How to prevent leakage of data uploaded to a cloud
When users of Google and Yandex cloud services found their personal data publicly accessible, the news raised a major concern. Although the data which got indexed could be accessed through a link or contained a check mark on a “can be searched and viewed by public” field, the fact is that the confidentiality was breached. And this is a weak spot of cloud technologies. If you have trade secrets which will cost you a lot if leaked, it is better to learn about how it works, what it threatens with and what you should do.
Dark side of the Moon
Clouds are clearly easy to use but are still cloudy regarding security. We always have our data at hand and accessible from any gadget. Advantages for businesses are even bigger: companies can process and store data arrays without purchasing costly equipment or software licenses. Servers belong to a provider who monitors your workflow and facilities.
The problem is in giving a provider an access to your data — you can’t influence your provider. For example, you can’t check whether all the settings are configured properly, or whether there appeared a breach in the infrastructure due to some technical error. Impressive computing power and trade secrets lure hackers. There’s also the human factor — data can be leaked by employees of the provider or your contractor. Of course, a threat is ever-present. Even if you store the data, a leak can happen as well. But at least you will be in control of the situation.
Minimising risks: rent from a provider
Paid services are safer than a public cloud. You can rent it — pay a fee to a provider who supplies you with the software online, which operates at their facilities highly protected by a provider.
Although in 2017 Amazon leaked thousands of files containing personal data of the military, police, intelligence officers, and UN entities. A contractor happened to be the one to blame. The contractor was an HR company which used Amazon to send CVs. And there are a lot of such cases. Anyway if a problem occurs no one will say “We are a free service — don’t use it if you don’t like it.”
There are many similar offers in the market at various prices. What you should remember is the IT structure security triad: accessibility, confidentiality, integrity. Providing all these qualities takes money. The cheaper the service, the smaller the concern for security vendors have. Businesses operating with sensitive data — military or exploration organisations — can’t take risks. But if data security is not that critical, a paid cloud is an option. It is a good one for startups which want to strengthen their position first and then to spend on hardware and software.
If you want something done right — do it yourself
Your own cloud storage. This is the safest way to keep your data protected. And many companies vulnerable to data leak go this way. The price and implementation issues depend on needs. Which amount of data and of which format should be stored? Are there any specific requirements for processing speed, for example? What type of encryption is necessary? There are many criteria and nuances to price the option tailored to your needs.
Information security and risk management is a field which doesn’t lack some paranoia — servers are often purchased even for home use.
The bigger an organisation is and the more serious requirements are, the more expensive an opportunity to manage your own cloud storage with a high security level is. When the hardware is purchased, integration and implementation are the costly steps that should follow. Among the expenses there is also an environment support. A provider used to guarantee safety and functionality, but now you should make efforts to ensure it: you will need generators in case of power outage and specialists to support the system.
Divide and conquer
As confidentiality has become topical, the cloud technology market has diversified its solution range: whether it is the Federal Security Service, NSA — doesn’t matter; any data disclosure request isn’t satisfied — providers ensure confidentiality.
Regardless of which cloud services a company opts for, it is advised to filter and sort out information to keep all critical data inside a corporate perimeter, and keep in mind that the safest computer is an offline computer. Everything that goes to a digital space should be encrypted — so that the data would appear to be useless in case it leaks. It can be done with free tools, for example, with classic archiver, or licensed instruments.
Ensuring safety is an ongoing task
Taking one-time safeguard measures and forgetting about safety is a step to nowhere. Your own cloud demands that employees’ tasks should be controlled and educated continuously.
If staffers got used to store data on Google Drive, upload documents to work at home or during a business trip, they will keep using it. Or they can get concerned with security rules today, and tomorrow decide that nothing is about to occur if a public cloud takes onboard some more data. That’s why control is needed.
A monitoring system controls third party services including cloud storages. Special security policies will alert to a corporate file upload to a cloud, and, if configured properly, the solution stops such activity.
This regards preventive measures, because after a leak not a lot can be amended. If data protected by law gets shared on the Internet, the “right to be forgotten” can be applied (on Google, for example). But even if rights are asserted, information will be removed from a search engine, but not from sources where it was distributed. And if it gets into someone’s malicious hands, a company will focus on fighting consequences. Think twice before using a cloud — a wind can blow hard.
