In the previous part, we discussed what the Cloud—particularly when used for storage purposes—really is, and some security concerns that may arise from this better understanding. In this second part, we will run through some more points for ensuring that your file storage procedures are secure, and present an analogy to help you think about your processes.
Ultimately, then, the Cloud is ‘just someone else’s computer’ (or computers). These computers have to be physically located somewhere, even if that somewhere is out of sight and out of mind for you. Unfortunately, not all countries are created equal when it comes to data protection standards, so an awareness of where your files will actually find themselves may be necessary.
For example, the EU GDPR restricts the transfer of personal data to countries outside of the European Economic Area unless an exception applies, such as an adequacy decision covering the data protection standards of the country in question. So far, full decisions have only been issued for Andorra, Argentina, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, and if Britain leaves the EU in the near future it, too, will require such a decision to be made in order for EU-based companies to transfer data to it.
Also, you may have to deal with classified information as part of the normal running of a company—all companies should have some sort of information classification framework in place. Consider how some classification levels may affect your ability to save a file remotely. If a CONFIDENTIAL document is not to be taken outside of the company premises, do you think it should be saved in an Irish data centre? If a RESTRICTED document is only to be transferred electronically after having been encrypted a certain way, should you be doing that before you transfer the file to the remote storage? Finally, whilst it will likely never come up for most businesses, consider your responsibilities if your line of work brings you into contact with government-classified information. TOP SECRET – UK EYES ONLY, for example, will limit your storage options further than the GDPR and its adequacy decisions.
The term ‘Cloud storage’ makes what is ultimately a very old concept sound like some sort of new-fangled whizz-bangery, which is exactly what those attempting to market such services want, but which is not overly helpful for the end user. Instead, think of Cloud storage as just the digital version of external storage, whether that means large-scale warehousing or small-scale self storage.
Eventually, there will be cost benefits to storing work-related material somewhere other than the office (or you will simply run out of room). For the most part, this will be fine—your storage partner can be reasonably expected to be an expert in the business, and their security provisions will likely be greater than any you could have implemented on your own. However, that does not mean that they are invulnerable to being broken into, and they may even be more of a target than you would be on your own due to their range of clients. With that in mind, perhaps there are some things that you could certainly do with keeping in-house.