A cloud is by far the safest place for your data. Clouds live in giant data centres operated by large organisations. In most cases they are built like fortresses. Guards patrol outside. Security cameras watch everything. No-one is going to break in and get physical access to your servers. No-one is going to plug a USB memory stick into your cloud and steal your information. Few school offices are as burglar-proof.
Despite this, security remains one of the biggest fears and an argument against moving to the cloud. There are risks, but there are many things you can do to minimise threats.
Almost every security problem linked to cloud computing is down to the way cloud services are used, not the services themselves. Cloud computing contracts reflect this. The companies operating cloud services can only guarantee so much security. This means responsibility lies with you and the people you delegate to manage cloud services.
Problem number one isn’t a straightforward security issue at all. Moving to the cloud means learning different work practices and new security routines. None of them are hard to grasp, but they are conceptually different and you can’t expect people to pick them up in a vacuum. People can make mistakes. It may pay to invest in training the staff who will use your cloud. It won’t hurt you to gain new skills at the same time.
There are a few basics you should consider:
Passwords and accounts
Limit the number of people who can use the cloud service to the bare minimum. Make sure that people’s access is limited to only the applications or specific services they need to use. This applies even to people you trust, and you might want to think about including yourself in the list of people with limited access.
This can be about trust. After all, it is possible people might abuse access privileges. Yet it’s just as likely people can blunder around in unfamiliar places and either wreak unintentional havoc or do the digital equivalent of leaving the front door open to all and sundry.
You need to establish a strong password policy. This means training people not to use obvious names or words… hackers are skilled at guessing these. Likewise avoid simple short passwords. Hacker tools can help criminals find their way past easy passwords. Make sure people use different passwords for each cloud service they log on to. Set up your systems so that users must change their passwords regularly.
You might choose to invest in a password manager like 1Password or LastPass. These can remember those secure complicated alphabetti spaghetti passwords far better than a human brain and are safer than leaving passwords on Post-it notes. Password managers are also good for creating new safe passwords to order.
Some cloud services will give you the option to use multi-factor authentication. Use it wherever you can and make sure your entire team does too. There are a variety of ways it can work; the most popular involve getting a code through a text message or entering a code from a special authenticator app.
This makes it near impossible for someone to log in to your cloud accounts even if they get hold of or guess your password.
Keep yourself and staff up to date on the risks
Most computer crime isn’t about hackers wearing balaclavas sitting in darkened rooms finding their way into systems. It’s about tricking people into voluntarily handing over the information needed to gain access.
Phishing is when you are sent a plausible-looking email asking you to do something that might compromise security. Spear-phishing is the same thing, but the sender knows enough about you to look credible. There’s also something called social engineering, which comes in a variety of forms including telephone calls.
Knowledge is the best protection against all of these, but even then intelligent people can be fooled. Don’t worry about appearing paranoid: mistrust everything that can’t be verified.
There are a number of useful resources to help you keep up to date with security threats. Many are strictly for security experts or focus on overseas problems; the government’s www.cert.govt.nz offers down-to-earth plain English advice.
Use monitoring services
Many cloud services can give you useful information about how people use your cloud service. So, if you get a report showing someone is logging on at 3:00 AM from Kiev, it might pay to investigate further. There are lots of tools that cloud providers offer and these can include security products.
Consider commercial security products
Just as there is an industry providing tools to protect personal computers, there are products and services to guard against cloud risks. In many cases the two are aspects of the same thing. If crooks get malware onto your PC, that can give them an entry point onto your cloud.
Some of the most dangerous things that can happen are invisible. Criminals might take control of computers or cloud services in order to launch anonymous attacks on other targets. It may pay to keep all your computers and device software up to date and to invest in security software. Many of the best packages include tools that can help guard against phishing and similar threats.
All of these steps are to do with people. It’s not enough to inform or train people and leave them to get on with their jobs. Digital security is a state of mind, and it needs constant care and attention.
It’s also about attitude. If you’re reading this, then you have a leadership role of some description. That means you’ll also need to show leadership when it comes to online security. If you set the right example, others will follow.