Is it safe to put data in the cloud and can it actually be safer than storing it on personal computers or on-premise business servers? Like all questions around risk, it depends.
Unless your company is hosting its own private cloud infrastructure, most cloud services are hosted publicly and are only accessible through the Internet, also a public place. From a security point of view, that means the same door that is open to services’ subscribers and users is also available (not open) to bad actors who are always trying to figure out a way to get through the door, undetected if possible. That is where the risk lies. If you store your data in any form on the cloud, is it safe there?
WHAT ARE THE RISKS?
The main risk is that the cloud company isn’t responsible: it leaves the door open, forgets that it left a spare key under the mat, or never puts any surveillance cameras in place. You get the idea. If a company doesn’t invest in security and doesn’t consider security part of its fabric, it will be more susceptible to attacks and will put your data at risk.
Let’s say the vendor does get breached and the bad actors get your data. What would they do with it? More often than not, they would try to sell it on the dark web to others who will use the information to phish your customers or employees or contribute to a broader database where people’s profiles are built up and sold. Once the information is out there, it can be used in all sorts of ways and there is no taking it back.
So if we assume that no company is perfect and every company will eventually get hacked, what is the effect of losing your data in that breach? Does it matter if the information gets out there? Have you compromised your customers’ personal information? For some companies, this is not even a discussion. For instance, a company that stores information about children in its database wouldn’t want to take that risk at all and might choose to protect the information on its own, in an environment where it has control.
THE BIG GUYS
There are a lot of cloud companies on the market. Most of them are very small and likely not well funded. That’s okay, but you need to understand what they are doing about securing your data. The bigger companies like Microsoft, Google and Amazon all provide many cloud services and invest heavily in security. They are also top-tier targets for attacks by hackers looking for notoriety. They also provide security services to their customers. One could argue that with these providers your data is safer than if you tried to secure it yourself. There is an element of truth in that, but it comes down to that risk assessment and what you are willing to invest in security. How comfortable are you with someone else handling your data, and what would happen if it did get out?
Doing it yourself has risks too. You will need the right skillset and experience to be sure you are doing your due diligence. It will require a security mindset that permeates all aspects of your business. Security done right requires a commitment. Quite frankly, it shouldn’t really even be a decision to make: every business connected to the Internet should be integrating a security mindset into its business. Unfortunately, this is the world we live in today. Bad actors don’t just go after big-name targets anymore. They look for vulnerabilities everywhere and don’t discriminate about who their targets are; they are just looking for any opportunity.
Let’s step away from the dystopian view of the cloud and look at the benefits. There are quite a few, starting with ease of use. You don’t have to set up a complicated storage system in-house or concern yourself with all the security mechanisms; it’s generally all taken care of, assuming the host is doing it right. You also get direct access to your data no matter where you are, which is quite valuable if you travel a lot, for instance, or work from home like many of us do these days. Many of these services also offer backups of your data, although you shouldn’t assume they do. For instance, Microsoft does not back up your OneDrive data or your Office data for you; that’s on you. Another benefit is that the bigger services, like Microsoft’s, can be set up to integrate with your corporate network. This allows you to combine your internal infrastructure with a cloud provider’s offerings.
Many providers also offer 24×7 support and let you control many aspects of their service through convenient web control panels. For non-storage cloud solutions, the benefits are endless if you consider the solutions that are industry-specific to your business. Not having to roll out your own systems can make the difference between growing your business or staying stagnant.
One more note on making that risk assessment. If you are in an industry that has compliance requirements, the cloud provider you choose, if any, may need some level of certification. For instance, if you handle credit card data, you may be required to be PCI compliant, and this will restrict where you can store certain types of data. If you are a Department of Defense contractor, you are going to need to comply with CMMC, which also has restrictions. Medical offices need to comply with HIPAA, and so on. The point is that your industry regulations need to be considered as part of your cloud decisions.
The decision to put your data in the cloud or not is an important one, but how you use the cloud is equally essential. Control what you can, such as passwords and the credibility of the site or platform you use, and ask questions to understand privacy and cybersecurity practices. If you decide you can trust the provider with your data, there are likely many benefits your business can realize once you have made that critical risk assessment.