Who is Responsible for Cloud Security – Your Cloud Service Providers or You?

Nowadays, the sheer amount of data that must be stored and managed by any given company is staggering. To keep up, most companies have fully embraced cloud service providers, such as Amazon Web Services (AWS), Google Cloud, and Microsoft Azure while supplementing them with various add-ons and applications. But with all this data stored, managed, and shared off-site by a cloud platform, many companies mistakenly assume that their data is secure by default. 

If you are wondering who is responsible for security in the cloud for your applications and data, you may be surprised to hear that the end-user agreements of many major cloud service providers don’t include robust data backup terms to prevent losing your data. With the exception of a few, many of these entities make no promises when it comes to keeping the data you store and manage on their platforms secure. This doesn’t mean you can’t enjoy the benefits these invaluable applications and cloud service platforms provide, but to protect your bottom line and secure your data they store, you should consider taking the following steps.

Vet Your Cloud Service Providers

First, if you’re going to trust a third-party cloud data backup service with your data, you must identify what data is stored on their systems and what their security posture looks like. It’s time to dig into those end-user agreements and start investigating. Ask questions, read the fine print, and decide whether you are comfortable or not with their overall security profile and, should that fail, their data backup plan. To streamline this process, do the following:

  • Establish and Maintain an Inventory of Cloud Service Providers – Compile a list and, more importantly, classify each from critical to non-critical. Identify which third-party services are crucial to your business’ day-to-day operations.
  • Establish and Maintain a Cloud Service Provider Management Policy – Decide the bare minimum security standards you need a vendor to demonstrate to trust them with your data. Also, establish how often you will review third-party security practices to make sure their standards haven’t dipped below this baseline.
  • Regularly Monitor Your Cloud Service Provider – Most platforms also supply a dashboard with important updates, changes, and health statuses. Administrators with access to this feature should check in regularly to monitor changes and report any significant problems. If you have trouble finding this feature, ask your third-party vendor where it resides and how to check it, as each provider approaches this differently.
  • Conduct an Annual Cloud Service Provider Review – Different from the regular review mentioned above, an annual review should assess what has transpired for your vendor over the last year and how they fit into your future plans. Have they been breached? How many times? Take a second to look at how circumstances have changed and whether the tools they offer are still relevant to your daily processes.
  • Secure Decommission from Cloud Service Platforms – Lastly, it’s essential to understand the consequences if you decide to move on from your cloud platform at any point. Many times, exit plans are trickier than they seem, and if you are storing data on their platform, this is even more important. A few questions to pose might be:
    • How can I get my data back if I decide to terminate?
    • What format will it be in?
    • Are there costs associated with termination or retrieval of data?
    • Can I retrieve the data myself, or will I need assistance?
    • If I do need help, how much will be provided?
Have Your Own Data Backup Plan

Regardless of how much you trust your cloud service providers, creating your own data backups is essential in case any worst-case scenario occurs in which your service provider cannot retrieve your lost data for you. To do so, you should take the vendor list you have created above and identify the sensitivity of the data stored on each platform. Then, start a conversation around business continuity and how you would be able to operate without these platforms should they malfunction. For example, how would you respond if the data they have access to is lost or stolen? The success of this conversation, and your future backup plan, will hinge on how well you know each platform’s policies and features. For example, Microsoft typically only offers 30-day retention for any files they backup. So, if you plan to backup the data on Azure every 60 days but accidentally delete a vital piece 31 days after uploading, you’ll have no recourse to recover it.

3-2-1 Rule

Once you understand when and how often you should be making backups, you can start working to ensure resiliency. One of the best ways to do so is by following the 3-2-1 rule:

  • Create 3 copies of each set of data
  • Store it on 2 different types of media
  • Always keep 1 copy off-site

This rule is particularly effective because it addresses almost any critical scenario and does not require any specific hardware or software.

Testing Your Data Backup 

Finally, you’ll want to test this entire process to make sure your plan has been thoroughly vetted in the event of a worst-case scenario. There are software testing options, but the most fail-safe method is a simple manual test in which you remove files and then ask whomever you’ve tasked with managing your backups to restore them. If you use this method, make sure to move the files onto a backup device instead of trashing them in case recovery fails. Tests like these should be done at a minimum quarterly.

If you don’t want the hassle of handling the backup process yourself, there are also several reputable services, such as VEEAM, Barracuda, and Avepoint, that offer backup services for third-party cloud data.

If you have questions about how to better decipher the fine print included in cloud service providers’ end-user agreements regarding data backup or have questions about properly creating data backup plans that ensure resiliency, don’t hesitate to contact me at lenny@reliabletechnology.co.