Is your business storing data in the cloud? Your clients and competitors are most likely already there.
What do you have that’s valuable to criminals, identity thieves and hackers? Keep in mind that hackers target large volumes of consumer data; they want credit card numbers, member numbers, names, addresses and phone numbers by the thousands. Routine business data (except financial, IP and HR information)? Not so much. The first place to look is within your own organization, at your governance and how you manage access to data. That’s a broad topic, and one we’ll address in future posts. For now, here’s an overview of some security basics for you to consider.
When you use Office 365, you’re turning the security of your data over to Microsoft, and the company takes that very seriously. Microsoft has a full-time staff — larger by itself than many companies — dedicated to security. Your Office 365 data is saved in multiple locations across Microsoft’s highly secure network of data centers around the globe. Security in those data centers makes up the foundation for protecting Office 365. If you want to know more about the security of those facilities, you can do a deep dive on Microsoft cloud-scale data center security. The company offers a white paper on the subject on this same web site.
If you’re considering several of the major cloud services available, keep in mind that price is not the only consideration. Access to your files is critical, too, and this is one area where providers differ dramatically, ranging from Microsoft’s SkyDrive Pro, which appears at this writing to offer the most protection, to Google, whose user agreement specifies that it may scan, copy and sell your stored data to others. For a detailed comparison of the services available, see Mark Gordon’s article on the Aptera blog here.
As of this writing, your files are encrypted while they’re in transit from your computer or your network to SkyDrive, but not while they’re stored there (“at rest,” in IT parlance). The Department of Defense uses it. So perhaps that’s safe enough.
Most security breaches are performed by people who have internal access to your files anyway – consider infamous NSA leaker Eric Snowden, for example. Snowden didn’t hack anything or breach any firewalls to get to the data he leaked; he was granted access to the data internally. Sure, that’s a very extreme case, but it underscores the point: the front line of security is how you govern and monitor access to your data in the first place. You are less likely to be a target for outside breaches unless hackers know the data you have is valuable and will be worth the considerable effort required to access that information.
In fact, several of the best steps for securing your files in the cloud are the same ones recommended for your own networks at work and at home. But many people don’t pay enough attention to the security of their networks and devices at those places, either, so here are a few points to keep in mind.
Pay attention to governance with policies that limit and control who has access to your personal accounts. Log out when you finish a session. Anyone who can gain access to your email account because you’re still logged in can easily request a new password from your email provider and gain access. That combination of login and password is the key that unlocks your information.
Using a strong password is perhaps the simplest and most important thing you can do. The days of using your daughter’s name to log in and her birthday as your password are gone. Experts recommend (and Office 365 requires) a minimum 8-character password using at least one capital, one number, and/or a special character. Your password should be random. And keep it to yourself; no sticky notes on your monitor, desk, or anywhere in plain sight. Don’t allow others to use it or share it with anyone.
Use two-step verification, also known as two-factor identification. Yes, it’s an extra step, but the protection could be well worth it. Your operating system most likely already has this feature. You need to store alternative contact information in your Microsoft account profile, because using this step requires an authentication code to be emailed to your phone or generated through an app on your smartphone. Turning two-step verification on requires just three clicks after you log in to your Microsoft account. A checkbox lets you enter an authentication code just once for devices you trust; leave it unchecked when you’re using a device other than one of your own, and it will require a code each time you log in. Detailed directions can be found at the Two-step Verification FAQs page. For more on this process, see CNET’s detailed article here.
If you’re still concerned about the security of your data, consult a data security professional or your company’s IT experts.
A couple of disclaimers: There are considerations beyond those addressed in this post, such as legal access to documents, governance policies, the differences between SkyDrive and SkyDrive Pro, and how those services differ from the many other cloud options that exist. There’s simply too much to address in a single post. We’ll get to them another time. In the meantime, please add your comments and suggestions, especially for anything I missed, in the space below. And please, keep it professional and polite. Opinions differ, and we’re (almost) all adults here.