CSA Blog

FTC Guidance - Six Steps Toward More Secure Cloud Computing

  • 1.  FTC Guidance - Six Steps Toward More Secure Cloud Computing

    Posted Jul 08, 2020 03:24:00 PM

    By Francoise Gilbert – DataMinding, Inc.

    The June 15, 2020 FTC Blogpost, titled Six Steps Towards More Secure Cloud Computing provides a concise, valuable checklist for businesses that use or intend to use cloud services, so that they make their use of cloud services safer. The document is a reminder of the basic golden rules concerning data security when using a third-party service provider.

    1. Security is your responsibility.

    First and foremost: Keep in mind that if it's your data, it's ultimately your responsibility.

    Using cloud service providers (CSP) to store or process your data does not mean you can also outsource security. Throughout the lifecycle of data in your company's possession, security remains your responsibility.

    Even if you rely substantially on your CSP's security tools, you must have a written data security program that lays out your company's process for securing your customer's information, and that ensures that people on your staff remain knowledgeable about maintaining, monitoring, testing, and updating that program. You should train your staff on their obligations under that data security program, so that they perform fully and correctly the tasks set forth in your security program. You must also review your cloud contracts carefully to ensure they spell out your expectations and clearly establish who is primarily in charge of what.

    2. Take regular inventories of what you store in the cloud and how it is protected.

    You cannot use your data if you don't know you have it, and where to find it. This is why you need an "inventory" or a "data map". Numerous CSPs offer tools such as dashboards or management consoles.

    You cannot keep your data safe if you don't know the security configurations and access rights that are attached to this data, and you ensure that they remain consistent with the sensitivity of the data you have stored. As you add data that may require more protection, re-evaluate your security settings and update them accordingly.

    Actively test for misconfigurations or other security failings that could compromise your data. Maintain robust log files so you can continuously monitor your cloud repositories.

    3. Don't store data that is not necessary.

    There is a tendency to keep as much data as possible because cloud storage is usually less expensive than other storage methods. Anyone will attempt to convince you that they "need" to keep this data because they might need it for a future project. There are several problems with this.

    -From a practical standpoint, except for archives, in most cases, old data is useless. It might be obsolete, incomplete, or unreadable.

    -From a legal standpoint, retaining personal data when it is no longer needed could violate applicable laws. Numerous privacy or data protection laws on all continents require that personal data be kept no longer than necessary for the purpose for which the data was originally collected.

    -From a contractual standpoint, it might violate contractual promises your business made to dispose of data at the end of a project, or on the occurrence of a triggering event.

    -From a security standpoint, the more data you keep, the greater the probability that someone will want to steal it, misuse it, damage it, etc.

    As you conduct a data inventory, be ruthless. Dispose of all data that is not necessary, and do so securely.

    4. Take advantage of the security features offered by the cloud service provider.

    Most cloud service providers offer detailed guidance about their security controls and how to set up their services in a more secure fashion. Users should do their best to understand the options and configure those settings in the way best suited to their own operations.

    -Understand the nature of the data that will be stored, processed, or used in the cloud.

    -Evaluate the risk to this data: Is the data sensitive? Is it needed? Who should have or not have access to it?

    -What means should be used to protect against the risks of unauthorized access to the data while it is held in the cloud?

    5. Make good use of encryption.

    There are numerous benefits to encryption, assuming of course that it is conducted properly, and in accordance with up-to-date techniques. If you must retain certain data, but that data is seldom accessed, consider encrypting it. If data contains sensitive information, consider encrypting it, as well. The more data is encrypted, the less chances it has to be stolen, modified or misused.

    6. Stay alert: pay attention to credible warnings.

    Some cloud providers offer automated tools to remind users about cloud repositories that are open to the Internet. Others may contact users with warnings to that effect. Security researchers may contact businesses when they find exposed data online. If you receive one of these warnings, pay attention. Investigate your cloud repositories and recheck your security settings.

    ~ ~ ~ ~ ~

    Most cloud service providers have better resources than their customers to provide an adequate level of security. However, purchasing a subscription for cloud services is not equivalent to transferring all responsibilities to a third party. The overall responsibility for the data remains in the hands of the data custodian. Cloud customers remain primary responsible for the data that they have collected from their own clients, visitors, or users, which often constitutes their most valuable assets. The FTC blog post should serve as a reminder of the duties and obligations that are vested on those who collect and use data. They must understand the nature of the data they collect, limit their collection and retention to only the data they need, use security measures and controls that are adapted to the data, train their personnel and suppliers on the ways to better protect this data, and stay alert and look for clues of potential vulnerabilities.