As we move ever closer to the enforcement of the GDPR 2016/679 on May 25th 2018, the importance of knowing with confidence the nature and quantity of personal data flowing through businesses and organisations cannot be overstated. One specific area, cloud computing, has become the source of many queries in this regard. The Data Protection Commissioner’s Office has published 5 steps to secure cloud-based environments, which I have summarised below.
While offering advantages to organisations, cloud services also introduce security risks that organisations should be aware of, such as:
- Data breaches
- Hijacking of accounts
- Unauthorised access to personal data
Organisations should set about implementing a documented policy and apply appropriate technical security and organisational measures to secure their Cloud activities. If organisations do not implement such controls, they may increase their risk of a personal data breach.
A good start is to look at:
- Access controls
- Staff training
- Policy development
A layered approach to Cloud-Based security mitigates the risk that a single security measure fails and results in a personal data breach.
Many Cloud-Based providers provide advanced settings and solutions which can assist organisations to secure their use of Cloud-Based services. These providers may also offer best practice guidance to assist organisations in securing their Cloud use.
Additional information, advice, and best practice regarding security of Cloud-Based environments is also provided by agencies such as the European Union Agency for Network and Information Security (“ENISA”) and the US-based National Institute of Standards and Technology (“NIST”).
1. Access control and authentication
- Organisations should implement strong password policies
- Organisations should implement two-factor authentication
- Organisations should be aware of and document user access privileges within their Cloud-Based environments. This is particularly important where group mailboxes or shared folders are utilised
- Security measures must be supported by regular reviews of user access
2. Review default security settings
Do not rely on Cloud-Based service providers’ default security settings. Engage with the layered options available to enhance security.
Examples of security settings and controls include:
- Centralised administration tools
- Mobile device management
- Multifactor authentication
- Login alerts
- Encryption during message send and receive
- Encryption of message content
- Account activity monitoring and alerts
- Data loss prevention
- Malware protection
- Spam and spoofing protection
- Phishing protection
Organisations should also be aware that Cloud-Based services might be publicly accessible, and should review and implement the appropriate security settings to secure remote access.
3. Seek assurances from your ICT service provider
Organisations may utilise external ICT (information and communications technology) service providers to implement their Cloud-Based environments. It is vital during such engagements that organisations seek formal assurances from their ICT service provider that the security controls which have been implemented meet the organisation’s specific security requirements and protect the organisation’s personal data. Conduct regular security reviews.
4. Clear Policies and Staff Training
- Organisations should ensure that staff receive appropriate training on social engineering attacks, phishing attacks and security threat practices.
- Organisations should have clear policies in place with respect to the usage and security of Cloud-Based services, especially under Bring Your Own Device (“BYOD”) policies.
- Organisations should have clear “employee leaver” and “succession” policies in place, and these should be applied to an organisation’s Cloud-Based environment.
- Organisations should have a clear policy in place for data retention to ensure that personal data is not retained longer than necessary or where the original purpose for the use of the personal data has ceased.
5. Know your data and secure it
- Organisations should understand and monitor the types of data that are stored in their Cloud-Based environments.
- Organisations should utilise data classification methods to identify the data which they store and process within Cloud-Based environments.
- Organisations should carefully evaluate Cloud-Based vendors (obtain independent advice from a tech security specialist if necessary), asking:
  - Who has access to your data?
  - How is it secured?
  - How often is the data backed up?
  - Does your cloud policy reflect the service received from your ICT provider?
  - Are your security measures kept under regular review, rather than letting a once-off “set and forget” habit develop?
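As an added example that is not part of the DPC guidance or this post: a small Python access-review script run over a constructed user export, flagging the conditions steps 1, 4 and 5 above ask organisations to check (accounts without two-factor authentication, leavers whose accounts are still enabled, overly broad shared-mailbox membership, and overdue access reviews). The export format, field names and thresholds are assumptions, not any provider's schema.

```python
"""Periodic access review over a cloud-tenant user export (added example)."""
from datetime import date

# Constructed sample export; field names are assumptions, not a vendor schema.
USERS = [
    {"user": "alice", "enabled": True, "mfa": True, "role": "admin",
     "left": None, "last_review": "2018-03-01"},
    {"user": "bob", "enabled": True, "mfa": False, "role": "user",
     "left": None, "last_review": "2017-06-30"},
    {"user": "carol", "enabled": True, "mfa": True, "role": "user",
     "left": "2018-01-15", "last_review": "2017-12-01"},
]
# Shared mailboxes / folders and their members (constructed).
SHARED = {
    "sales@example.com": ["alice", "bob", "carol", "dave", "erin", "frank"],
    "hr@example.com": ["alice"],
}


def review_access(users, shared, today, max_review_age_days=90,
                  max_shared_members=5):
    """Return sorted (subject, finding) pairs for an access review."""
    findings = []
    for u in users:
        if not u["enabled"]:
            continue  # disabled accounts need no action
        if not u["mfa"]:
            findings.append((u["user"], "no-2fa"))
        if u["left"]:
            # Leaver policy: a departed person's account is still enabled.
            findings.append((u["user"], "leaver-still-enabled"))
        age = (today - date.fromisoformat(u["last_review"])).days
        if age > max_review_age_days:
            findings.append((u["user"], "review-overdue"))
    active = {u["user"] for u in users if u["enabled"] and not u["left"]}
    for box, members in shared.items():
        if len(members) > max_shared_members:
            findings.append((box, "shared-mailbox-broad-access"))
        for m in members:
            if m not in active:
                # Member is unknown, disabled or a leaver: privilege is stale.
                findings.append((box, f"member-not-active:{m}"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in review_access(USERS, SHARED, date(2018, 5, 25)):
        print(f"{subject}: {finding}")
```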
Cloud-Based security settings should be reviewed on a regular basis to ensure that they are still appropriate and up-to-date.
If you wish to discuss the above, or indeed data protection matters in general, contact me, Donnacha T. Anhold at Carter Anhold & Co., Solicitors (Sligo and Dublin) at +353 71 9162211.