protection is created equal.
In this article, we’ll talk about the questions you need to ask to ensure your cloud storage really is secure, touch on how encrypted file sharing can differ between providers, and explain why data protection should go deeper than just two-factor authentication.
There are three main areas that you should investigate before choosing a provider:
A) How often does the provider provide updates to the service?
B) How mature is the provider’s information security management system?
C) How much control do you have over your data? How is your data encrypted?
Regular updates are vital for any secure cloud storage platform: not only to patch potential vulnerabilities but also to enhance user experience.
Most secure cloud storage providers will give you access to files via your desktop, mobile, and the web.
Luckily, you can use these desktop and mobile applications to check update release dates. You’ll find the information either in the App Store or Google Play listing, or in the timestamp of the application’s digital signature. The frequency of updates says a lot about the company behind the product and how dedicated it is to shipping new features or offering security fixes.
Security management maturity
Evaluating the maturity of a company’s security management processes can be a tricky business. Each organization is different and will need to put effort into different areas depending on its risk profile. For example, some companies may need to focus more on physical security, others on detecting internal threats, and others on preventing external cyber threats. Evaluating any information that a company has related to compliance, as well as checking for an ISO 27001 certificate, is a good start. Your security team should also understand the provider’s service and identify any risks that it could pose to your business.
By looking at your own organization’s needs, you should also be able to ensure your provider’s security system is mature and established enough to fulfill your requirements.
Every company is different and will need extra security in different areas depending on its risk profile. Some companies may need to focus more on physical security, some will need to look at detecting internal threats, while others will need to prevent attacks from external actors.
Before approaching a provider, you should have an idea of whether your company’s cloud or file sharing needs to meet certain regulations: for example, if it needs to be FINRA, GDPR, HIPAA, or ITAR compliant.
You should also know what kind of files you will be storing — whether you’ll be focused on sharing financial paperwork, storing legal documents, or managing human resource files — and how many people will have access to those files. Secure cloud storage for small businesses will look different from that at larger firms.
Once you have nailed down these requirements, you should also be able to visualize how secure cloud storage will slot into your daily workflows. At this stage, you should also be able to decide if you need a provider who can offer extra functions, such as the ability to send documents that need a digital online signature or create password-protected files.
The biggest question you need to ask your provider is who will see the data that you upload. All providers will claim to use some sort of encryption, usually 256-bit AES encryption, otherwise known as AES-256, but this is rarely the whole story.
Most platforms will use at-rest encryption: where your data cannot be read while stored on a data center hard drive, but where the provider itself will still have access to your files. For the highest level of security, you need to choose end-to-end encryption, which guarantees that not even the provider can access your documents. This end-to-end encrypted architecture is far more complex to implement, which means that it is a service that only a handful of providers, such as Tresorit, can offer.
One way to check whether a provider has end-to-end encryption is to see whether they offer a password reset feature. If they do, it means that your provider has access to your data and your organization’s confidential files.
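The difference between the two models, and why a provider-side password reset signals provider access, sketched as an added example (not code from Tresorit or any other provider). It assumes the simplest end-to-end design, in which the file key is derived directly from the password with scrypt and no recovery key is escrowed; all function names are hypothetical.

```javascript
// Added illustration: helper names and parameters are assumptions, not a provider's real design.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// AES-256-GCM helpers. Blob layout: 12-byte IV || 16-byte tag || ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const decipher = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// At-rest model: the provider generates and keeps the key; the password only gates login.
function atRestUpload(providerKey, file) {
  return { blob: seal(providerKey, file) };
}

// End-to-end model: the key is derived on the client; the server stores only salt and blob.
function e2eUpload(password, file) {
  const salt = randomBytes(16);
  return { salt, blob: seal(scryptSync(password, salt, 32), file) };
}
function e2eDownload(password, record) {
  return unseal(scryptSync(password, record.salt, 32), record.blob);
}

// Provider-side password reset: can the stored file still be opened afterwards?
function recoverAfterReset(model, record, providerKey, newPassword) {
  try {
    if (model === "at-rest") return unseal(providerKey, record.blob); // password never mattered
    return e2eDownload(newPassword, record); // new password derives a different key
  } catch {
    return null; // GCM tag check fails under the wrong key
  }
}

// Constructed sample data.
const file = Buffer.from("constructed sample: board minutes");
const providerKey = randomBytes(32);
const restRecord = atRestUpload(providerKey, file);
const e2eRecord = e2eUpload("original passphrase", file);
console.log("at-rest after reset:", recoverAfterReset("at-rest", restRecord, providerKey, "new passphrase")?.toString());
console.log("e2e after reset:    ", recoverAfterReset("e2e", e2eRecord, providerKey, "new passphrase"));
```

In the at-rest case the file comes back after the reset because the provider's own key opens it; in the end-to-end case the reset yields nothing, since the server never held a key that could.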
For more information, you can check out Tresorit’s complete guide here.