Written by Tim Barr, Director of Sales and Marketing
Many venues are moving their IT to the cloud to reap both immediate and long-term benefits. However, in this day of cyber attacks, malware, ransomware, and increasing costs of cyber insurance, many venues are being forced to ask tough questions when it comes to securing their data that weren’t even a consideration a few years ago.
The US Government and the American Bar Association both encourage all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.
Following are five security questions based on today’s best practices that should be asked when considering a new cloud hosting solution or evaluating your current service provider.
QUESTION 1 Does the cloud provider offer cyber security measures strong enough in today’s dangerous world?
Just a few years ago we didn’t worry that much about cyber security, but today it’s the wild, wild west when it comes to cybercrime. What do strong security measures look like nowadays?
Multi-Factor Authentification (MFA)
MFA is to security as what wheels are to a bicycle. No one today should be without MFA from their cloud provider because without MFA in place, it could easily be argued that you are not making a “reasonable effort” to protect your data and could open you up to a lawsuit if there is a breach.
Email Protection
Email protection blocks spam and phishing attacks and is an important layer of protection to your inbox. Email encryption is another topic discussed below.
Network Security Monitoring
Intrusion detection allows the provider to detect potential threat activity like ransomware or other malware attacking the system.
Log Security Monitoring
Every software product has a log where activity is recorded. Log security monitoring collects, aggregates, and analyzes those logs to identify impossible logins, MFA bypass, attacks, and rogue agents. Log security monitoring and network security monitoring are proactive and follow the principle of “the best defense is a good offense”.
Phish Training
Training your workforce on security measures, including what phishing emails look like, and testing them with “fake” phishing emails allows you to find out who is susceptible to introducing malware.
Dark Web Monitoring
If your data is compromised and available on the dark web, it’s time to change passwords!
Make sure your Cloud provider is as serious about protecting your data as you are and offering you the protection you need to avoid a cyber attack.
QUESTION 2 Do I control my own data?
Some cloud providers state in their terms and conditions that the service provider controls hosted data to comply with legal regulations. Obviously, you own your own data, but based on the terms and conditions, the cloud service provider may have control over your data.
The best practice today for any organization is to have a private cloud provider that gives you full control over all aspects of your cloud instance including CPUs, servers, memory, storage, etc. providing full protection for your firm.
QUESTION 3 Is my data encrypted?
Encryption of your data in transit (as it is uploaded to and downloaded from the cloud) as well as encrypting cloud servers is vital and a well-accepted best practice today. However, you may wish to consider email encryption as well.
California Formal Opinion No. 2010-179, Pennsylvania Formal Opinion 2011-200, and Texas Ethics Opinion 648 (2015) provide that email encryption may sometimes be required. A July 2015 ABA article by Peter Geraghty and Susan Michmerhuizen notes “The potential for unauthorized receipt of electronic data has caused some experts to revisit the topic and issue [ethics] opinions suggesting that in some circumstances, encryption or other safeguards for certain email communications may be required.”
Microsoft O365 has encryption available, and if your cloud hosting provider is also offering O365, you may want to consider encryption through the cloud provider.
QUESTION 4 Am I at risk if another cloud client is hacked?
After a widely publicized data breach on a large cloud provider last spring, hundreds of clients were unable to access their “private” clouds. Why? The company appears to have set up “private” cloud instances for each user’s software, but then stored files on shared servers, apparently to reduce costs.
All clients were shut down because just one company got ransomware.
Though the majority of clients weren’t asked to pay a “ransom”, they were unable to access their data for days, weeks, and in some cases even months, creating havoc, inconvenience, lost productivity, and lost income.
Ask your cloud provider if your data is at risk should another of their clients get ransomware.
QUESTION 5 Is my cloud private, multi-tenant, or a hybrid?
The type of cloud you choose has ramifications for cost, service, and security. Just like in housing, shared cloud instances are the least expensive while private instances cost the most. Here’s an easy way to think of it:
Multi-tenant Cloud, where multiple clients share servers, is like a high-rise condo building where everyone has their own home that is under their own lock and key. Multi-tenant is typically safe, secure, and less expensive than a private home or private cloud; however, you are also susceptible to your neighbor’s good or bad behavior. If a neighboring condo catches fire, you may have significant damage through no fault of your own. If a neighbor’s cloud gets ransomware, you may also have significant damage through no fault of your own.
Hybrid Cloud, a “private” cloud with data on shared servers, is like detached condos with shared garages and common storage areas. Hybrid cloud can seem safer than multi-tenant, and it’s often less expensive than a stand-alone solution. However, you’re still susceptible if your neighbor’s attached storage unit catches fire and you have collateral damage, or as we saw last summer and discussed above if your cloud neighbor’s data gets ransomware and you’re sharing the server. I have personally spoken to companies that thought they were in a “private cloud” that was down from 10 days without the ability to even send/receive an email, and one CPA firm that was down three months!
Private Cloud is like a personal, stand-alone home on a large private lot that is unaffected by your neighbors. Cyber security is like a 10-foot fence topped with razor wire surrounding that lot, and managed services are like the lawn, pool, and cleaning services that you trust to come in and keep the house in tip-top shape. It’s more expensive than shared options but provides the most controlled environment, highest security, and best service.
All three cloud options work well and all three offer services and price points that fit specific clients. As with all businesses, it’s incumbent upon the firm to do a cost/benefit analysis. Does the higher security available with private cloud justify the higher cost, or do we accept the risk inherent with shared cloud services to benefit from the lower cost? Those are individual decisions for each business.
Conclusion
If we’ve learned anything in the past 18 months, we’ve learned that flexibility in the workplace is paramount, and cloud hosting provides that flexibility. We’ve also learned that cyber-attacks can cause significant damage, cost significant amounts of money, and position a company as the top news story of the day which none of us want.
Protect yourself. Whether you’re considering cloud hosting for the first time or evaluating your current hosting solution based on the changes in the environment we’ve all experienced this past year, ask the five questions above to keep yourself safe.