Data Security in the Cloud
A recent small business cloud computing survey from Microsoft found that a chief concern of potential SMB cloud customers is the security and privacy of their data. A full 70% of small businesses are concerned about where their data is stored. Just over half of all SMBs cite data privacy as a potential deal breaker for adopting cloud services. And only 36% of businesses think their data is as or more secure in the cloud than their current on premises solution.
Most data security and privacy concerns revolve around four general scenarios:
- Hackers compromising data center servers that contain customer or proprietary information.
- Hackers “sniffing” improperly secured network traffic.
- Data center employees accessing (and possibly sharing) confidential information, especially within a corporate espionage or financial cyber crime context.
- Employees losing improperly secured laptops or mobile devices with saved credentials for accessing cloud services.
Thankfully, simple and relatively inexpensive solutions exist for all of these concerns.
Local Data Encryption: Most cloud storage services offer end-to-end data encryption as a standard feature. Unfortunately, relying on a storage provider’s encryption could still leaves data vulnerable to data center employees or hackers who directly compromise the data center’s servers. The simplest method for cloud storage customers to ensure data security is locally encrypting files before uploading them to the cloud. Programs like BoxCryptor allow one-click encryption of individual files or folders.
Encrypted Backup Services: For customers who rely on the cloud for automated backup (without the hassle of individually encrypting files) a third party backup tool can provide an additional layer of security. For example, Duplicati will locally pre-encrypt all designated files using a single user-provided encryption key before automatically archiving and uploading data to a cloud storage provider of the customer’s choice.
Email Encryption: Companies that share confidential information via email should seriously consider PGP for Outlook or GnuPG for Thunderbird. These products encrypt individual email messages using 256-bit AES encryption. Users who prefer webmail can also use FireGPG for Mozilla Firefox to encrypt their email. Email messages encrypted with PGP or GnuPG require that message recipients know the sender’s unique encryption key to decrypt and read the contents of a message.
Third Party Services and Appliances: An entire industry has sprung up around data security in the cloud. Porticor is an example of one such company. The Israeli startup combines a virtual cloud appliance and key management service to securely encrypt data stored in the cloud for Microsoft and VMware cloud applications. Porticor enables companies to run applications in the cloud while keeping their data encrypted.
A number of third party apps, such as Lookout Mobile Security, also exist for locking or wiping mobile devices that may contain saved credentials for cloud services.
HTTPS vs. HTTP Web Services: Many websites offer both HTTP and HTTPS versions of their apps. HTTPS combines the standard HTTP web protocol with the SSL/TLS encryption protocol to provide secure end-to-end data transfer over the Internet. Users concerned with data security should select services which offer the much more secure HTTPS protocol.
When properly deployed, most of these solutions are all but foolproof, but they do require both employee training and commitment. For such security measures to be effective, businesses must invest time and effort into communicating the importance of data security and reinforcing standard security routines.
By Joseph Walker