Is your data secure in the cloud?
4 considerations to keep in mind when working in the cloud
Welcome to a new article on the data in the cloud series. If you have missed any of the previous articles, I recommend you to do a quick read and catch up since in this article we will continue talking about the cloud, and it is highly recommended to be in context. In the first article of the cloud series, we talked about the advantages and disadvantages of the cloud, and how it can help your business. In the second, we explained what the different cloud service models are and what you are responsible for in each of them.
In this article, I would like to share some ideas with you on an issue that has become a big concern for those who are thinking about working with cloud solutions: security. More specifically, we will talk about data security. I’m sure you are tired of hearing news about data center security breaches exposing sensitive data to the public. I’m also sure that it will come to mind how big companies use data to get to know their customers better. All this may come to mind when you hear about the cloud and it usually generates a lot of mistrust but, the truth is that your thinking is biased, influenced by all the press this issue makes.
Although security is a field that I love, I am not a security expert and my goal with this article is not to list a series of advantages or disadvantages that must be taken into account. My only objective is to offer some considerations you may have in mind and invite you to think about them. Feel free to leave your thoughts on the comments, I’ll try to answer to the best of my ability.
The cloud provider is (mostly) secure
If you don’t trust the cloud, ask yourself a question: do you keep your money in the bank or under the bed? In general, people keep their savings in the bank. Why? Because it is safer. Your house seems like an easy target for a thief, yet very few people would rob a bank. And why “mostly” secure? Because absolute security does not exist.
One of the reasons that many people cite as resistance to cloud migration is the “transfer” of data to the cloud provider. “My company data will be on a third-party server, why can’t I save it on my server? It’s more secure.” Yes, your company data will be on a server that is not yours, so what? Is your cloud provider going to steal your data? Going back to the example from before, does it make sense that your bank steals your money? In general, the very fact of storing your data in a cloud provider does not pose a security risk.
On the other hand, you may have doubts as to whether the cloud provider could see what you store in their cloud. In case of doubt, and before starting any activity in the cloud, I recommend that you read the terms of service, as well as the privacy policy of the cloud provider you have chosen. To call a spade a spade, as a service provider, accessing your customers’ data without their consent would be illegal. Make sure you don’t consent. Your content is yours, and nobody else’s.
Where is your data?
Another of the most frequently asked questions is where your data is. The cloud is a term that sounds so abstract that you can come to think that your data could be anywhere.
The truth is that cloud providers have a huge infrastructure and it is spread throughout the world. What I am going to say next can vary between different cloud providers, but most are organized like this.
The infrastructure of a cloud provider is organized in different regions spread geographically around the world. You can always choose in which region you are going to work, so you have control of where your data is. This way, you will be able to comply with the corresponding regulations.
When you choose a region, in addition to choosing the one that suits you best, you will have to bear in mind that not all regions may have the same service catalog, so, depending on the service you are going to use, you will be slightly conditioned to use a specific region. However, most of the “common” services are generally available in all regions.
You are a risk
When we talk about security, you should always keep in mind that the weakest link is yourself. An insecure password, a disabled multi-factor authentication, an unlocked computer, is enough to cause a security breach with terrible consequences. Companies like yours are increasingly aware of this and invest in training their employees to reduce the risk of a security breach. Similarly, as customers of cloud services, we are responsible for identifying who can access our data and who cannot.
To give you a quick summary, we, as customers, are responsible for the security in the cloud, while the cloud provider is responsible for the security of the cloud. For this reason, you will have to make sure that only the right people access the information giving the least access privilege so that they can perform their tasks complying with the corresponding security policies.
As you can imagine, depending on the service model you work with on the cloud, the configuration effort will be greater or lesser. You must be aware, in each case, of what you are responsible for. Managing a virtual machine with persistent storage is not the same as managing permissions on a Google Drive folder.
Data encryption
Another important topic is data encryption. Encryption is defined as the process of encoding information that converts the information into a representation that can ideally only be decoded by the receiver. We are not going to talk about cryptography in this article, as it is too broad a topic. The important idea you must understand is that when your data is encrypted, ideally it can only be read by the person who has the key to decrypt it.
When we talk about data encryption, there are two situations in which you can and should encrypt that data:
- At rest: when you have your data stored in a cloud provider and it is not being used it must be encrypted. This way, even if someone “robbed the bank”, they would not understand anything.
- In transit: when you are transferring your data between, for example, two servers, it has to be encrypted. This way, if someone were intercepting the communication, as in the previous case, they would not understand anything.
As we have seen, there are some considerations that we must make and think about before starting to work in the cloud. With the correct measures, working in the cloud is generally safe. The cloud provider will accomplish the necessary ones to make their infrastructure and services secure but, remember, it’s ultimately you who must ensure data security in the cloud by applying, for example, strict access policies or data encryption.
Thanks for reading the third article in the “data in the cloud” series 🤗.
