SMEs: Security In The Cloud

Cloud Security For SMEs

Cloud security remains a key concern for SMEs. This is understandable, as security breaches can have major negative repercussions for a business, including potential litigation and damage to reputation.

For most SMEs however, the risks need not outweigh the benefits of cloud services. It’s also important to remember that while most SMEs are not specialists in data security, cloud vendors need to be: they have a vested interest in maintaining the security of customer data.

Nevertheless, cloud customers remain ultimately responsible for the security of their data, and – with this in mind – SMEs thinking about shifting to the cloud should consider the points set out below.

Decide which data to transfer

Review your data first to determine whether there is any which should not be shifted to the cloud (e.g. if your privacy policy does not allow certain personal data to be transferred) and create a clear record of the categories of data you intend to transfer.

Ask the right questions

There are now many service providers and types of service on offer, so shop around to find the cloud provider that best meets your security and other needs. Asking the right questions before you select a provider is vital.

If you are transferring personal data to the cloud, you are likely to be viewed as a ‘data controller’ of the data under EU data protection laws. This means that you will be legally responsible for ensuring that any processing of personal data is secure, and you will need to choose a cloud provider that gives sufficient written assurances about its security measures.

A good starting point is the Information Commissioner’s Office (ICO) guidance on the use of cloud computing (2012), which outlines different types of cloud models and raises questions to take into account during a cloud selection process. For example:

  • How does the cloud provider store data (e.g. is it co-mingled with other customers’ data)?
  • What assurances does the provider give with respect to security?
  • Can it give you evidence of its security track record (e.g. written audits)?
  • Does the provider have any industry accreditations (e.g. ISO 27001)?
  • How does it monitor, report and deal with security breaches?
  • Is encryption used/permitted?

EU data protection law regulates the transfer of personal data outside the European Economic Area (EEA), so – if you’re shifting personal data to the cloud – it’s also important to ask where the provider’s servers are located and what safeguards are in place there. Cloud providers should be transparent about this, and should offer appropriate assurances in the cloud contract. If your preferred cloud provider is likely to process your data outside the EEA, seek legal advice about the best way to comply with your legal obligations.

Check the cloud contract

Most SMEs will be presented with standard cloud contracts on a ‘take it or leave it’ basis. You will need to shop around to find the best terms for your business, remembering that – as ‘data controller’ of any personal data in the cloud – you must retain sufficient control over the personal data to meet your legal obligations. The contract should, for example:

  • state that the provider will act only on your instructions
  • give assurances as to the security of your data
  • specify the limited circumstances in which the provider can access the data
  • clarify your rights to access and delete the data; and
  • set out how security is monitored and breaches are dealt with.

Encrypt data

If your cloud provider permits encryption, consider placing encryption around any personal data ‘in transit’ between your IT infrastructure and the cloud provider’s, and ensure that the encryption used meets recognised industry standards. Also, consider whether the encryption should be used on data ‘at rest’ (e.g. where sensitive personal data is stored in the cloud).

Check your privacy policy

If you plan to shift personal data to the cloud, you may need to amend your privacy policy if it doesn’t currently allow you to do so.

Maintain control over your data

To maintain control of your data throughout its lifecycle, monitor and review your cloud provider’s security measures on a regular basis, and check any updated security audit reports that are made available to its customers.

Train your staff

Ensure your staff understand their responsibilities with respect to security; e.g. to keep their authentication details safe, maintain the security of encryption keys and adhere to access controls.

For most SMEs, and in most sectors, security risks associated with cloud services are not insurmountable provided that they are dealt with properly. As with any other IT project, the careful consideration of the risks in the early stage of planning and the implementation of sound ongoing risk management strategies are central to the success of any cloud project.

Louise Taylor

Louise Taylor, Senior Associate at international law firm Taylor Wessing, advises both customers and suppliers in all aspects of IT law, with a particular emphasis on IT contractual work, e-commerce, online issues, software and website development, cloud computing and advising on issues relating to new and emerging technologies. She has specialised in technology law for 15 years. Louise is qualified as a solicitor in both England and New Zealand. Before joining Taylor Wessing in 2006, Louise was a senior associate in a leading commercial law firm in New Zealand, and also worked at the BBC in London for a number of years (first for BBC Radio and then New Media & Technology). Prior to that she was a solicitor in the commercial and IT teams of one of New Zealand's largest law firms. Louise regularly presents and contributes to various publications on cloud computing and other technology and data protection issues.