The cloud has been around for a while and is really starting to take off! Here are some thoughts on security that may be useful and help you get your head around your security exposure.
Originally presented to the Washoe County Bar Association April 12, 2012.
End User Devices
This is where most data security issues originate. Individuals do not have the resources, patience, time and focus to assess and counter all the vectors for loss. This area is the greatest threat. At the same time it is the area you have the greatest control over. Review the following recommendations and see if they apply to you:
Set a password or pattern lock on your computer, phone or tablet.
- Set the complexity with a mix of upper/lower case, numbers and/or symbols.
- Don't make it so complex it will annoy you out of using a password/pattern!
- Set the device to lock after a period of inactivity. A minute or two on a phone or tablet, 10 minutes or so on a computer.
- Use different passwords for different services.
- Change it periodically. Every 90 days or so, even if only changing 1 digit.
Setup systems to locate your devices if lost or stolen.
- Use iCloud's "Find my iPhone" tool. www.icloud.com.
- For Android www.avgmobilation.com -or- www.LocateMyDroid.com.
- Windows Mobile can be located using www.windowsphone.com.
Consider procedures and systems to lock or wipe your devices remotely.
- Supply employees a company phone or tablet. Personal devices used in the work place raise the issue of; can you reclaim or purge your data on a terminated employee's personal device?
- The web tools above allow the remote wipe of those devices.
- Likewise Microsoft Exchange Email Servers have built-in tools perform remote wipes.
Build a culture of privacy and confidentiality.
- Implement technology acceptable use policies.
- Have employees sign non-disclosure agreements.
Encrypt your device
- BitLocker is built into Windows 7 Ultimate and Enterprise Versions.
- PGP Whole Disk Encryption is for both Mac and Windows.
Phone encryption is an issue fairly well handled in this PCWorld article:
Share files using an online service that offers encryption, both in transit and when stored online.
Keep your anti-virus up to date.
- Anti-virus is not perfect, but even if it can't remove a virus, it may still alert you that it is there.
- www.avg.com offers a free version for home and personal use. If you are using it for the office, please spring for the business edition!
Again your risk of data being compromised it fairly low in transit. The prevalence of data encryption is high. If data is sniffed (electronic eavesdropping) in transit, it is often due to poor practices on either the Cloud end, or more often the user side. The major risk in Transit is outages. Think of a road crew digging through your phone lines.
Questions to ask:
- Is your data encrypted from your device to the Cloud?
- Can you encrypt your data before you send it?
- Are their multiple paths for data to your company? E.g. Telephone, cable, and/or wireless?
- Do you applications cache a copy of data locally, or are you dead in the water without a connection?
Cloud providers are generally secure, and the risk to your data is low to moderate. They tend to be larger and have significant resources to protect your data. They have the policies and procedures in place to build a culture of professionalism, and by extension, security. While they are generally hard to crack, it still happens, and when it does the number affected can be in the thousands or even millions.
Questions to ask...
Regarding loss -
- What is the provider's backup and retention policy? E.g. If you delete or damage a file, will they have a copy from yesterday, a week ago, a month ago?
- Is data replicated to multiple locations?
Regarding improper access -
- What security precautions do they have in place to prevent improper access?
- Is data encrypted using a key or password you supply? Then it is likely they cannot read you data.
- What physical security do they have?
- What are your rights if your data is compromised?
- Will they notify you? How?
Regarding privacy -
- Is data encrypted using a key or password you supply? Then it is likely they cannot read your data.
- What is their policy on privacy?
- Do they mine your data? E.g. Google scans Gmail to place context sensitive ads alongside. Here's an entertaining take on Gmail http://www.youtube.com/watch?v=TDbrX5U75dk.
Ownership/Intellectual rights -
What rights do sites have to use your intellectual property? E.g. Photo sharing on Yahoo Groups grants Yahoo the rights to use, modify, reproduce, redistribute and publicly display them as Yahoo sees fit.
- Are they established? E.g. Amazon will have more resources to protect your data than a mom & pop business, and Amazon will most likely be around in 5, 10, 20 years.
- Are they reputable? E.g. Think AIG, established, but in the end not reputable.
- Are they regulated? E.g. The medical field has stringent security requirements with HIPAA. If you want to set up security in your business, HIPAA provides a stringent set of parameters you may want to start with, and work back from.