How to make your data in the cloud more secure
Authored by QBE Senior Risk Manager Jaini Gudhka
What is the cloud and just how safe and secure is business data?
‘Your data will be stored safely in the cloud’ is a phrase that we hear frequently. But what is the cloud and just how safe and secure is the business data we choose to store in it?
The cloud is simply a network of computer servers stored in a data centre. Instead of storing your information on your laptop or desktop, or perhaps a server in your office, you transfer the information over the internet to a data centre, run and managed by a third party. As with most things in technology, there are distinct types of cloud. A private cloud is one that is wholly dedicated to one organisation, and a public cloud is one that is shared by multiple organisations.
‘Software as a Service’ (SaaS) allows a software provider to develop and build applications using the cloud and then make them available to customers via the internet. Cloud computing is the cornerstone of many applications used by businesses, whether for storing documents or for processing accounts and payrolls, for customer relationship management systems – the list is seemingly endless.
Provided appropriate due diligence is performed on the provider and you implement basic security controls, the cloud delivers a myriad of business benefits. These include cost-effective computing services through massive economies of scale, remote collaborative working, speed of access, and a rich variety of services to satisfy the requirements of any organisation, regardless of size or sector.
How secure is the cloud?
When considering cloud services for business, a common question is ‘how safe and secure is it?’ Well... it depends.
Providers of cloud-based services such as Microsoft, Amazon Web Services (AWS) and many others spend millions of dollars to ensure that their systems are safe and secure.
Other companies will use the data centres provided by these technology giants to host and power their services. If you want to find out more, head to the websites of your cloud service providers and look in the small print, usually at the bottom of the website, for details of how they secure your information. Companies that have invested in certifications such as ISO 27001, ISO 27017, ISO 27018 and SOC 2 take security seriously. They are independently audited on an annual basis to ensure that they can meet the stringent standards of controls.
However, whilst the cloud providers may take steps to protect the data that we place into the cloud, we all, as users and subscribers, have a role to play if we are to ensure that the data remains safe.
Sounds complicated? Well, imagine your office or house is the equivalent of the cloud environment. You may have invested in an expensive alarm system, window locks, mortice locks, perhaps a security patrol to check in every now and then. Then you discover that someone in your household has put a key under the plant pot, or the cleaner has shared the alarm code with a friend, or that a window has been left open and so on. Despite all the investment in security that you made, someone has compromised it.
Steps to ensure cloud safety
Cloud security requires the user to take basic steps to ensure the system remains safe and isn’t compromised. For example:
- Do you use a strong password to access the system?
- Do you have multifactor authentication (MFA) in place? This requires the user to have two pieces of information to access the system, so that if one is compromised (e.g. the password is guessed), a second step is required (e.g. a code sent to a mobile phone or email address, biometric recognition) before access is provided.
Aside from access to the system, consider authorisations within the system.
- Who needs access to what? In the same way as you may have passports or valuables kept in a safe at home, ensure that access to the ‘crown jewels’ of your business is restricted.
- Regular review of access levels: is there a process to administer user access, to ensure removal of all leavers from the system, or to modify access if individuals move role?
So, whether you’re considering the use of cloud-based storage, or you are already using cloud services, it is important to assess the security provided by prospective/existing cloud service providers. As a leading business insurer, we have produced a basic checklist of factors to consider and what should be expected of cloud providers, which can be adapted to suit your business needs. You can download it here.
Whilst a checklist of requirements may seem daunting, any credible supplier should respond to them quickly and comprehensively or have the information readily available on their website. Don't be deterred: be persistent, and if you don't receive the answers, look towards another supplier.
Finally, if you choose to end a service with your provider, then remember to ask them to confirm the deletion of the data.
Risk management services for QBE customers
QBE helps businesses build resilience through risk management and insurance.
Depending upon the size and complexity of the business needs, QBE customers can access a wide range of risk management services, self-assessment questionnaires and risk management toolkits which are focused on the key causes of claims, and on generating action plans for improved outcomes - including protecting employees, reducing risk and making claims less likely. You can find out more about how QBE helps businesses to manage risk here.