This article is for all employers using Justworks.
Cloud platforms can help protect your data, but it’s important to understand all aspects of the cloud to utilize it in the best way.
Cloud services give companies of any size the ability to host their service and store data on the internet. With the cloud, businesses are no longer saddled with the large upfront cost of standing up their own data center with their own hardware. Some cloud solution providers offer pay-as-you-go models that allow even the smallest business to stand up infrastructure that can quickly and easily be scaled to meet demand as the company grows.
Although cloud hosting is often more cost effective and resilient than on-premise hardware, there are unique risks that come with hosting services in the cloud. The more you know about the cloud platform you’re using, the more likely you are prepared to protect your information assets in the cloud.
Benefits of the Cloud
There are many benefits in using the cloud, the most impactful are scalability, affordability and availability. You can start with the cheapest server options to keep your monthly costs down. And with just a few clicks, you can easily add higher performance servers and services to meet increased demands as your business grows.
The cloud is also accessible and easy to use. Software as a Service (SaaS) platforms provide ready-to-go solutions that essentially require little or no technical experience to setup and configure. Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) require more technical experience than SaaS to deploy. Smaller businesses typically prefer SaaS or IaaS solutions.
Cloud providers all have data centers in multiple availability zones and regions, enabling failover and high availability for the businesses that require them. Cloud platform tools can also make collaboration simpler and allow teams to work remotely across geographic regions.
Risks Associated with the Cloud
Although the cloud has immense benefits, it’s important to consider the risks that come with being on the cloud so you can be clear whether they conflict with your business strategy.
Provider's Security & Privacy Practices
When deciding to host your business in the cloud, you are handing over some controls of your systems and data to the cloud provider. You should review how the cloud provider manages security, research privacy practices, review security and availability incidents, and check if they have compliance attestations like SOC 2 and certification like ISO 27001. These reviews will help evaluate the maturity of the cloud provider's services and how well positioned the provider is to secure their environment and protect their customers.
Location of the Data
Your business may be required to only store data within certain locations or jurisdictions within the United States or elsewhere depending on:
- The industry your business is in
- Regulations you come under
- Client contract (especially government clients)
The location of your data must align with the regulations and requirements that apply to your business.
Compliance and Regulatory Requirements
Do not assume the cloud provider that hosts your business solution is responsible for everything in their cloud service. The Shared Responsibility Model is often used by cloud providers. It delineates the cloud provider’s responsibility versus the customer’s responsibility. From the perspective of regulators, you are responsible and accountable for the data, regardless of whether your data is stored in your own data center or in the cloud.
Accidental Misconfiguration
The benefits of using a public cloud provider such AWS or Google Cloud include agility, security, and availability. Configuring a cloud environment can be complex, and if not done correctly, can inadvertently introduce vulnerabilities that lead to data breaches.
Steps You Can Take
Now that you’re aware of some of the benefits and risks associated with cloud hosting, let’s get into some actionable steps you can take to secure your business.
Keep Minimum Data
Do not collect data that’s not absolutely necessary for your business. Do not store any data longer than necessary. The more data you have in your care the more risk and liability you have to protect them.
Manage Access
It’s essential to make sure you know who has access to your cloud console and all instances and services you have deployed. Establish role-based and least-privilege access control. In addition to strong passwords, add multi-factor authentication to further assure that only authorized individuals have access to your systems and data.
Protect your Endpoint
Endpoints like laptops must be secured as they are often entry points for cybercriminals. If a bad actor gains access to an endpoint and executes malicious code, they can obtain access to your cloud environment to launch wider attacks.
Encrypt Data and Manage Encryption Keys
Data encryption is the process of transforming data from its original plain text format to an unreadable format, such as ciphertext, before it is transferred to and stored in cloud-based applications. This is known as data in transit and data at rest, respectively. Authorized users can leverage the encryption key to decode the data, transform the concealed information back into a readable format. Keys should be shared only with trusted parties whose identity is established and verified through some form of multi-factor authentication.
Keep Backups
Having backups allows easier recovery in the event of data loss due to data corruption or ransomware attack. It’s important to know how long it will take to recover data, as well as what data can be recovered. Another important step is to have offline copies of your backup. For added protection, some companies backup their data to a separate cloud provider, or in some cases, multiple additional providers.
Know Your Third Parties
Earlier in the article we highlighted the importance of reviewing the security practices that your cloud provider follows. It is also necessary to get a sense of how seriously your other third parties take security. Periodical assessment should be conducted on your third parties to gain confidence that they follow recommended security best practices to protect your data in their care.
We’ve covered many of the basics here and there’s more to learn about data security in the cloud. Consider reaching out to a cloud security expert for more information on how to get your business up and running securely.
Disclaimer
This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for, legal or tax advice. If you have any legal or tax questions regarding this content or related issues, then you should consult with your professional legal or tax advisor.