Setting Your Policies for Cloud Storage and Sync Services
The benefits and risks of cloud services
Almost every organization with a significant amount of data entrusts some of it to the cloud. On-site systems for data require constant maintenance and upgrading. An unexpected server failure disrupts operations. Increased data requirements force the company to get more hardware. A cloud service handles the maintenance for a predictable monthly cost, and good services have redundant hardware that minimizes downtime.
At the same time, cloud usage involves some risks. These considerations apply not only to services that store data, but also to file syncing services. Even if data is only on the cloud server temporarily, many of the same considerations apply.
- Entrusting data to a service, with no fallback, can lead to catastrophic data loss if it ceases to be available.
- Handing data which someone else owns to a third-party service may violate contracts or legal requirements. There may be restrictions on what country information can be stored in, or the service may require certification.
- The uncoordinated proliferation of cloud usage by different departments may lead to redundant and inconsistent sets of data. Different cloud services may not hold the same types of information, and they could diverge over time. Besides, having two services to hold the same data is an unnecessary expense and takes more work.
- External and internal security risks could arise. A carelessly maintained service could be breached. Criminals using phishing and other techniques try to steal passwords. A poor setup of accounts may give access to employees who aren’t supposed to have it.
The limitations of free services
Free cloud services with good reputations may be a good choice for non-critical situations. However, they aren’t suited for highly sensitive data. They don’t give you a service level agreement (SLA), and they’re geared more toward ease of use than security. They can terminate or change their offerings without any obligation to you.
Without an SLA, a service isn’t suitable for situations that require formal guarantees. When a business receives a copy of a partner’s confidential data, it promises to protect its security and integrity. It can hand the data only to a cloud service that makes the same promise. The same applies to information that falls under regulations or standards such as PCI, HIPAA, or GDPR. The terms and conditions of free services usually say, in effect, “You can’t hold us responsible for anything bad.” Sensitive data should be entrusted to a cloud service only if it guarantees adequate protection in writing. Written, enforceable guarantees come only with paid services.
Drawing up a cloud policy
These are some provisions that you may want to include when creating a policy for cloud usage. Have a lawyer review your policy before putting it into effect.
- Cloud usage must comply with all applicable laws and regulations. When in doubt, employees should seek confirmation that there are no legal problems.
- The choice of vendors must follow any company-specific restrictions. The company might have a list of approved vendors or require that data be stored only in its home country. It may require specific contractual language.
- The handling of data belonging to others must follow the conditions set by the owner. Data from a business partner may come with handling requirements that limit or exclude the use of cloud services.
- Information sets must be assigned an appropriate level of sensitivity. A broad classification would include “public” (no restrictions on viewing needed), “confidential” (proprietary and requiring protection), and “sensitive” (requiring elevated protection). More levels can be assigned as necessary.
- Sensitive information must be strongly encrypted. Encryption is necessary both in transit and in storage. The policy should specify what constitutes acceptable encryption.
- Business units should first determine if a suitable service is already in use. If a department sets up a new service to do what another one is already doing, confusion will result. The two sets of information will have discrepancies. The company will be paying for two services, and employees will do twice as much work.
- Internal access should be restricted based on need. The principle of least privilege says that people should have data permissions only when their job functions require them. Employees who don’t need access shouldn’t get it, and those who only need to read data shouldn’t be able to alter it. This minimizes the damage that a compromised account will do.
- The consequences of non-compliance must be specified. A policy needs to be enforceable. Employees should know the consequences of being careless.
Employee education and awareness
No policy has any value if employees don’t know about it, or if they read it once and forget it. Training is necessary so that everyone who makes decisions understands the policy and the reasons for it. They need to understand what it means in practice. If they aren’t sure what to do, they should know whom to ask.
For most employees, the advice is basic but important. It amounts to “Don’t set up your own cloud accounts without talking to a supervisor.” People with decision-making authority need to understand the policy in more detail. They need the guidance to decide what services to use, whether something suitable is already in use, and how they should configure them.
The IT department should keep track of the cloud storage and file sync services the company is using and be ready to make recommendations. When everyone uses the cloud in a coordinated way, usage will be more secure, reliable, and economical than if everyone is making decisions in isolation.
White Mountain IT Services will help you to set up a cloud policy that will get you all these benefits. We’ll talk with you to understand what your needs are and base our recommendations on your requirements and budget. Contact us today to set up a consultation.