Cloud security remains a key concern for SMEs. This is understandable, as security breaches can have major negative repercussions for a business, including potential litigation and damage to reputation.
For most SMEs however, the risks need not outweigh the benefits of cloud services. It’s also important to remember that while most SMEs are not specialists in data security, cloud vendors need to be: they have a vested interest in maintaining the security of customer data.
Nevertheless, cloud customers remain ultimately responsible for the security of their data, and – with this in mind – SMEs thinking about shifting to the cloud should consider the points set out below.
Decide which data to transfer
Ask the right questions
There are now many service providers and types of service on offer, so shop around to find the cloud provider that best meets your security and other needs. Asking the right questions before you select a provider is vital.
If you are transferring personal data to the cloud, you are likely to be viewed as a ‘data controller’ of the data under EU data protection laws. This means that you will be legally responsible for ensuring that any processing of personal data is secure, and you will need to choose a cloud provider that gives sufficient written assurances about its security measures.
A good starting point is the Information Commissioner’s Office (ICO) guidance on the use of cloud computing (2012), which outlines different types of cloud models and raises questions to take into account during a cloud selection process. For example:
- How does the cloud provider store data (e.g. is it co-mingled with other customers’ data)?
- What assurances does the provider give with respect to security?
- Can it give you evidence of its security track record (e.g. written audits)?
- Does the provider have any industry accreditations (e.g. ISO 27001)?
- How does it monitor, report and deal with security breaches?
- Is encryption used/permitted?
EU data protection law regulates the transfer of personal data outside the European Economic Area (EEA), so – if you’re shifting personal data to the cloud – it’s also important to ask where the provider’s servers are located and what safeguards are in place there. Cloud providers should be transparent about this, and should offer appropriate assurances in the cloud contract. If your preferred cloud provider is likely to process your data outside the EEA, seek legal advice about the best way to comply with your legal obligations.
Check the cloud contract
Most SMEs will be presented with standard cloud contracts on a ‘take it or leave it’ basis. You will need to shop around to find the best terms for your business, remembering that – as ‘data controller’ of any personal data in the cloud – you must retain sufficient control over the personal data to meet your legal obligations. The contract should, for example:
- state that the provider will act only on your instructions
- give assurances as to the security of your data
- specify the limited circumstances in which the provider can access the data
- clarify your rights to access and delete the data; and
- set out how security is monitored and breaches are dealt with.
If your cloud provider permits encryption, consider placing encryption around any personal data ‘in transit’ between your IT infrastructure and the cloud provider’s, and ensure that the encryption used meets recognised industry standards. Also, consider whether the encryption should be used on data ‘at rest’ (e.g. where sensitive personal data is stored in the cloud).
Maintain control over your data
To maintain control of your data throughout its lifecycle, monitor and review your cloud provider’s security measures on a regular basis, and check any updated security audit reports that are made available to its customers.
Train your staff
Ensure your staff understand their responsibilities with respect to security; e.g. to keep their authentication details safe, maintain the security of encryption keys and adhere to access controls.
For most SMEs, and in most sectors, security risks associated with cloud services are not insurmountable provided that they are dealt with properly. As with any other IT project, the careful consideration of the risks in the early stage of planning and the implementation of sound ongoing risk management strategies are central to the success of any cloud project.