For businesses, cloud services are kind of like clouds. At their best, they can be soothing and expansive. But for companies that fail to appreciate the security implications, their ethereal presence may hide dangerous storms within.
 
As cloud computing has become business as usual for many businesses, frequent news reports about data breaches and other missteps should make companies think carefully about how they secure their data. The Federal Trade Commission has six tips for businesses about making their use of cloud services safer – both for the company and for the consumers who rely on it to safeguard their information.

 

1. Take advantage of the security features offered by cloud service companies. Cloud providers offer detailed guidance about their security controls and how to set up their services in a more secure fashion. But it’s up to the business to understand the options and configure those settings in the way best suited to the business.
 
Keep in mind that it’s not a matter of a simple on-and-off switch. Configuring one’s cloud security requires making thoughtful decisions that align with the sensitivity of the stored data and how it is used. In addition, think carefully about who at the company needs what data.
 
Unless employees have a legitimate business reason, they shouldn’t have access to the cloud resources. Require multi-factor authentication and strong passwords to protect against the risk of unauthorized access. Furthermore, never hard code passwords in cloud-based applications or source code. That might save steps, but it’s the business equivalent of a "Hack me!" sign.

 

2. Take regular inventories of what is kept in the cloud.  Some companies’ cloud storage resembles a forgotten attic overdue for a spring cleaning. Whether data is stored in the cloud, on the company’s network, or in a file cabinet, data can’t be kept safe if its whereabouts is not known. That’s why up-to-date inventories are essential to data management. Many cloud services provide tools — for example, dashboards or management consoles — for just that purpose. But don’t just set it and forget it. In addition to staying on top of where data is, make sure that security configurations and access rights remain consistent with the sensitivity of what is stored.
 
As data that may require more protection is added, re-evaluate the company’s security settings and amp them up accordingly. Also, don’t take anything on faith. Actively test for misconfigurations or other security failings that could compromise the data, and maintain robust log files to continuously monitor the cloud repositories. Reports are common about sensitive data stored in a cloud repository that winds up on the internet, and no one wants their company name in the next headline.

 

3. Don’t store personal information when it’s not necessary.  One upside of cloud storage is that it’s often less expensive than other methods. But as people with big basements can attest, the list of things deemed "essential" tends to expand in direct proportion to how much storage space is available.
 
As an inventory is conducted of what is kept in the cloud, resist the temptation to hold on to data "just because." Instead, be ruthless in posing the question, "Do we have a legitimate need to store this information?" If the answer is no, dispose of it securely. No one can breach what isn’t there.

 

4. Consider encrypting rarely used data.  "There’s some information I don’t have to access regularly – back-ups, for example – but I do need to retain it." As part of a defense-in-depth approach to security, consider whether to encrypt that data at rest. Indeed, if the data contains sensitive information, encrypting that data is a basic principle of security regardless of where it’s stored.

 

5.  Pay attention to credible warnings.  Some cloud providers offer automated tools to remind a company about cloud repositories that are open to the internet. Others may contact customers with warnings like that. In other instances, security researchers may contact companies when they find exposed data online. If such a warning is received, pay attention. Investigate the company’s cloud repositories and recheck the security settings.

 

6. Security is the company’s responsibility. Using cloud services doesn’t mean security can be outsourced. Throughout the lifecycle of data in the company’s possession, security remains its responsibility. Even if a cloud provider’s security tools are relied upon, a written data security program should lay out the company’s process for securing consumers’ personal information, and for company staffers knowledgeable about maintaining, monitoring, testing, and updating that program. Yes, cloud contracts should be reviewed carefully to spell out the company’s expectations and clearly establish who is primarily in charge of what. But keep in mind that if it’s the company’s data, it’s ultimately the company’s responsibility.