Strictly speaking, public and private clouds fall under the previous heading regarding service providers and software as a service, however due to its rise in popularity and unique set of challenges associated to it, it is discussed separately.
Cloud services have probably transformed and benefited the small to medium size businesses in a much more significant way than it has the larger organisations. Cloud services have brought down costs, simplified the management of software and allowed access to technology that was previously unavailable to small businesses largely due to the expense and infrastructure requirements. For many, cloud services are simple, hassle free and turnkey solutions to their problems. However, cloud-based computing and associated services are probably one of the biggest lurking security threats in the world and the “black box approach” of cloud providers will not protect you if your data is compromised. When it comes to security the chain is only as strong as the weakest link and in the case of cloud computing this is a pretty long chain.
- As discussed in the previous section make sure you comply with the PoPI Act’s conditions relating to cross-border transfer of data. Make sure you understand your cloud provider’s business model and systems architecture. Who has access to your data and can they effectively monitor and control this? Many cloud providers cannot.
- Secure mobile devices connected to remote services and make sure you comply you’re your company policies. Information often gets out because people take the liberty of copying information onto their own device for purposes of sharing it or making their own lives easier. Do not copy personal information onto devices and make sure you protect it with pass codes or tracking software in the event of it being lost or stolen.
- Only make use of secure services and invest in digital certificates where necessary (I.e. make sure the address of web services has an “s” as in “https” and is not just “http”). Using plain text (“http”) means that any party with access to the traffic between your PC and the server can intercept and view your data.
- Just because it is cloud does not mean it is better or easier. Sometimes it is best to keep things simple and manage your own solution than going with a cloud option just for the sake of it. There should be a sufficient reason and/or a substantial benefit from going with the cloud approach.
- Less is more. Where possible, try to consolidate services so you limit your risks and the number of relationships you have to maintain. Don’t always go for the cheapest options. Be negotiable (willing to change) when it comes to functionality. If you can find one solution that can manage three of your requirements, e.g. email communication, workflow and time management, then don’t sign up for three separate services and duplicate your data when the benefits do not warrant it.
- Limit and automate sharing of information. Separate data and share only what is necessary to perform the job. Where possible, configure cloud systems to read from the primary source so data is kept in sync automatically. This approach will remove unnecessary data administration and enhance security as data is not exposed to more people in the process of updating it.
- Make sure the cloud provider’s backup or data retention strategy does not conflict with your own and allows you to remove personal information when you need to. IF your customer asks you to remove or de-identify their personal information it includes attending to this on the cloud systems, which may not be possible if this is not part of their strategy. E.g. if you delete a document on Google Docs, is it really deleted?
- Unlike local network, or office based solutions, cloud systems are typically always on. This means that where before you may have only been exposed to attacks from your local network or during certain times of the day your applications and data are now online 24/7. Make sure your software and solutions are sufficiently protected to handle this type of exposure.