Making the Leap to the Cloud: Is My Data Private and Secure? (Part 3 of 4)

October 25, 2013

In Part Two of this series we discussed the physical and electronic security that should be offered by your cloud computing provider’s data center. This week we focus on your organization’s role in protecting your data, and how you can work with your cloud computing provider to ensure they are meeting your data privacy and security needs.

WHAT’S YOUR ROLE IN CLOUD COMPUTING SECURITY?

As we’ve seen above, most cloud computing providers take extraordinary measures to keep your data safe on their end.

But the fact is, the biggest risk to your data comes from inside your organization, from misrouted data and other simple mistakes to outright data theft by employees.

Cloud computing offers much better protection from internal data loss than other communication methods because it gives you centralized control over your data. It’s much easier to establish and enforce policies for a cloud-based system than for the patchwork of email accounts, physical media, and thumb drives that usually results from on-site data storage. However, you are still responsible for establishing and implementing those policies effectively.

The tools you can use to manage access to data include:

• Administration modules – most applications have an administration module that allows a system administrator in your organization to grant user access rights and place restrictions on who can access which files and functions.

• Organization usage policies – usage policies are one of the most important tools you have for protecting your data. Can your employees access your systems in public locations where observers can view sensitive data? Can sensitive data be exported to unsecure media and distributed? Can sensitive data be emailed or transferred via unsecure methods?

Your cloud computing provider can work with you to establish good user policies. But ultimately, it’s up to you to make sure they’re communicated to employees and enforced.

WORKING WITH YOUR CLOUD PROVIDER

Trusting an outside company with something as important as your data can be a difficult adjustment. But if you choose your hosting company carefully and approach implementation with the right knowledge and expectations, the process can be surprisingly painless.

The most important thing to remember when you’re working with your cloud computing provider is that you own your data. The provider should manage the infrastructure and application availability, but they should not have access to your data without your permission.

Here’s a quick guide to the ins and outs of managing data between you and your provider:

• Your cloud computing provider may need to access your data. They should have policies in place to ask for your permission to access your data when support is needed.

• You should not assume that support personnel can access your files at will. Remember, you have the right to deny support personnel access to your data.

• Most cloud computing providers have data logs in place, so there is a record of who has accessed your data and when that access took place.

• It is important to read the privacy statements in your cloud computing provider contract agreements. These statements will outline how they maintain privacy of your data and what measures can be taken if it is violated.

• You should ensure that your provider will not use your data for marketing or promotional activities. In such cases, you should have the ability to opt in to such marketing communications.

• Remember, it’s your data, and you are ultimately responsible for the privacy of that data.