Moving data around used to be hard. There used to be whole industries devoted to gathering and distributing information. We relied on records offices, newspapers, librarians and industry journals. But since the birth of the Internet, it's become so easy to copy and distribute information that it often takes more work to keep data private than it does to share it. Information wants to be free.
This new reality means we can collaborate and learn much more quickly than before, but it brings with it a new type of headache: We must keep our data safe.
In many countries, there is a legal requirement to keep your customers' personal or sensitive data secure. We sometimes spend so much time thinking about what apps and services we can use to improve collaboration that we don't think about what data is going where, and whether its safe.
Most people don't care about data security, they just want to get the job done. If Google Docs makes their life easier then they'll want to use it. But if you upload a spreadsheet containing your customers' names and addresses into your Google Drive, is it clear where that data is stored? Google has data centres all over the world, your customer's personal data could be in any one of them. And if Google opened a new data centre in North Korea tomorrow, would they be obligated to tell us, or give us the chance to stop our data going there? I doubt it.
For business in the UK, the Data Protection Act 1998 states that:
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Adam Welch's blog has some helpful details on which territories are considered OK according to this act. But worrying about where there data is going is fundamentally at odds with how The Cloud is supposed to work.
The whole point of The Cloud is that it's not a real place. It's a virtual place where data can just, live.
So how do we as IT professionals, steer businesses towards a sensible data security policy?
Limit Your Providers
While it will be a bit of a drag making business users get approval from someone in IT before they use internet services, there is a legal requirement to make sure data isn't going somewhere it shouldn't, so someone should really be checking what gets used.
Fortunately, most tech companies that you might want to store data with are either EU or US based. This makes life a little easier. Keeping your data within the EU will satisfy one aspect of the Data Protection Act. And while the EU does not consider the US to be a "safe" country by itself, the US has a Safe Harbor scheme that tech companies can self certify with in order to satisfy the EU regulations. You can search the list of Safe Harbor providers here.
Use Strong Passwords
When the Heartbleed security vulnerability was discovered, I decided I finally I had to sort out my password regime. I had roughly 6 passwords that I reused across all my internet services. While these passwords weren't particularly weak and I did occasionally check whether any of my accounts had been compromised I knew I really could do better. I decided to implement a new policy:
- Multi-factor authentication on emails. Email accounts are the master key for all our other accounts. If someone gets access to your email account, they can reset the passwords on everything else. So multi-factor auth is a must. Here are some instructions for turning on 2 step authentication in Google Apps.
- Use password generators and managers. I use LastPass to generate and synchronise secure passwords for all my web accounts. You can also use 1password or KeePass.
- Use long pass-phrases. Your password managers and operating systems logins will still need a master password. These should be long phrases rather than single words. Passwords are one of those areas where; Size. Does. Matter.
If your customer's personal data is going to be stored on company laptops use full disk encryption to ensure that the data is not (necessarily) compromised when a device is lost.
While the servers your business operates are hopefully kept in a secure location and don't need encryption, your off-site backups should be encrypted. If you're backing up to a cloud provider like Amazon or Microsoft Azure, consider encrypting those backups or switching to a service like Tarsnap.
If you're emailing your customers' data around, you should also consider email encryption. If you use web based email, checkout Mailvelope for easy email encryption.
If you loose a device that has data or passwords stored on is, being able to remotely wipe it will help keep your data safe and give you piece of mind. Apple iOS devices have a remote wipe feature, so does Andriod. For laptops you could use SugarSync's business edition or Druva's inSync.
Using The Cloud to store and share data is a game changer for many businesses. The possibilities for collaborative working are still being realised and it will be decades before business truly gets used to working in an Internet enabled way. But the benefits do come with a cost. There are risks involved. As IT professionals we have an obligation to educate the businesses that we work for about those risks and help them protect sensitive data effectively.