Cloud Compliance? Do we even need it? Our data is in the cloud … therefore it is safe, right?
What does it mean to be compliant when your systems are in the cloud? A cloud computer is a computer managed by “someone else”. Compliance with the various standards is ultimately about your data, so you have to ask some detailed questions to make sure the cloud provider's methods are compliant.
(image from freepik.com)
In past posts I made it clear that backups are needed to survive cyber attacks. In the case of a successful encryption attack (ransomware, including the recent one on the San Francisco train system) you must have a working backup. By ‘working’ I mean restored and tested in the last 3-6 months. Yes, this is a pain and difficult, but as with most cybersecurity issues the details are important.
As you can see in the image above, your devices connect to the Cloud (or remote servers) which house your data.
Each cloud setup is different; the applications and how they are used drive the type of cloud service.
So the data you work on lives on the remote server (the cloud). How can we make sure we are compliant in an environment we do not control?
Answering the following is an important step:
- Who has access to the data? Only employees of the cloud company? How is the data secured at rest? Get the details.
- How is the data backed up? How long is it kept, etc.
- How does the data get to the cloud / remote server? Is it encrypted in transit, or sent some other way?
Document the answers to the above 3 questions in detail. Are there any contractors who will have access to the data? The SLA (Service Level Agreement) is also important to review.
Once the documentation is done and you know what data is stored where, the item that must be done next is to test the environment for recovery.
This is an important step not to be missed. How do you know the backup and recovery work? You will not know until you try them, and it is too late to find out when an actual emergency is facing you. At that point it is pray and hope everything works as it should.
Admittedly this testing step is difficult, especially in complex environments.
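The restore test described above, as an added example that is not part of the original post: a Python script that performs an actual restore of a backup archive into a scratch directory and compares every restored file against a SHA-256 manifest recorded at backup time, then checks whether the last successful test is older than the post's 3-6 month window. The function names (make_backup, verify_restore, restore_test_overdue), the sample files, and the 180-day limit are my own constructions and assumptions, not anything from the page.

```python
from __future__ import annotations

import hashlib
import io
import os
import tarfile
import tempfile
import zlib
from datetime import date, timedelta


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Pack files ({relative path: content}) into a gzip tar held in memory and
    return it together with a manifest of SHA-256 digests. The manifest is the
    independent record the restore test is checked against."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
            manifest[path] = _sha256(content)
    return buf.getvalue(), manifest


def verify_restore(archive: bytes, manifest: dict[str, str]) -> dict:
    """Perform a real restore into a scratch directory and compare every
    restored file with the manifest. Returns a report; report["ok"] is the
    verdict. An archive that cannot be unpacked at all is a failed test too."""
    report = {"ok": False, "missing": [], "corrupt": [], "unexpected": []}
    # tarfile.data_filter (3.12+, backported to maintenance releases) refuses
    # members that would escape the target directory; fall back when absent.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    restored: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            report["error"] = f"archive unreadable: {exc}"
            return report
        for root, _dirs, names in os.walk(scratch):
            for name in names:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, scratch).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    restored[rel] = _sha256(fh.read())
    for path, digest in manifest.items():
        if path not in restored:
            report["missing"].append(path)
        elif restored[path] != digest:
            report["corrupt"].append(path)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not (report["missing"] or report["corrupt"])
    return report


def restore_test_overdue(last_test: date, today: date, max_age_days: int = 180) -> bool:
    """True when the last successful restore test is older than the policy
    window; 180 days is assumed here for the post's 3-6 months."""
    return (today - last_test) > timedelta(days=max_age_days)


def demo() -> dict:
    """Run the restore test against a healthy backup and two damaged ones."""
    # Constructed sample data standing in for the data held at the provider.
    files = {
        "customers/accounts.csv": b"id,name\n1,Alice\n2,Bob\n",
        "config/app.json": b'{"region": "us-east-1"}\n',
    }
    archive, manifest = make_backup(files)

    # Case 1: the backup restores cleanly.
    healthy = verify_restore(archive, manifest)

    # Case 2: the provider's copy silently lost a file and a row; the archive
    # unpacks fine, so only the comparison against the manifest catches it.
    damaged_files = {"customers/accounts.csv": b"id,name\n1,Alice\n"}
    damaged_archive, _ = make_backup(damaged_files)
    damaged = verify_restore(damaged_archive, manifest)

    # Case 3: the archive itself is truncated (interrupted upload, bad media).
    truncated = verify_restore(archive[:20], manifest)

    return {"healthy": healthy, "damaged": damaged, "truncated": truncated}


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name}: {'PASS' if report['ok'] else 'FAIL'} {report}")
```

The point of the example is that the test actually restores the data and compares it with a record made when the backup was taken; checking that an archive exists, or that the provider reports a successful backup job, proves nothing about whether you can get your data back. Keep the manifest somewhere the provider cannot alter, and record the date of each passing run so the age check has something to work from.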
Let’s assume that you look at these challenges and decide that the cost of testing the backup is too high to be viable. You may be tempted (see our Psychology of Security) to risk a failure in the cloud (a cyber attack or otherwise) rather than pay the cost of testing to ensure you can recover from one.
This is not wise, but we are human after all, and you would be in the majority (as in the earlier blog post: 70% take higher risks when loss is an option).
We at Fixvirus.com do not recommend this line of reasoning; it is better to ensure your survival than to gamble with it.
As the USA Today article about the San Francisco train system ransomware attack shows (whether or not that system is in the cloud), it is undeniable that in the future more companies will depend on the “cloud” and will have serious problems if there are cybersecurity or functional problems with that infrastructure. So it behooves you to get your backup recovery tested, however complicated it is.
Contact us to discuss