Security in the Cloud

As Joshua Peskay explained to a group of fifty nonprofit professionals at NPCC, “Cloud computing has a branding problem.” For most people, the word “cloud” brings to mind something that is wispy and transient, not exactly what you’re looking for in a critical technology infrastructure.

Many people have grave concerns about trusting the cloud. Joshua started the workshop by asking attendees to stand close to a sign reading either “Strongly Agree” or “Strongly Disagree” after considering the following statement:

I can confidently explain the cloud.

Most people stood in the middle of the room expressing only moderate confidence in explaining cloud computing. When asked about why she was standing in the middle, one participant responded, “Our payroll service is asking my organization to move our data to the cloud and I feel very insecure about that.”

Joshua showed the audience a short video tour of a Google Data Center. “This,” Joshua explained, “is what the cloud looks like from the other side.”

People feel insecure about their information security because even large and well-financed organizations such as the NSA, the White House, Target, Chase Bank, Home Depot, and most recently, Sony, have all been hacked. And if these organizations, with their extensive resources and high-priced IT departments, can’t protect their data, how can a small nonprofit organization have any hope of keeping its information safe?

The answer is that there are a lot of things those companies did wrong that don’t necessarily cost a lot of money to do right. And it starts with something called a risk analysis.

At the workshop, Joshua described how to approach information technology risk analysis. He said that unless you think it’s a distinct possibility that your organization as a whole might be targeted by hackers, that is not the scenario on which you should focus your security efforts. Consider instead what security breaches are most likely to occur to your information and what the impact would be if one of those breaches occurred.

Risk Analysis Explained

Joshua explained that in a risk analysis you are essentially asking the following questions:

  • What information do you have?
  • Where is that information?
  • How much do you care about it?
  • What could happen to it?
  • How likely is something to happen to it?
  • How bad would it be if it did happen?
  • How will you know if it happened?
  • How will you respond?

The first step is assessing your data. Exactly what data do you have, where is it, and how important is it? There are three ways to think about your data: (1) data you don’t care about, (2) data you can’t lose, and (3) data that can’t be exposed. You only really need to pay attention to the latter two: the data that you can’t lose or that can’t be exposed. For these two data sets, ask yourself how important your data is and how likely it is that the data would face a threat. At the workshop, Joshua asked participants to write down on a post-it the types of information they have in each category, then bring them up and place them on posters. Here’s what one of these posters looked like after the exercise:

Post-it board for types of data

Data you “don’t care about” is data that can easily be replaced via backups, is old and no longer useful, or is public and is non-sensitive information, etc. Data you “can’t lose” may include completed work products or documents, operating manuals and handbooks, employee records, etc. Data you “can’t expose” includes HR records including salary information, donor information, credit card or Social Security numbers, in-house emails, etc.

As Joshua pointed out, once you’ve identified what data you have, where it is, and how important it is to protect, your next goal is to understand what may happen to your data, and what is likely to happen to it. And, finally, to understand the impact should any of those threats actually occur.

In general, when assessing the impact of a breach, think about it in terms of the direct impact on your time, money and reputation. How long might you be unable to operate, and how long will it take to get you up and running again? How much will it cost in money and man-hours to repair the damage, and how much will you lose while you’re out of service? And how will the breach affect your reputation among your constituents, your donors and your staff?

After thinking about the risk levels of the data your organization has stored or archived, ask “What can happen to our data?” Your data might be:

  • Lost
  • Changed
  • Misappropriated
  • Unavailable
  • Exposed

Drawing on twenty years of experience as an IT professional, Joshua shared that the biggest threat to an agency’s data, by a wide margin, is human error. Someone accidentally deletes something important, or shares something that should have been kept private. Or, more commonly, someone simply circumvents your organization’s security protocol for their own work needs by, for example, copying files to their own laptop or personal Dropbox account so they can work on them from home. (Something we’ve all done!)

Clearly established and published protocols about IT use within your agency reduce this risk. What can and cannot be done with your data, and by whom? Developing in-house access controls that lay out who specifically can see and/or edit data is crucial.

Joshua went on to say that the best protection against data loss is doing regular periodic backups and running backup and restore tests on a weekly or monthly schedule. The next biggest threat to your data is failing infrastructure: a failing server, frayed connections, software that hasn’t been updated, moisture damage, etc.

Assessing the potential harm to your organization if data becomes unavailable, for whatever reason, is vitally important to your business continuity. However, understand that protecting your most sensitive data from exposure is extremely difficult and may require the guidance of an IT expert.

Be aware that there is a gap between having a backup and having your data restored. Consider this scenario:

I have a backup of my QuickBooks file. But if the server goes down, I can’t make the backup available without an alternate server, and I may need technical expertise to get the system up and running.
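The restore tests recommended above, and the gap between having a backup and having your data back, can be turned into a small drill. The following Python example is added here and is not code from the workshop or from RoundTable Technology; it backs up a few constructed sample files (hypothetical names), restores them into scratch space, and verifies every file by hash, and the two failure modes it exercises (a file the backup job skipped, and a truncated archive) are assumptions for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

SAMPLE_FILES = {  # constructed sample data standing in for files an organization can't lose
    "finance/quickbooks.qbw": b"ledger 2015-01-01: opening balance 1200.00\n",
    "hr/handbook.txt": b"Employee handbook, revision 3\n",
    "donors/list.csv": b"name,amount\nA. Donor,250\n",
}
# Use the hardened tar extraction filter where this Python offers it (3.12+ and patched 3.8-3.11).
EXTRACT_OPTS = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}

def write_sample_data(root):
    """Create the sample files under root; return the manifest {relative path: sha256}."""
    for rel, content in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
    return {rel: hashlib.sha256(c).hexdigest() for rel, c in SAMPLE_FILES.items()}

def restore_test(archive, manifest):
    """Restore into scratch space and hash-check every file the manifest expects; return (ok, problems)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **EXTRACT_OPTS)
        except Exception as exc:  # an unreadable archive counts as a failed restore, not a pass
            return False, [f"restore failed: {exc}"]
        for rel, digest in manifest.items():
            p = Path(scratch) / rel
            if not p.exists():
                problems.append(f"missing after restore: {rel}")
            elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
                problems.append(f"content changed: {rel}")
    return not problems, problems

def run_drill(skip=(), corrupt=False):
    """Back up the sample data, optionally damage the backup, then restore-test it."""
    with tempfile.TemporaryDirectory() as work:
        src, archive = Path(work) / "server", Path(work) / "backup.tar.gz"
        manifest = write_sample_data(src)
        with tarfile.open(archive, "w:gz") as tar:  # 'skip' simulates a mis-scoped backup job
            for rel in SAMPLE_FILES:
                if rel not in skip:
                    tar.add(src / rel, arcname=rel)
        if corrupt:  # truncated archive, as left by a full disk or an interrupted copy
            archive.write_bytes(archive.read_bytes()[:20])
        return restore_test(archive, manifest)
```

The point of the drill is that only a restore that is actually performed and checked against a manifest recorded at backup time tells you the backup is usable; the archive simply existing tells you nothing.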

The final steps in a risk analysis are to figure out how, to whom, and how fast notification will be given when a service fails or data is lost, misappropriated, unavailable or exposed; and then to understand the process necessary to get your data protected and back online as quickly as possible. Will you need to consider a “failover process,” whereby a secondary service starts working when the primary service fails?

To recap, the steps in performing a risk analysis are (in broad strokes):

  1. Assess your data
  2. Assess threats to important data
  3. Shape a plan to protect important data from likely threats

To learn more about security tools, or for more information about cloud security or security in general, you can take a look at the slide deck from the workshop, explore the resources at the end of the deck, or, of course, contact RoundTable Technology and ask us, we’re just an email or phone call away.