Some are still very sceptical about it, while others use it without giving much thought to the potential risks: cloud services. In this blog article, we would like to show you how to handle and protect data responsibly in the cloud, both your own and that of your customers.
Email providers refer to the paid cloud when the email inbox starts to get full. Smartphone providers refer to the cloud when the phone's storage space is no longer sufficient. In addition, the cloud is a popular backup storage. If the device is defective, the data can be restored very easily. This creates a secure feeling!
Since both private and business everyday life is becoming more and more digitalized, and this also requires more and more data storage, it is likely that even more people will choose their own private or business cloud variant in the next few years - not only because it will no longer be possible to store all data locally at some point due to current and new technologies, but also because the clearly convincing advantages of a cloud solution are slowly making the sometimes justified doubts fade away.
In the business context, data is often simply passed on to customers and partners via a link. This link then points to the cloud, which contains the data. Appointments can also be coordinated via a cloud. Here, a cloud not only enables more flexible working, faster access to the latest documents and professional data exchange with customers and business partners - it also gives the user the reassuring certainty that a hardware defect does not have to mean a complete loss of data.
For others, a cloud provides a test and development environment. Pretty versatile! - And it's also flexible and simple - and not just because the data is always and everywhere available.
Cloud services are one thing above all: simple and practical. The cloud makes it possible to store private and business data centrally, to access it at any time and to transfer it to others in a straightforward way.
Ultimately, "the cloud" is online storage or an application available online - or a combination of both. It is therefore no longer located directly at the user's premises, but - quite simply - on one or more servers in the provider's data center, assuming the provider has its own data center; otherwise it may have rented this space. The data is therefore in a central location and access is possible regardless of location and device - often by several (authorized) persons.
All quite practical and once you get used to the system - also very comfortable.
But back to the secure feeling! Can you actually rely on any cloud to be secure?
It's already been hinted at. Acceptance of the cloud is growing. It is slowly becoming "normal" to store one's data here. Be it vacation photos, the appointment planner, birth dates and telephone numbers of friends, acquaintances, colleagues or customer data. Project plans, certificates, etc. - everything is in the cloud. Even video conferencing runs over it. The question is:
Would you theoretically be able to show this information to anyone without feeling uncomfortable? - because that's exactly what could happen if the cloud you choose is not the most secure.
Now, if you say, "No, I don't have any sensitive data in the cloud," we'll say, "Maybe you do!" - namely, if your backup is in the cloud. Do you always have an overview of everything that is uploaded here? All contact data is surely only a part of it. And: it is ok and makes sense. But only if these partly sensitive and personal data are also protected accordingly.
A simple password for your cloud is definitely not enough for optimal security! There are several components that must "interact" intelligently here. One is the way in which the cloud is used. On the other hand, the type of application (software) and the behavior of the provider are also important. How responsibly do all parties involved handle the data?
After all, if all these security components are not covered - and there is a data loss or even an attack by cyber criminals, this can even have financial and legal consequences for you.
And, do you still feel safe?
Before we explain how you can protect yourself and your data in the cloud, we would first like to clarify in general terms what you should actually protect yourself from.
There is a difference between your data simply being "gone" - deleted, disappeared - and it being read by cybercriminals and misused for criminal purposes. Neither is pretty, and both can lead to negative consequences (costs, criminal charges, damage to your reputation, loss of revenue, etc.) - all the way to the end of your business.
So you should be protected from two things: Data loss & cybercrime.
And who protects you and your data? - You yourself! And your cloud or hosting provider!
So there are two levels on which both you and your provider need to act.
To further evaluate security-related aspects, you should also know the types of "clouds" and how they are generally used. After all, the above scenarios do not completely describe the phenomenon. So here is a brief "cloud systematization":
Here, storage facilities, network components and other resources are primarily made available to the user via the Internet.
Applications, i.e. software, are made available to the user via the Internet.
Here the user gets access to a cloud environment. The infrastructure is provided in which applications can be tested and developed, for example. Both hardware and software play a role here.
Looking at these 3 types, it should already be clear that security must be established at several levels. On the one hand, this concerns data transmission and storage and, on the other, the security of the software used. Here, too, one has to start at several points.
Cloud security must therefore be established on both the provider side and the user side, and at both the IT infrastructure level (data center, server, data transmission) and the software level. But what does this look like in concrete terms?
Perhaps the most important point first: Choose a provider with whom you can be sure that your data is in good hands.
You can tell this by the fact that this provider takes the following points into account!
Many providers offer you ready-to-use cloud solutions in different variants. Here it is not only important to pay attention to performance features such as storage space. Therefore, we would like to point out a few more features that you should definitely pay attention to for more cloud security.
Anyone who wants to have secure and permanent access to their data should also take a closer look at the availability, data safety and fail-safety of the data center in which the cloud "resides".
The security aspects include, for example, the permanent monitoring of various parameters by the provider, so that constant availability of the servers is guaranteed. After all, what good is data if it cannot be accessed at the decisive moment?
It must also be ensured that unauthorized persons cannot access the data center and therefore your cloud. This is done through various methods of access protection, such as camera surveillance.
The server on which your cloud is located must also be protected in the event of fire or storm damage. Data center operators can also take various measures for this case.
Furthermore, the power supply or data connection may be interrupted at some point for various reasons. In the event of possible failures or damage to lines, a redundant data connection or power supply must always be ensured. For such cases it also makes sense for the provider to "mirror" the data of its customers in order to have a backup available in case of emergency.
Of course, various security mechanisms such as good DDoS protection should be provided by the provider so that the data in the cloud can be secure and almost always available.
If you want to be sure that your own data is optimally protected against unauthorized access, you should first make sure that the cloud - i.e. the server with the corresponding data - is located in a data center in Germany or the EU. This is the only way to be sure that the German Data Protection Act and the EU Data Protection Regulation are applied. This rules out data retention, for example.
Care must be taken to ensure that encryption takes place in various ways - firstly in relation to the data and secondly in relation to its transmission. If this does not take place, it is particularly easy for hackers to intercept the information on its way from the sender to the recipient.
For this reason, transmission should not rely on the TLS protocol (SSL certificate) alone, but should use end-to-end encryption. Here, the information is encrypted at the sender and decrypted only at the recipient, so it remains unreadable on the servers in between.
To ensure that hackers and unauthorized persons do not have an easy time accessing your data, it is important that you can define users and access rights for the cloud and that 2-factor authentication can be set up for the login. It should also be possible to set a time limit for access links, for example.
In summary, all functions are useful that ensure that only the people who are authorized, and for whom the data is intended, can access the data in the cloud.
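A time limit for access links is typically enforced by signing the file path together with an expiry timestamp using a key only the server knows. The following is an added example, not code from Keyweb, ownCloud or Nextcloud; the endpoint `cloud.example.com/s`, the demo key and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed demo key (assumption); a real service loads a random secret.
SECRET = b"constructed-demo-key-not-for-production"
BASE = "https://cloud.example.com/s"  # hypothetical share endpoint


def _sign(path: str, expires: int) -> str:
    # Bind the signature to both the file path and the expiry time,
    # so neither can be changed without invalidating the link.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_share_link(path: str, ttl_seconds: int, now: int) -> str:
    expires = now + ttl_seconds
    query = urlencode({"exp": expires, "sig": _sign(path, expires)})
    return f"{BASE}{path}?{query}"


def verify_share_link(url: str, now: int) -> str:
    """Return 'ok', 'expired' or 'invalid' for a presented link."""
    parts = urlsplit(url)
    if not parts.path.startswith("/s/"):
        return "invalid"
    path = parts.path[len("/s"):]
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return "invalid"
    # Verify the signature in constant time before trusting the expiry.
    expected = _sign(path, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "invalid"
    return "ok" if now < expires else "expired"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    link = make_share_link("/projects/plan.pdf", 3600, t0)
    print(link)
    print(verify_share_link(link, t0 + 60))    # within the time limit
    print(verify_share_link(link, t0 + 7200))  # after the time limit
```

Because the expiry is part of the signed message, a recipient who edits `exp` to extend the link, or swaps the file name, gets `invalid` rather than access.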
What if not only the provider of a software would take care of the security, but an extremely large community of developers would be jointly responsible for this? The probability that security gaps could be discovered and fixed quickly would be enormously high! This is how open source software works. Contrary to what the average informed Internet user might assume, the term "Open Source" does not refer to the fact that the program is freely available - i.e. free of charge - but to the fact that the source code can be freely viewed, edited and used by third parties. This means that it is constantly being examined and further developed in terms of its security and therefore offers a sensible alternative to classic commercial software. As soon as a software - or even a cloud solution - is based on open source software, the probability that it is also particularly secure is quite high. An example of this would be ownCloud as open source software or the Nextcloud based on it, which serves as the basis for cloud applications.
How does the provider handle the data? When is it really deleted from all data carriers after the cloud is terminated or deleted by you? What data is collected in the course of fulfilling the contract? - Is this more than necessary? Who gets access to this data? - You should consider and check all these points before using a cloud.
If you take a closer look at the general terms and conditions and data protection declarations of a wide variety of non-European online services, you will quickly discover that in some cases private information - even if anonymized - may be analyzed and processed by the providers or their partners.
Sometimes, even with the most user-friendly interface or after intensive independent research, questions or problems arise that you cannot solve yourself. In such a case, it makes a lot of sense and is therefore very reassuring if you can reach the provider of the cloud you are using as quickly as possible and receive a competent answer promptly - in the best case, directly from the provider. For example, good availability of the hotline and personal contact persons in customer service are positive indicators.
As is so often the case with IT and security, the user himself also plays an important role in the cloud. The user can also contribute to the security of the cloud through various measures. Here are a few tips for you as a user:
Only access your cloud via trusted networks. If you use a public network, be sure to use VPN access. This may require additional software on your device, which you can have set up by an IT administrator. You can use this connection to securely access your company network and your cloud from another location, for example.
Data requiring special protection should be specially encrypted or password-protected directly on the user's computer. Accordingly, the data recipient, i.e. another user, must be able to decrypt the data.
Always handle your data responsibly. This also means that you only give access to people who should and are allowed to use the data. The same applies to the links that grant access to the data.
Passwords should always be personalized and used accordingly. It makes little sense for an entire team to use the same password. In the event of an emergency, it is not possible to trace where the "data leak" was.
Your IT security concept or IT security policy, if you use the cloud for business purposes, should also contain information on the secure use of the cloud. This way, everyone involved knows how to handle the data securely.
Finally, it should be mentioned that you should always think about which information should be stored in a cloud at all and whether in some cases - for example, with particularly sensitive data - a local solution is not the better option.
In the end, everyone must decide for themselves to what extent the aspects mentioned are important - also depending on the respective project and the corresponding data. However, the decision should always be made consciously so that there is no "rude awakening" later and the joy of the selected cloud lasts for a long time!
Make a conscious decision in favor of a variant that meets the criteria that are important to you. In this way, you can not only enjoy the benefits of a cloud with a clear conscience - business partners, customers, friends and family members will certainly appreciate it when project-related or private information is in good hands - or on a good server.
If you have any questions about cloud and data security, the Keyweb team will be happy to help you at any time.