Cloud software offers enormous benefits, from cost-effectiveness to remote access anytime, anywhere. However, these benefits can be a double-edged sword.
How can you ensure the confidentiality, integrity, and availability of your data in the cloud? Do your due diligence! In many cases, the cloud can offer the same or even better security and privacy than your on-site system—but you must plan ahead, and choose your provider carefully.
Before you begin…
Know What Data You’ll Store
What types of information will you store in the cloud? Will you be uploading client case details, personal information such as Social Security Numbers, tax returns or health information? Create a list of the kinds of data you’ll store in the cloud, and document what you will—and won’t—upload to your cloud repository. Madison Iler, director of advisory services for LMG Security, warns, “Watch out for ‘data creep.’ Over time, your organization may add new types of sensitive information to your cloud repository. It’s important to keep your list of data types updated.”
Understand Your Cybersecurity Requirements
Now that you know what data you’re uploading, look up requirements for securing it. This may include federal laws such as the HIPAA Security Rule (available at HHS.gov), state and local data breach notification laws, and any contractual obligations you have with clients. Pay attention to the definition of Personal Information (or similar) in any states where your clients may reside. If you serve clients in regulated industries, such as the financial sector, your clients may require you to adopt specific cybersecurity practices like multi-factor authentication.
Evaluate Cloud Providers
Once you’ve documented the types of data that you’ll store in the cloud, and researched your cybersecurity requirements, compare and evaluate cloud providers. When you talk to a cloud provider, make sure you’re speaking to a person familiar with their IT practices (not just a first-level sales representative). Remember, you are entrusting the provider with your sensitive data. If the provider will not answer your questions clearly or give you documentation, keep looking.
Here is a handy checklist of topics to include:
1. Access and Sharing
Who has access to your data in the cloud? This may include the cloud provider’s employees, third-party contractors, vendors and affiliates. Don’t assume that the provider won’t share your data with third parties. They may even analyze it and sell the results. Unless the provider’s terms of service say otherwise, assume that your data will be shared with anyone. Ask for documentation that the provider conducts background checks on staff or contractors with access to your sensitive materials.
How do you verify the identity of users who access your cloud portal? Ideally, make sure your cloud provider supports two-factor authentication. Remember, when your data is in the cloud, it can be accessed from anywhere. If you must rely on passwords alone, find out if the cloud provider can enforce minimum length and complexity requirements for your organization’s users. Ask about synchronizing passwords or other authentication with your existing infrastructure, to simplify things for your team.
Is your data encrypted “at rest” while it’s stored in the cloud? What about “in transit,” when it is sent over the Internet? If your data is encrypted at rest, find out who has access to the decryption keys. Make sure that the provider uses strong, well-known encryption algorithms and key lengths. If you’re not sure how to check, call an experienced cybersecurity practitioner for a quick answer.
Once you upload your data to the cloud, does the provider have legal rights to use it? Check the provider’s terms of service carefully to determine if they have any ownership or licensing rights. Also, make sure that if the terms of service change, you have a chance to review before giving up any rights.
Where is your data physically located? If it is in another country, this can have significant privacy and security implications. You may assume that your data is stored domestically, but providers frequently have servers around the world. Ask yourself: How do you know that your data isn’t physically stored on a computer sitting in a teenager’s living room in Brazil? This might seem like a silly question, but if you don’t have any documentation that says otherwise, you haven’t done your due diligence… yet!
Cloud providers frequently back up your data or replicate it to multiple servers. You may not always have access to these backups as a customer, but for security purposes, you should know if they exist, how they are secured and how long they are stored. Make sure you have a backup plan, and that you can get quick access to backups if you need them. Karen Sprenger, COO for LMG Security, advises, “Test the backups and the restore process regularly. If you aren’t testing, then you don’t really have backups.”
7. Monitoring and Logs
Who logged into your cloud portal, and when? What data was accessed? Ideally, your cloud provider should keep records and provide them for you to review, so you can make sure your data is not being misused. This is especially important for sensitive, regulated data such as health information or financial details. Find out what access records your provider maintains, how long they are stored (very important) and how you can get access to them on a regular basis.
8. Termination of Service
Make sure that you can export your data if you choose to switch providers, so you’re not stuck. If you do terminate the service, find out whether the provider securely deletes your data, or if not, how long it will be retained.
9. Security Assessments
Security is ultimately your responsibility. Find out if the cloud provider has regular cybersecurity assessments conducted by a third party. If so, how often? Request that the cloud provider share a summary report or a letter of attestation from the third party to verify that the testing occurred, that it was performed by a qualified vendor, and there are no critical or high-risk security issues. If the provider refuses, shop around! As a customer, you are entitled to see verification that the cloud provider is properly securing your sensitive data.
Make sure your cloud provider is willing to sign a contractual agreement that clearly states they will comply with the regulations that apply to you. Many cloud providers routinely sign agreements stating that they will comply with HIPAA, ISO 27001, NIST standards, PCI standards or other common regulations. Some even advertise that they will do this. Remember, if you’re uploading sensitive information to the cloud, you need to make sure your cloud provider is held to the same standards as your own organization.
11. Incident Response and Breaches
Data breaches happen. The question is, will you know about it before it hits the news? Find out whether your cloud provider will notify you in the event of a suspected or confirmed breach involving your data, and how quickly they will notify you. How will they communicate with your team in the event of a cybersecurity issue (email, phone, physical mail)? Who should you notify if you suspect an issue, and will they investigate?
Remember, your cloud provider’s responses represent a snapshot in time. Make sure you understand their contractual obligations to you, and how you will be notified of any changes in their cybersecurity or compliance practices. Conduct a formal risk assessment of any cloud service prior to use. Once you choose a cloud provider, review and revisit your cloud cybersecurity and compliance practices at least annually.
About the Author
Sherri Davidoff is the founder and CEO of LMG Security, a cybersecurity consulting, research and training firm in Missoula, Montana. She will be presenting at the ABA TECHSHOW on “Securing Client, Colleague and Co-Counsel Communications” and “Engaging 3rd Party Cybersecurity Services.” Contact Sherri on Twitter @SherriDavidoff or at firstname.lastname@example.org.