Protect Yourself by Encrypting All Data Stored in the Cloud
In general, people who attend security conferences are more attuned to security risk than those who do not, so I'd trust their perceptions over those reported in a cloud service vendor-funded study. But then again, security vendors make their money off of security risk, so mix the results of surveys together, add a dollop of your own real-life experience and see what floats to the top, credibility-wise.
One of the biggest takeaways from the Sophos survey was that employees use cloud even when its security proposition is iffy and even when they don't have their bosses' permission. It's just too easy to exchange and share and store files in the cloud; you can't expect people to pass it up.
Chris Pace, a product specialist at Sophos, said you've just got to assume that users will take advantage of cloud services and prepare for the technology's inherent security vulnerabilities. Otherwise, ungoverned employee use could lead to data compromise.
He argues that one of the most essential parts of an organization's responsibility for securing data that goes to the cloud is file encryption performed before the data leaves its grasp. The user gets a password to decrypt and the business keeps the keys. "It's their data, after all," he says.
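One way to realize the arrangement Pace describes, shown as an added example that is not from the article or from Sophos: the file is encrypted locally under a random data key, which is wrapped once under a key derived from the user's password and once under an organization-held key. The function names, the envelope layout and the choice of AES-GCM with PBKDF2 are assumptions, and the block needs the third-party `cryptography` package.

```python
import hashlib
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def password_kek(password: str, salt: bytes) -> bytes:
    # Stretch the user's password into a 256-bit key-encryption key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000, 32)

def seal(key: bytes, plaintext: bytes, label: bytes) -> bytes:
    # AES-256-GCM with a fresh random nonce, stored in front of the ciphertext.
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, label)

def unseal(key: bytes, blob: bytes, label: bytes) -> bytes:
    # Raises cryptography.exceptions.InvalidTag on a wrong key or tampering.
    return AESGCM(key).decrypt(blob[:12], blob[12:], label)

def encrypt_for_upload(data: bytes, password: str, org_key: bytes) -> dict:
    """Encrypt locally; the returned envelope is all the provider ever stores."""
    dek = AESGCM.generate_key(bit_length=256)  # random data key, one per file
    salt = os.urandom(16)
    return {
        "salt": salt,
        "wrapped_user": seal(password_kek(password, salt), dek, b"user"),
        "wrapped_org": seal(org_key, dek, b"org"),  # business-held recovery path
        "ciphertext": seal(dek, data, b"file"),
    }

def decrypt_with_password(env: dict, password: str) -> bytes:
    dek = unseal(password_kek(password, env["salt"]), env["wrapped_user"], b"user")
    return unseal(dek, env["ciphertext"], b"file")

def decrypt_with_org_key(env: dict, org_key: bytes) -> bytes:
    dek = unseal(org_key, env["wrapped_org"], b"org")
    return unseal(dek, env["ciphertext"], b"file")

if __name__ == "__main__":
    org_key = AESGCM.generate_key(bit_length=256)  # kept by the business, never uploaded
    doc = b"constructed sample: Q3 payroll export"
    env = encrypt_for_upload(doc, "constructed-passphrase", org_key)
    print(decrypt_with_password(env, "constructed-passphrase") == doc)
    print(decrypt_with_org_key(env, org_key) == doc)
```

Only the envelope is uploaded; the password and the organization key stay on the business side, so the provider holds nothing that can decrypt the file.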
Whether businesses are using cloud services without official sanction, thanks to employees, or whether they're using cloud because they (wrongly) think cloud will solve all their security problems, all organizations should be aware that not all cloud services are created equal.
Symform, provider of cloud network services, offers a few security issues to consider when choosing a service provider:
- Some clouds encrypt your data while it's in the cloud, but leave it in the clear while it's being transported.
- Others, though they encrypt the data before storing it, transport the data to their data center via a single Internet connection, creating a single point of attack and potential failure.
- Cloud providers have distinctly different ways of generating, storing and managing encryption keys.
Pace recommends these other, simple precautions:
- Web-based policies using URL filtering;
- application controls that can be applied to cloud products; and
- data encryption that provides a layer of security across the board.
To which I would add one more bullet point:
- Keep backup copies of data uploaded to the cloud, lest you get MegaUploaded.