Many organizations question the security of information kept in the cloud. The internet can be a dangerous place for data, but no more so than your own computer, where your data faces many of the same threats—in fact, a good cloud storage vendor is likely to protect your data better than you’d reasonably be able to do on your own. With a little planning, it’s possible to take advantage of the benefits offered by the cloud while making sure your organization’s data is as safe as is practically possible.
The first step is to define what data security means to your organization—what you want to keep safe—and then identify the threats facing it to assess both the level of protection you’ll need and the assurances you’ll want from your vendors. This will involve some due diligence on your part, but don’t worry. You won’t have to reinvent the wheel. Thanks to existing standards and third party verification, you’ll just have to do a little homework.
Information security comprises three simple ideas: confidentiality, which refers to the prevention of unauthorized access to data and systems; integrity, which means protecting data from unintended change; and availability, which is the accessibility of your data, because secure information is useless if you can’t get to it when you need it. A good solution for keeping your data safe in the cloud will address all three.
What are the risks to your data? Computers and the information they store and process are vulnerable to myriad threats. Hackers and viruses are the obvious ones, but a rat feasting on server cables can also wreak havoc—and so can an employee who accidentally deletes a critical file. A comprehensive list would fill volumes, but a few common risks include the following:
- Environmental threats. Severe weather can cause outages or knock servers offline. Downed lines from a freak autumn snow storm last year left millions in the Northeast without power for several days.
- Unauthorized users. Firewalls and intrusion-detection systems can protect outside users from changing your data or accessing confidential information like human resources and payroll, but the largest risks often come from an organization’s own employees.
- Technical failures. Damage to the equipment that stores, processes and transmits information can range from someone tripping over and disconnecting a cable to a catastrophic server crash.
- Malicious software. All computers, especially those connected to the internet, are vulnerable to attacks, viruses, worms, Trojans and other malware that can exploit weaknesses and damage data.
None of these threats is unique to the cloud. In fact, a good cloud storage vendor will provide far better security than you’re likely to have in-house. The key to keeping your data safe is to ensure that the appropriate protections are in place, and then verify that they are properly maintained.
Selecting a Vendor
When considering data storage vendors, asking the right questions can help ensure the safety and security of your information. But you don’t need to learn a new language of technical jargon or personally inspect a company’s data center to verify that all advertised security measures are truly in place. Cloud vendors, particularly those who support corporate clients as well as nonprofits, are increasingly subjecting themselves to independent audits to address both customer concerns and regulatory requirements. A successful audit serves as validation of due diligence in protecting their customers’ information security interests.
But it’s helpful to know more about the criteria such audits look for, as well as specific questions you can ask of vendors to address your own concerns.
First and foremost, vendors should assure you that they’re protecting your data from loss. Where and how is data stored and backed up, and what are their plans for maintaining system availability in the event of a disaster? What happens if the data center catches fire? How often are backup and recovery plans tested? An untested plan is as good as no plan at all.
Sometimes we’re the biggest threat to our own data—will you be able to retrieve your budget spreadsheet if you accidentally save over it? Make sure your vendor provides access to several versions of your files.
In addition to loss, your data should be guarded from unwanted access. Devices like firewalls and intrusion detection systems can make it difficult for a hacker to steal your donors’ credit card information over the Internet, for example. But since they can’t protect against an unauthorized person walking out of the data center with backup tapes containing your information, ask your vendor how they control physical entry to their data centers. This should include limiting and monitoring their own employees’ access to your data—and, if the information you store is particularly sensitive, consider asking about encryption options.
You’ll also want to determine how much control you’ll have over your own employees’ data access. Internal users have unique opportunity to damage your data, intentionally or otherwise. Make sure you can assign access privileges to your staff.
Because data is portable—when your grants administrator works from home, for example, your data travels to and from her computer—your vendor should also take steps to protect it in transit. This is almost always achieved through encryption, which you can check from your web browser by looking for two things: a URL that begins with “HTTPS,” and web browser security icon.
A good vendor will be able to address your questions to your satisfaction. But if your needs are not unique, you can save yourself some work by selecting a vendor that’s achieved third-party verification. Many Certified Public Accounting firms perform SAS70 or SSAE16 audits, which examine a vendor’s controls and processes to ensure they comply with regulatory standards for securely handling, storing and transmitting data.
Is your organization subject to rigorous external requirements or certifications for data security, like the Health Insurance Portability and Accountability Act, or HIPAA, which includes provisions for the handling and protection of private information? Selecting a qualified vendor offers a means of outsourcing data security to meet such requirements for far less effort than it would take to get certified on your own.
Organizations that accept donations or payments online via credit cards are particularly vulnerable to information and identity theft. Compliance with Payment Card Industry Security Standards (PCI DSS) are an assurance that your cloud donor management or online payment processing vendor has taken the appropriate steps to minimize the risk of credit card fraud.
As computing grows increasingly internet-dependent, it’s become more and more difficult to avoid the threats facing your data, regardless of where you store it. While cloud computing offers a number of compelling advantages for organizations, it’s not without risk. The best way to reap the benefits while still protecting your organization’s data is to stay informed, ask the right questions, and take steps to assure yourself of its safety and security by choosing the right vendor to entrust it to.
This article originally ran in a different version in the March 1 issue of The NonProfit Times.