A recent study from Clutch found that 90% of small businesses believe their cloud is secure, but only 60% use encryption, and even fewer use two-factor authentication to secure cloud storage. Additionally, the market research company, headquartered in Washington, D.C., reported that 60% of the small businesses that store customer credit card and banking information in the cloud said they don't follow industry compliance regulations for cloud data storage.
In reality, it is more likely that many of these businesses aren't sure about their cloud storage security and compliance posture because they haven't designed or added to it themselves, or because they haven't looked deeply into the types of controls and compliance status offered by the cloud providers.
This is the first, and perhaps most important, step any small business should take when planning to put sensitive data into a cloud environment -- take the time to properly assess the provider's own security controls, the capabilities it offers customers for protecting their data, and its compliance status.
Many small businesses won't have the staff or expertise to perform an in-depth risk review, but they can ask the provider for a list of compliance reports -- such as a PCI DSS Report on Compliance -- as well as any audit and controls attestations it holds, like an SSAE 18 SOC 2 report. There are many consulting firms available to help interpret these reports if small businesses need assistance, too.
Cloud storage security controls for SMBs
There are several cloud storage security controls that all small businesses need, regardless of their cloud provider's internal security posture. First, strong account security controls should be available for access to the cloud provider's administration console and services. At a minimum, the provider should allow flexible password strength and policy settings, so that longer, stronger passphrases that resist brute-force attacks can be required.
Ideally, cloud providers should support some form of multifactor authentication so that no one can log in with just a username and password. Many cloud providers accept free authenticator apps like Google Authenticator, which makes integrating and using multifactor authentication even simpler for small businesses, as long as their staff have smartphones.
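The authenticator-app MFA described above is time-based one-time passwords (RFC 6238 TOTP, built on RFC 4226 HOTP). The following Go program is an added example written for this page, not code from the article or from any provider; it shows the verification side a provider's console would run and two details a small business should ask about: a small clock-drift window, and a replay guard so a code captured once cannot be reused. The base32 secret is the RFC 6238 test key, not a real enrollment; the `Verifier` type and its method names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// DecodeBase32Secret converts the enrollment secret shown to the user (base32,
// often lowercase, space-grouped and unpadded) into the raw HMAC key.
func DecodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(strings.TrimSpace(s), " ", ""))
	if rem := len(s) % 8; rem != 0 {
		s += strings.Repeat("=", 8-rem)
	}
	return base32.StdEncoding.DecodeString(s)
}

// HOTP is the RFC 4226 code for one counter value (HMAC-SHA1 plus dynamic truncation).
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is the RFC 6238 code for a Unix time: the counter is the time-step number.
func TOTP(secret []byte, unix, step int64, digits int) string {
	return HOTP(secret, uint64(unix/step), digits)
}

// Verifier accepts codes from +/-Window steps around the current one (clock drift)
// and remembers the last step accepted per user so a captured code cannot be replayed.
type Verifier struct {
	Step, Window int64
	Digits       int
	lastStep     map[string]int64
}

func NewVerifier() *Verifier {
	return &Verifier{Step: 30, Window: 1, Digits: 6, lastStep: map[string]int64{}}
}

func (v *Verifier) Verify(user string, secret []byte, code string, now time.Time) bool {
	if len(code) != v.Digits {
		return false
	}
	cur := now.Unix() / v.Step
	for drift := -v.Window; drift <= v.Window; drift++ {
		step := cur + drift
		if last, used := v.lastStep[user]; step < 0 || (used && step <= last) {
			continue // this step, or an older one, has already been consumed
		}
		want := HOTP(secret, uint64(step), v.Digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastStep[user] = step
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 appendix B test key ("12345678901234567890") in base32 form, not a real secret.
	secret, err := DecodeBase32Secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println(TOTP(secret, 59, 30, 6)) // 287082: the 6-digit form of the RFC's 94287082
}
```

The replay guard is the part most often missing from home-grown implementations: without it, a code phished or shoulder-surfed in the 30-second window is as good as the password, and the drift window of one step on either side is enough to absorb a phone clock that is slightly off.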
Regardless of size, all businesses using cloud storage should look into the types of data protection offered. To some extent, the controls available will depend on the cloud model. For instance, SaaS environments may offer automated encryption of data at rest, give customers the chance to encrypt a database field or column, or apply encryption to a data set through a dashboard option.
In platform-as-a-service and infrastructure-as-a-service environments, however, the encryption or tokenization offerings may depend on the types of storage implemented, and may be significantly more complex, requiring key management expertise. Data loss prevention and content security policies are useful, too, and may require a cloud access security broker or another third-party service to implement properly. Unfortunately, that drives up the cost of cloud services, making them less attractive to business leaders.
In addition to access controls and data security, small businesses need alerting and security monitoring of some sort. This may require assistance from the provider or from third-party tools and services as well.
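The "key management expertise" point above is easiest to see in code. The Go program below is an added example for this page, not the article's or any cloud provider's implementation: it shows envelope encryption, the pattern that provider-managed encryption of object and disk storage generally follows, in which each object gets its own data key and only that small key is wrapped under a master key held by a KMS. The `KeyRing` type is a stand-in for the KMS role and is this example's own; the object name and key ids are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is what lands in the bucket: the ciphertext, the per-object data
// key wrapped under a master key, and the id of that master key so a later
// rotation knows which key unwraps it. No plaintext key is ever stored.
type StoredObject struct {
	Name        string // object name, bound into both ciphertexts as AAD
	MasterKeyID string
	WrappedKey  []byte // nonce || AES-256-GCM(masterKey, dataKey)
	Ciphertext  []byte // nonce || AES-256-GCM(dataKey, plaintext)
}

// KeyRing stands in for the KMS/HSM role: master keys stay inside it and are
// only ever used to wrap and unwrap data keys.
type KeyRing struct{ keys map[string][]byte }

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string][]byte{}} }

func (k *KeyRing) AddMasterKey(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys[id] = key
	return nil
}

// Retire deletes a master key; anything still wrapped under it becomes unreadable.
func (k *KeyRing) Retire(id string) { delete(k.keys, id) }

func (k *KeyRing) master(id string) ([]byte, error) {
	if key, ok := k.keys[id]; ok {
		return key, nil
	}
	return nil, fmt.Errorf("unknown master key %q", id)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce that is prefixed to
// the output; aad binds the object name so blobs cannot be swapped between objects.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt draws a fresh data key per object, encrypts the object with it, then
// wraps the data key under the named master key.
func (k *KeyRing) Encrypt(masterID, name string, plaintext []byte) (*StoredObject, error) {
	master, err := k.master(masterID)
	if err != nil {
		return nil, err
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(master, dataKey, []byte(name))
	if err != nil {
		return nil, err
	}
	return &StoredObject{Name: name, MasterKeyID: masterID, WrappedKey: wrapped, Ciphertext: ct}, nil
}

func (k *KeyRing) Decrypt(obj *StoredObject) ([]byte, error) {
	master, err := k.master(obj.MasterKeyID)
	if err != nil {
		return nil, err
	}
	dataKey, err := open(master, obj.WrappedKey, []byte(obj.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, obj.Ciphertext, []byte(obj.Name))
}

// Rotate re-wraps only the 32-byte data key under a new master key; the bulk
// ciphertext is untouched, which is what makes master-key rotation cheap.
func (k *KeyRing) Rotate(obj *StoredObject, newMasterID string) error {
	oldMaster, err := k.master(obj.MasterKeyID)
	if err != nil {
		return err
	}
	newMaster, err := k.master(newMasterID)
	if err != nil {
		return err
	}
	dataKey, err := open(oldMaster, obj.WrappedKey, []byte(obj.Name))
	if err != nil {
		return err
	}
	wrapped, err := seal(newMaster, dataKey, []byte(obj.Name))
	if err != nil {
		return err
	}
	obj.WrappedKey, obj.MasterKeyID = wrapped, newMasterID
	return nil
}
```

The questions to put to a PaaS or IaaS provider map directly onto this structure: who holds the master keys (provider, customer, or a customer-managed HSM), whether rotation re-wraps data keys or silently leaves old objects under the old key, and what happens to readability when a master key is retired.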
However, without a large security team or dedicated staff focusing on cloud security, many small businesses will be flying blind to what's happening in the cloud, and that could easily mean that account hijacking and other attacks go unnoticed. Ideally, providers will offer cloud security services that can help, such as Microsoft's Advanced Threat Analytics, which can identify suspicious account behavior.
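To make "suspicious account behavior" concrete, the Go program below is an added example written for this page; it is not from the article, from Microsoft or from any provider's product. It runs two simple account-hijacking heuristics over a constructed console sign-in audit log (documentation IP ranges, made-up users): a run of failed sign-ins from one address followed by a success, and a first successful sign-in from a country the account has never used. The log format, field names and rule names are this example's assumptions; real providers export their own schemas.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one line of a (constructed) console sign-in audit log:
// timestamp,user,source IP,geo country,result
type Event struct {
	Time    time.Time
	User    string
	IP      string
	Country string
	Success bool
}

type Alert struct{ Rule, User, Detail string }

// SampleLog is constructed for this example; the addresses are RFC 5737 documentation ranges.
const SampleLog = `
2023-05-01T08:00:01Z,alice,203.0.113.5,US,success
2023-05-01T08:30:00Z,bob,198.51.100.7,US,success
2023-05-01T09:00:00Z,alice,203.0.113.5,US,success
2023-05-02T02:10:00Z,bob,192.0.2.44,BR,failure
2023-05-02T02:10:05Z,bob,192.0.2.44,BR,failure
2023-05-02T02:10:09Z,bob,192.0.2.44,BR,failure
2023-05-02T02:10:14Z,bob,192.0.2.44,BR,failure
2023-05-02T02:10:20Z,bob,192.0.2.44,BR,success
2023-05-02T09:00:00Z,alice,203.0.113.5,US,failure
2023-05-02T09:00:30Z,alice,203.0.113.5,US,success
`

// ParseEvents reads the comma-separated log, rejecting malformed lines, and
// returns events in time order.
func ParseEvents(raw string) ([]Event, error) {
	var out []Event
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: want 5 fields, got %d", n+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		out = append(out, Event{Time: ts, User: f[1], IP: f[2], Country: f[3], Success: f[4] == "success"})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out, nil
}

// Detect raises "failures-then-success" when a success follows at least
// failThreshold failures from the same user and IP within window, and
// "new-country" when a user succeeds from a country with no earlier success.
func Detect(events []Event, failThreshold int, window time.Duration) []Alert {
	var alerts []Alert
	fails := map[string][]time.Time{}    // user|ip -> failure times
	seen := map[string]map[string]bool{} // user -> countries with an earlier success
	for _, e := range events {
		key := e.User + "|" + e.IP
		if !e.Success {
			fails[key] = append(fails[key], e.Time)
			continue
		}
		recent := 0
		for _, t := range fails[key] {
			if e.Time.Sub(t) <= window {
				recent++
			}
		}
		if recent >= failThreshold {
			alerts = append(alerts, Alert{"failures-then-success", e.User,
				fmt.Sprintf("%d failures from %s within %s before a success", recent, e.IP, window)})
		}
		delete(fails, key)
		if seen[e.User] == nil {
			seen[e.User] = map[string]bool{} // first success establishes the baseline, no alert
		} else if !seen[e.User][e.Country] {
			alerts = append(alerts, Alert{"new-country", e.User,
				fmt.Sprintf("first successful sign-in from %s (%s)", e.Country, e.IP)})
		}
		seen[e.User][e.Country] = true
	}
	return alerts
}

func main() {
	events, err := ParseEvents(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events, 3, 10*time.Minute) {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.User, a.Detail)
	}
}
```

On the sample data only bob's account trips either rule; alice's single mistyped password is below the threshold and her country is already known. The value for a small business is less in the rules themselves than in the fact that the provider's audit log is being exported and read at all, which is the precondition for any of the managed services named above to be useful.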
Final considerations for small business cloud security should include the availability of cloud backups and other basic continuity practices. Ideally, cloud providers will also offer some end-user training or assistance in setting up security controls, if needed.