The COVID-19 pandemic has sent businesses scrambling to support their newly mobile workforce. For many of these businesses, this means they’re turning to cloud-based SaaS providers for collaboration, online meetings, and document sharing.
Unfortunately, this rush has meant that security problems have cropped up one after another. Recent headlines have focused on lax security measures that allowed Zoom meeting “takeovers”, among others. And even before the pandemic, poor security practices on cloud providers have led to several data breaches, including one involving real estate giant Regus.
If your company has turned to cloud providers and SaaS platforms to enable your remote workforce, what precautions should you take to protect your data and your users?
Choose Your Cloud Providers Wisely
While this may seem impossible in the rush of a crisis, vetting who you choose to trust with your data is more important than ever. Zoom found itself in hot water over its privacy practices, among other things. So take the time to read the fine print to make sure your data will be protected.
Also, some services have more granular security controls than others. A full-featured cloud workspace service like Office 365 or G Suite will give you much more control over the security of your data than a free service or a one-off productivity tool. These commercial services also allow you to integrate with your existing authentication landscape, such as Active Directory. This can simplify management in the long run and give you access to better auditing and security features.
Double Check Your Cloud Security Settings
Many “pro” level cloud services come with fairly lax security baselines by default. One of the complaints against Zoom (not to keep picking on them, but…) was that the default security options didn’t protect users against malicious actors. And this was true — Zoom was expecting that a system administrator would lock down the settings on these accounts after making decisions.
The same is true of many other cloud services. You should review the account-wide security settings and determine what you can lock down without impacting functionality. In the Regus breach mentioned above, users at the company inadvertently opened up Trello boards to the public. You can mitigate these breaches by enabling account-wide security settings that will prevent users from accidentally making poor security choices.
Classify Your Cloud Data
When we talk about “classified data”, you may think of top-secret government information filed away in locked cabinets. But classification really just means sorting your data by how sensitive it is and how serious it would be if that information were to be disclosed to those who shouldn’t have it.
You can use a similar principle when it comes to choosing which data your users can share on which cloud services. Some data is basically public, and so can be shared relatively freely. But other things need to be highly protected, like personal information about your customers, or unreleased product information. Having this kind of classification system in mind — even informally — can help you to make decisions about which cloud services to use and how to secure them.
Audit Your Cloud Usage Continually
Just like any systems that you manage, cloud services need to be checked regularly for compliance with your security requirements. Cloud services are updated frequently, and the security options that are available to you may change over time. Regularly review these new features to see if they can help you to keep your data secure.
It’s also good to audit which cloud services are in use, and make adjustments as your business needs change. Can data be consolidated into a single service? Are there features already included in your enterprise cloud suite that could be used instead of another SaaS provider? Having fewer systems to manage will reduce your attack surface and help you to keep your data secure.
As many companies have learned, the cloud can be a two-edged sword. When configured and secured properly, it can give your company the flexibility to withstand even major disruptions. But used incorrectly, cloud services can open your company up to data loss, service disruptions, or worse. By taking the time to understand and secure the services that you’re using, you’ll protect your business and your data from these threats.