1. Availability
First, check with your cloud provider just where your data will be held. Leviathan found that many cloud providers operate only a single data center, meaning they lack redundancy and are highly vulnerable to physical disruptions.
From Hurricane Katrina to the explosion of a Shaw Communications building in 2012, there are numerous examples of data centers being compromised by unexpected events. Indeed, the Leviathan paper points to examples of entire countries being taken offline, such as when a 2008 Suez Canal accident caused widespread outages in Pakistan, Egypt, India, Kuwait, Lebanon and elsewhere.
The message is clear: businesses must use providers that offer geographic redundancy, with data hosted by centers in different regions, “ensuring that data is replicated not just across a city, but across a continent or an ocean.”
2. Staffing
Cybersecurity experts are hard to find. Leviathan notes that globally, there are over one million cybersecurity positions unfilled (defined as being vacant for over one month). This means security staff are hard to find, and expensive to hire. A better solution is to use a cloud provider with a dedicated team.
Indeed, this is often a key selling point: cloud providers employ teams of experts with up-to-date skills, not to mention state-of-the-art security systems that would only be economically viable for the largest organisations.
There may be certain skills, functions or tasks you want to keep in-house, for regulatory or other reasons, but even if you only use cloud providers for non-sensitive data and tasks, they provide a level of security expertise that’s hard to match.
3. Vulnerability management
No system can or will ever be completely secure and Leviathan emphasizes that, as high-profile attacks on both online and physical retailers and service providers have shown, cloud-based storage is not immune to the threat of cyber-crimes.
We know that criminals are always probing networks, websites and applications, looking for vulnerabilities they can exploit. This is where patch management, intrusion detection and protection systems, firewalls, sniffers and more – the full array of security technology – comes in to play.
But as any security expert will tell you, system maintenance is a vital link in the chain. Regardless of the solution you choose, you need to consider how vigilantly your network is maintained, considering security patching and updates, perimeter rule changes, and preventative measures such as intrusion detection systems. It’s a constant battle; as the Leviathan report states, “the defence, like the adversary, must be continuous, growing, and tireless; anything less will not suffice.”
Other considerations
Of course, there are other factors which affect data security. User security – including passwords, biometrics and other authentication measures – is vital, as even the best security systems can be rendered powerless by careless users and poor policies.
There’s a constant interplay between all elements of your security regime. No single system or procedure can provide full security for your users and data, but there’s no doubt that ensuring your data is hosted in multiple secure locations, maintained by expert staff and protected from would-be thieves is vital. So, play it smart – find a cloud provider that can demonstrate its availability, staffing and vulnerability management credentials. Combine this with good internal procedures and technology and you’ll have the security of knowing you’ve done all you can to keep your business safe.