- ACE Team
Introduction to cloud security
What is the cloud?
You might have heard about ‘the cloud’ and wondered what it meant. In simple terms, it’s a way of describing data and applications that are stored online.
As little as a decade ago, programs were run directly from people’s computers. Users installed the software themselves onto the hard drive, usually from a CD-ROM. The data created by that software was also stored on the hard drive.
But as internet speeds have increased and data storage costs dropped, all of that has changed. Now many applications run at least partly online, from remote servers. And the data they generate is also stored on those servers.
Businesses all over the world are moving to the cloud. There are good reasons for doing so, which we’ll explain in this guide. Then we'll look at cloud security and provide some useful tips that may help make your data – and your customers’ data – safer in the cloud.
This guide provides general advice on cloud security and isn’t intended to cover everything. After reading it, you should be more familiar with ways to secure your data in the cloud. But before you jump in, remember that nothing is ever 100 percent secure. Always get professional advice if you have concerns about the security of your data (whether in the cloud or otherwise).
Five key benefits of cloud computing
There are some significant benefits to businesses using the cloud:
1. Lower IT costs but improved experience
Software upgrades, patches and backups are vital to keeping a business running. Cloud applications do most of this for you, saving on your IT support bill. And cloud software is often based on an affordable monthly subscription – not a big capital expense. Why manage IT in-house when you can have experienced professionals doing it for you?
2. Faster updates
Cloud software is being developed all the time. New features are added and bugs are fixed as quickly as possible. This means you always have the latest software – no need to wait a year for the next version.
3. Access from anywhere at any time
Cloud applications aren’t tied to a single desktop computer. You can access your software and data from wherever you happen to be as long as you have an internet connection. With most programs, you can use a laptop, desktop, smartphone or tablet. Many newer applications will run in a web browser on almost any device.
4. Better business continuity
Power outages, fires, floods, burglaries, earthquakes – all of these are potential business risks. Cloud-based companies can recover faster from disaster than those with data stored on-site. They could be up and running within hours, instead of weeks or longer.
5. Greater agility
Cloud systems are often able to share data or integrate with each other. This means you can process your information in new and useful ways. For example, cloud accounting software can integrate with cloud point-of-sale software, so your sales totals, stock orders and customer and supplier data flow easily between systems. You’ll be able to serve your customers better and adapt to their needs quickly.
How is the data stored?
One of the common questions people have about cloud computing is, "How is my data stored?" In most cases it's stored on servers in big data centres, which are secure and managed 24 hours a day.
And what about the journey between your computer and those data servers? Professional cloud applications use secure, encrypted connections. That means your data is encrypted on your computer before it's sent to the server – and also when it comes back again. This means that nobody can listen in to what's being sent or received.
Cloud software companies take data security very seriously and work hard to protect their customers' data. So you might be wondering how data is ever hacked. It does happen, but it's something you can help prevent. We'll look at that next.
Five key ways you can make your data more secure
High-profile hacking cases in recent years have made some people nervous about storing their data in the cloud. But in nearly every case, it’s not as simple as the cloud being the problem. Often it's the way the cloud is used that causes issues.
Here are five ways you can increase the security of your data:
1. Make sure your passwords are secure
Many people use passwords that aren't secure. They might use their pet's name combined with their date of birth, or their child's name spelled backwards. Or they might use other combinations that seem clever but are actually easy to guess. Short passwords can be cracked by brute force, by giving a computer a word list and letting it try combinations of words. Longer passwords are harder to crack – but also harder to remember.
Remember to keep your passwords long, as random as possible, and unrelated to your own life. Use a different password for each cloud application. If you want something more secure than a password, you might want to use a passphrase instead. Passphrases are typically about 20 to 30 characters long and usually harder to crack than passwords. While these need to be meaningful, try not to use your birth date or username.
You can use password manager software to help you remember multiple logins and to generate strong passwords. You only need to remember one password to access the manager, which securely stores all of your other usernames and passwords for you.
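To put numbers on the advice above, here is an added example (not part of the original guide) that compares guess spaces in bits and generates a random passphrase of 20 to 30 characters, rejecting any that contain personal details, forwards or backwards. The word list, the pet-name count and the 7,776-word list size are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed 16-word sample list so the block runs offline. A real generator
# should draw from a list of several thousand words.
SAMPLE_WORDS = [
    "amber", "bridge", "candle", "dolphin", "ember", "forest", "glacier", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
]


def entropy_bits(pool_size, picks):
    """Bits of entropy when `picks` items are drawn uniformly from a pool."""
    return picks * math.log2(pool_size)


def personal_hits(secret, personal_tokens):
    """Return the personal tokens found in `secret`, forwards or spelled backwards."""
    lowered = secret.lower()
    return [t for t in personal_tokens
            if t and (t.lower() in lowered or t.lower()[::-1] in lowered)]


def generate_passphrase(words, count=4, min_len=20, max_len=30, personal_tokens=()):
    """Pick `count` random words; retry until the length and personal checks pass."""
    for _ in range(10_000):
        phrase = " ".join(secrets.choice(words) for _ in range(count))
        if min_len <= len(phrase) <= max_len and not personal_hits(phrase, personal_tokens):
            return phrase
    raise ValueError("word list cannot satisfy the constraints")


if __name__ == "__main__":
    # Guess space for "pet name + date of birth", assuming (for illustration)
    # 1,000 common pet names and 36,525 possible dates (100 years).
    print(f"pet name + birth date : {math.log2(1_000 * 36_525):.1f} bits")
    print(f"8 random lowercase    : {entropy_bits(26, 8):.1f} bits")
    print(f"5 words of 7,776      : {entropy_bits(7_776, 5):.1f} bits")
    print("sample passphrase     :",
          generate_passphrase(SAMPLE_WORDS, personal_tokens=["rex", "1985"]))
```

Each extra bit doubles the number of guesses an attacker needs, which is why a handful of randomly chosen words beats a short password built from personal details.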
2. Use multi-factor authentication
In addition to requiring a username and password to log in, some software solutions offer multi-factor authentication. This type of solution is also referred to as two-factor authentication, two-step authentication or two-step verification, depending on the approach used. Multi-factor authentication places an additional layer of security on your login. This means that in addition to your standard login, you're required to provide another factor to authenticate your identity. This could be a unique code generated by a separate application, service or device, or something unique to you – like your fingerprint or voice. This reduces the risk of your account being accessed if your password is compromised.
3. Take advantage of login and online activity monitoring
Some cloud applications provide additional information about how their system is being used. Review the additional security services they provide and take advantage of them – every precaution you take makes a difference. For example, some online services display details of when you last logged in to their service. If these details look incorrect, or show a login from a suspicious location, then raise it with the appropriate party. Remember: tools like this are provided as a service – they're there for you to use.
4. Use anti-malware (also known as anti-virus software)
Malware (short for malicious software) can get onto your computer, laptop, tablet or smartphone and do something malicious like stealing your data. It usually gets there because the user of the device has clicked on a link or attachment in an email, or visited a website that’s not secure. If there’s a link or attachment that you don’t know or trust then don’t click on it.
Once malware is on your machine, it might log your user ID, password or credit card information and send it to a hacker. Or it might quietly take over your computer and use it to attack other machines.
Malware is designed to be hidden, so you're not likely to notice it by chance. Make sure you use anti-malware on your phone, laptop, desktop and tablet. And always ensure that your anti-malware and any other software you have is kept up to date.
Make sure you get your anti-malware from a reputable source. This is because what looks like genuine software is often malware in disguise. If in doubt, use virustotal.com as a preliminary check. Malware is one of the easiest ways for hackers to get access to your device, so it's important to take this seriously.
5. Be aware of phishing or other hacking methods
Hacking can happen through people, not just computers. For example, imagine a phone call: "Hello, it's Mary from IT support. We're upgrading your software but it looks like your password has changed since last time and we can't get in to do the upgrade. What's your new password?" This type of hacking attempt is called social engineering.
Another method of hacking is called ‘phishing’ and this happens by email. Often the email will contain links that the hacker wants you to click on. Without training, your staff might give away vital security information via phone or email.
In any of these cases, the cloud isn't the problem. The same attacks could be carried out on data stored in-house. In fact the risk would be even greater, because burglary or theft could also be issues. It's easier to steal a USB stick or a laptop full of data than it is to steal information in the cloud. The problem is usually in the way the technology is used.
Train your staff about online safety and good security practices
You wouldn't let your staff drive a forklift truck or work in sales without proper training. The same should be true of computer equipment and software.
Whether your business uses a smartphone, laptop, desktop or tablet, staff should be trained in data security best practices. They should also be taught how to choose secure passwords and identify phishing scams.
A full data security policy is beyond the scope of this guide, but it's something every business needs. There are online resources that can help you draft one, and plenty of security companies can advise you too. Check out this resource by Get Safe Online.
Remember, an unsecured computer is an open door into your vital business data. Make sure all the doors are locked.
Cloud security is all about your attitude
Cloud data storage can be more secure than storing data on your own business premises. There's less risk of loss or theft, more flexibility and the ability to recover quickly from a disaster.
But nothing can be perfectly secure on its own. The way you use something affects its security. For example, you wouldn't leave your car unlocked in the middle of a town at night. Make sure you take cloud security seriously by:
- using sensible passwords
- protecting your computing devices against malware
- training your staff to identify risks and phishing attacks
- complying with all laws about data storage in your area