Digital Doughnut Contributor, 18 November 2013
Categories: Technology

Cloud security for SMEs: 7 key steps

Cloud security remains a key concern for SMEs, and is still often cited as a chief impediment to moving to the cloud.

Below are seven steps which SMEs should follow when considering a cloud service, selecting a cloud provider and managing a cloud contract.


1. Audit your data

Review your data to determine whether there is any which should not be shifted to the cloud (e.g. because a contract restricts the transfer of confidential information, or your privacy policy does not allow certain personal data to be transferred). Create a clear record of the categories of data you intend to shift to the cloud.


2. Do your homework

As the cloud market is maturing, there are now many service providers and types of service on offer. This means you can shop around to find the cloud provider that best meets your security and other needs. Asking the right questions before you select a provider is key.


If you are transferring personal data to the cloud, you are likely to be viewed as a ‘data controller’ of the data under EU data protection laws and will be responsible for ensuring that any processing of personal data is secure - even where that processing is carried out by a cloud provider on your behalf. You will therefore need to choose a cloud provider that gives sufficient written assurances in respect of security.


A good starting point for SMEs is the Information Commissioner’s Office (ICO) guidance on the use of cloud computing (2012). The guidance outlines the different types of cloud models, including the risks associated with them, and raises questions to take into account during a cloud selection process. For example:


  • How is data stored by the cloud provider (e.g. is it co-mingled with other customers’ data)?
  • Does the provider have any industry accreditations (e.g. ISO 27001)?
  • Can it give you copies of any independent security audits or other evidence of its security track record?
  • How does it monitor, report and deal with security breaches?
  • Is encryption used/permitted?


EU data protection law regulates the transfer of personal data outside the European Economic Area, so - if you’re shifting personal data to the cloud - it’s also important to ask where the provider’s servers are located and what safeguards are in place there. Cloud providers should be transparent about this. Some providers offer ‘Europe-only’ solutions, or US clouds operating within the confines of the Federal Trade Commission-enforced ‘Safe Harbor’ regime, but whether these (or other) solutions are appropriate - or necessary - for you will depend on your particular circumstances. If in doubt, seek legal advice.


3. Look at the contract

The flexibility and pricing benefits of public cloud solutions come at a cost: most SMEs will be presented with standard terms on a ‘take it or leave it’ basis for such solutions. You will need to shop around to find the best terms for your business, remembering that - as data controller of any personal data in the cloud - you must retain sufficient control over the personal data to meet your legal obligations. The contract should, for example:


  • state that the provider will act only on the customer’s instructions;
  • give assurances as to the security of your data;
  • specify the limited circumstances in which the provider can access the data;
  • clarify the customer’s rights to access and delete the data; and
  • set out how security is monitored and breaches are dealt with.


4. Encrypt data where necessary

Encrypt any personal data ‘in transit’ between your IT infrastructure and the cloud provider’s to limit the risk of unauthorised access to, or exposure of, the data, and ensure that the encryption used meets industry-recognised standards. The ICO also advises businesses to consider whether encryption should also be used for data ‘at rest’ (e.g. where sensitive personal data is stored in the cloud).
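As an added illustration of the ‘in transit’ half of this step (example code written for this page, not code from the article or from the ICO guidance), the Python script below uses the standard library’s `ssl` module to build a client-side TLS context for connections from your own systems to a provider, and to review a context against a baseline that this example assumes as ‘industry recognised’: TLS 1.2 or newer, the provider’s certificate verified against trusted CAs, and the certificate matched to the hostname. The weakened context is constructed here only to show what the review flags; the function names and the baseline are this example’s own assumptions.

```python
import ssl
from typing import List

# Baseline this example treats as "industry recognised" for data in transit
# (an assumption made for illustration, not a figure taken from the article):
# TLS 1.2 or newer, the provider's certificate verified against trusted CAs,
# and the certificate checked against the hostname you connect to.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def review_transit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client-side TLS context; an empty list means it meets the baseline."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname (check_hostname is False)")
    if ctx.minimum_version < MIN_TLS:
        findings.append("minimum protocol version %s is below TLS 1.2" % ctx.minimum_version.name)
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Context for connections from your infrastructure to the provider's service."""
    ctx = ssl.create_default_context()   # loads system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = MIN_TLS         # refuse TLS 1.0/1.1 even if the peer still offers them
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed example of a context weakened to 'make certificate errors go away'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE       # any certificate is accepted, so an interposed party goes unnoticed
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1   # some OpenSSL builds refuse to enable old versions
    except ValueError:
        pass
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        findings = review_transit_context(ctx)
        print(name, "-> meets baseline" if not findings else "-> " + "; ".join(findings))
```

The same review can be run over the context your own integration code actually passes to its HTTP client, which is where weakened settings tend to survive unnoticed. Encryption of data ‘at rest’ in the provider’s storage is a separate control that this block does not cover.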


5. Check your privacy policy

You may need to amend your privacy policy if it doesn’t currently allow you to process personal data in the cloud. The ICO states that businesses should be as open as possible with individuals when processing personal data in this way.


6. Manage your contract

To maintain control of your data throughout its lifecycle, monitor and review your cloud provider’s security measures on a regular basis to ensure that they are meeting the expected standards, and check whether any updated security audit reports are made available.


7. Train your staff

Security measures are only as good as the people implementing them. Ensure relevant staff understand their responsibilities; e.g. to keep their authentication details safe, maintain the security of encryption keys and adhere to access controls.


The steps above are simply starting points for an SME considering a cloud service, or a quick checklist for those who have already shifted data to the cloud. Regardless of what stage you’re at, though, bear in mind that careful consideration of the security risks at the early planning stage, and the implementation of sound risk management strategies, are central to a successful cloud project.
