Security Think Tank: Four steps to using public cloud storage

How can businesses make use of free or low-cost cloud storage services aimed at consumers, but ensure that their data is safe and secure?

The consumer cloud storage market is undergoing significant change, with Tencent currently offering up to 10TB of free storage, and other providers such as Dropbox and Microsoft SkyDrive increasing the free space they offer their customers. Should businesses take advantage of this free storage?

The answer, from an Information Security Forum (ISF) perspective, is a qualified "yes". We have examined the security and privacy issues of using cloud service providers – and of suppliers in general – and our findings can be applied to any cloud service (free or not). Our findings include:

  1. No matter what the service is, take an information-led, risk-based approach. Start off by identifying the information you intend to place in cloud storage, the risks and impacts associated with a compromise of that information, and any legislation or regulation that applies to the information you wish to store in the cloud.
  2. Understand who and what the cloud service provider is, where it is based and what it is offering (free isn't always free).
  3. Read the contract or EULA. Free services come with fixed terms and conditions, set by the provider. You may discover rights allowing the provider to access your information, or that files will still be stored even though the user has deleted them, or that a different jurisdiction applies to the contract, rather than your organisation's home jurisdiction.
  4. Train the user. Users should be made aware of how to use, in a secure manner, the storage and any apps or devices (eg smartphones and tablets) that can access it. Importantly, educate users about what information can be stored in the cloud.

The risk-based approach should be underpinned by an implemented information classification and handling scheme that details how information should be classified and whether it can be stored in the cloud.

Adrian Davis is principal research analyst at the Information Security Forum (ISF).
