
In September, the credit reporting company Equifax admitted to a huge security breach that exposed the sensitive information, including names, social security numbers, birth dates, credit card information, and addresses, of as many as 143 million Americans, along with an unspecified number of people in the UK and Canada. And the worst part of this breach is that many of those people did not even know they had a relationship with the company.

So how does such a breach happen?

According to Equifax, the breach occurred through a website app in the U.S., but the company has not elaborated further. Equifax maintains its data in the cloud, as most businesses do today. And yet, that did not protect this huge enterprise. It may not protect any business, actually, for there is always the type of risk that resulted in the Equifax breach.

Data Protection is Essential Today

In days gone by, companies maintained their data in-house, on their own systems. They assumed that their internal IT infrastructure, along with backups that were often stored off-site, would be sufficient.

So, if there was a “crash,” data would never be lost. These types of backup solutions were often expensive and complicated, and most lacked encryption.

Breaches can occur through something as simple as employee sloppiness. And then, of course, confidential data is exposed.

What Types of Data Need to Be Protected and Secured?

Depending on the business sector, there is a wide variety of data that should be protected and secured:

  • Obviously, e-commerce enterprises need to protect all of the personal and financial information of their customers.
  • All businesses need to protect and secure the personal information of their employees. This includes health information, according to HIPAA rules and regulations.
  • Health care providers must secure all patient information, again according to HIPAA regulations.
  • Often, companies have proprietary information that they must protect from breaches by competitors.
  • Contracts and financial/accounting data must often be kept confidential.

Enter the cloud – a method of protecting company data in a digital environment, usually through a hosting Software as a Service (SaaS) enterprise that promises data protection for businesses through a variety of measures that result in “cloud security.”

There are variations of cloud computing, including Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), but the overall concept remains the same.

What is Cloud Security?

The basic concept behind cloud services and security is that a hosting entity has a certain amount of secure storage space, and organizations can backup their data or house all of their critical and confidential data in that space through a contractual arrangement with that host, eliminating on-site, less secure storage.

The host, in turn, is responsible for securing data in the cloud, based upon the details of that arrangement. In this respect, cloud computing is a more secure method of data storage and protection, at least in principle.

The question becomes, is data security in the cloud foolproof? And the answer is “no,” given the data breaches that we have experienced in recent years. Protecting data in the cloud will mean that the CIO (Chief Information Officer) and/or the Chief Information Security Officer (CISO) will have to actively research and pursue the cloud data security that will be the best “fit” and meet their organization’s needs. It’s complicated.

Government Legislation and Regulation Further Complicate Security in Cloud Storage

Given the data breaches in recent years, governments have stepped in to set regulations for security and protection that impact cloud infrastructure and cloud applications.

The EU has adopted the General Data Protection Regulation (GDPR) providing a common set of rules for protecting personal data across the continent. Among some of its major provisions, the following are included:

  • Businesses must have privacy policies and the technology in place to protect the personal and financial data of individuals with whom they do business.
  • There are fines imposed for failure to comply with the regulations.
  • There are provisions for compliance reviews.
  • Companies must report data breaches within 72 hours of the event and then must notify all impacted individuals and develop plans to assist them should their information be compromised.
  • There are also regulations relating to the international transfer of personal data outside of the EU.

The impact of GDPR on businesses is this: they must demonstrate that they have the technology in place to protect personal information, whether that data is stored in-house or in the cloud. This obviously also impacts cloud storage providers, who must likewise demonstrate that they have security and protection technology in place.

In the U.S., regulations have not been as forthcoming. While the Consumer Protection Agency does have some measures in place, Congressional support has been lacking. The response has been to hold hearings after a data breach has occurred; holding enterprises accountable has not been notable.

The one area of strict personal data protection regulation has been healthcare providers, where HIPAA laws are strict and solidly enforced.

The onus and the responsibility for data protection lies squarely with businesses. Even if they do not face government compliance issues, they will face issues with their customers and clients. Once trust is lost, it is lost.

Best Practices/Strategies for Business to Protect Data in the Cloud

There are some key strategies that businesses can implement to ensure greater data security, as follows:

Carefully compare the differences between public cloud, private cloud, and hybrid cloud storage. You will find that different types of data will be better stored in these different options. There is a lot of information out there on these options, so study them before you choose where to house different types of data.

Check Out Reputations. Before you choose any cloud service, make sure that you have researched its track record. While cloud services use much of the same technology, some are not financially stable, and, if they go out of business, you could lose your data. It happened in 2014, when MegaCloud, an online storage solution, went out of business with no explanation.

Two-Step Authentication is Important. Most major cloud services offer this, and it does provide an additional layer of security. If attackers obtain your password, they still will not have the second factor needed to get in.

Always Use Third-Party Encryption for Transport. Data storage enterprises encrypt the data they store, but when your data is in transit to them, it is at risk. There are plenty of solid third-party encryption programs. It’s worth it.

Make Challenge Questions Unique and Uncommon. Do not pick generic challenge questions; they are too easy for attackers to guess. Choose obscure questions, or give nonsense answers to the generic questions.

Pick The Right Tools. In a recent survey of businesses that were using cloud storage, 60% stated they used VPN connections; only 34%, however, stated they were encrypting data at rest or using cloud firewalls.

Control Devices. The growing “bring-your-own-device” trend creates a real risk of data breaches. When individuals are allowed to access cloud storage with their own devices, the chances of compromise increase. There must be procedures in place to limit and control this.

Cloud solutions for data storage represent a major improvement in security and protection of confidential data. Cloud security is essential to ensure business continuity and expansion.

But, ultimately, it is up to the individual enterprise to decide if such a deployment is right for them and, if so, to partner with expert consultants on cloud security and implementation.