What is the cloud and just how safe and secure is business data?
‘Your data will be stored safely in the cloud’ is a phrase that we hear frequently. But what is the cloud and just how safe and secure is the business data we choose to store in it?
The cloud is simply a network of computer servers stored in a data centre. Instead of storing your information on your laptop or desktop, or perhaps a server in your office, you transfer the information over the internet to a data centre, run and managed by a third party. As with most things in technology, there are distinct types of cloud. A private cloud is one that is wholly dedicated to one organisation, and a public cloud is one that is shared by multiple organisations.
‘Software as a Service’ (SaaS) allows a software provider to develop and build applications using the cloud and then make them available to customers via the internet. Cloud computing is the cornerstone of many applications used by businesses, whether for storing documents, processing accounts and payrolls, or running customer relationship management systems – the list is seemingly endless.
Provided that appropriate due diligence is performed on the provider and you implement basic security controls, the cloud delivers a myriad of business benefits. These include cost-effective computing services through massive economies of scale, remote collaborative working, speed of access, and a rich variety of services to satisfy the requirements of any organisation, regardless of size or sector.
When considering cloud services for business, a common question is ‘how safe and secure is it?’ Well... it depends.
Providers of cloud-based services such as Microsoft, Amazon Web Services (AWS) and many others spend millions of dollars to ensure that their systems are safe and secure.
Other companies will use the data centres provided by these technology giants to host and power their services. If you want to find out more, head to the websites of your cloud service providers and look in the small print, usually at the bottom of the website, for details of how they secure your information. Companies that have invested in certifications such as ISO 27001, ISO 27017, ISO 27018 and SOC 2 take security seriously. They are independently audited on an annual basis to ensure that they meet the stringent control standards.
However, whilst the cloud providers may take steps to protect the data that we place into the cloud, we all, as users and subscribers, have a role to play if we are to ensure that the data remains safe.
Sounds complicated? Well, imagine your office or house is the equivalent of the cloud environment. You may have invested in an expensive alarm system, window locks, mortice locks, perhaps a security patrol to check in every now and then. Then you discover that someone in your household has put a key under the plant pot, or the cleaner has shared the alarm code with a friend, or that a window has been left open and so on. Despite all the investment in security that you made, someone has compromised it.
Cloud security requires the user to take basic steps to ensure the system remains safe and isn’t compromised. For example:
Aside from access to the system, consider authorisations within the system.
So, whether you’re considering the use of cloud-based storage, or you are already using cloud services, it is important to assess the security provided by prospective/existing cloud service providers. As a leading business insurer, we have produced a basic checklist of factors to consider and what should be expected of cloud providers, which can be adapted to suit your business needs. You can download it here.
Whilst a checklist of requirements may seem daunting, any credible supplier should respond to them quickly and comprehensively or have the information readily available on their website. Don't be deterred: be persistent, and if you don't receive the answers, look towards another supplier.
Finally, if you choose to end a service with your provider, then remember to ask them to confirm the deletion of the data.
This guidance has been produced in partnership with Risk Evolves.
The UK National Cyber Security Centre has guidance on the use of cloud providers and choosing a provider here.
The UK Information Commissioner's Office (ICO) has guidance on the type of information that should be included in a contract with a cloud provider here.
Read ICO guidance on the use of cloud computing here.
QBE helps businesses build resilience through risk management and insurance.
Depending upon the size and complexity of the business needs, QBE customers can access a wide range of risk management services, self-assessment questionnaires and risk management toolkits which are focused on the key causes of claims, and on generating action plans for improved outcomes - including protecting employees, reducing risk and making claims less likely. You can find out more about how QBE helps businesses to manage risk here.