Here’s what to check to make sure your data and apps are secure in the cloud.
This article is sponsored by AWS - reliable, scalable, and inexpensive on-demand cloud computing services built to meet the requirements of the most security-sensitive organisations.
It would not be an exaggeration to call it "the cloud revolution" - cloud platforms and services such as Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) have enabled organisations of all kinds to take advantage of on-demand computing power, storage and tools that would previously have been unimaginable for all but the biggest budgets. The cloud is an absolute no-brainer for charities running digital services, websites or infrastructure, but for organisations that handle sensitive constituent and donor data, security is the first concern. Storing data in the cloud is generally safer than keeping it locally for the simple reason that major cloud providers are held to strict standards to be able to operate, and these include being responsible for customers’ data in their datacentres. As a cloud infrastructure customer, you fortunately inherit the best practices of that vendor around policies, architecture and processes built to keep security-sensitive organisations’ data safe. However, there are a few vital checks you should make before taking the plunge with a cloud vendor:
A provider should be able to demonstrate their adherence to security standards and best practices by showing that they comply with industry-recognised standards. Security schemes like ISO 27001 or certification under the government’s Cyber Essentials Scheme are good ones to look out for, but there are several others. The Cloud Industry Forum, a professional membership body for cloud providers, lists a few of the most common security certifications and regulatory standards on its website.
As well as verifying that your provider is doing things by the book, research how they actually put those standards into practice, looking at their processes, data management policies and how they have dealt with reported incidents and risks in the past. The CIF Code of Practice framework has some useful guidance to help identify relevant security and data governance policies and processes as part of a provider assessment. For instance, look to understand the provider’s data loss and breach notification processes and ensure they are aligned with your organisation’s own policies and regulatory obligations such as GDPR. The NCSC’s Cloud Security Principles provide a detailed and systematic approach to determining whether a cloud service is a good match for your particular security needs.
Once you have a good understanding of how a cloud provider’s policies, processes and standards align with your organisation’s, make sure you read the small print. Ensure that the contract or SLA you are signing with them aligns with their stated security processes. Cloud contracts can be complex and it might be wise to get a third-party IT specialist involved to check through it and challenge anything that seems amiss. Whether it is a standard online terms and conditions check box or a fully negotiated contract, it’s vital to check who is responsible for what, and also to check what your terms and conditions allow you to do if your provider fails to do what they promise in any way. CIF advises that: "Security requirements should be specific and measurable, since clauses which are too generic can add cost, have limited value and may be unenforceable."
You may or may not have control over where your data is stored or processed in the cloud, but this is one question it’s important to ask. Under GDPR, EU law requires that all data stored on citizens must be either stored in the EU so it is subject to European privacy laws, or within a jurisdiction that has similar levels of protection for data. The US is not deemed to have sufficient safeguards so a legal mechanism called ‘Privacy Shield’ is used, which means individual US-based cloud organisations must prove they will protect your data. See more on ensuring your cloud vendor is GDPR compliant on the CIF website.
Lastly, don’t forget that security is your responsibility too. While providers manage security of the cloud in their own datacentres, you are responsible for your own content, apps, systems and networks. Before moving to the cloud, take the time to review your security posture and what changes and controls need to be implemented to operate securely. The NCSC’s 10 Steps to Cyber Security is a good framework for any organisation to follow. Encryption is also important, especially for data that is in transit between your own network and the cloud, and therefore vulnerable. Not only should you be ensuring that vendors encrypt data that is in transit, you should have your own encryption measures in place wherever possible - here is a quick guide.