Lost in the Cloud - Responsibilities of Storing Data in the Cloud

Over the past several years, we have watched public perception regarding storing data in the cloud swing back and forth. For years, clients avoided “the cloud” given the nebulous nature of the storage medium and lack of understanding as to how the data was secured and who had access. Somehow, through additional education, along with the impact of COVID-19 requiring organizations to work from home, 92% of companies now store data in the cloud. Unfortunately, this storage method provides hackers with another target when looking to infiltrate your network.

Companies using cloud-based technologies shoulder additional responsibilities when utilizing these services. Management should consider the following when managing their cloud storage providers: 

Access controls are more important than ever.
Access to cloud-based storage should be limited and tightly monitored. Additionally, administrators with the ability to modify or delete restore points and backup files should be sure to use a different username and password for their credentials. Recently, one of our clients fell victim to a phishing attack and had their administrator password compromised, granting the hacker full access to their system. After the perpetrator was unsuccessful in finding files they could monetize, they decided to delete all of the network applications and data. As a parting gift, they logged into their cloud-based storage and deleted all backups and restore points, making it virtually impossible to restore the client’s network infrastructure and data. 

Do your due diligence on your cloud provider.
Not all cloud providers are created equal. Some have well-established controls and advanced features while others are fly-by-night organizations with limited controls. One key question to ask your cloud provider is to obtain a copy of their most recent Service and Organization Control (SOC) 2, a Type 2 report over the controls at their data center. These SOC reports provide evidence of effective controls placed to secure, protect, and restore your critical data.

SOC 2 review
Obtaining the SOC 2 report is only the first step – evaluating the contents can be just as critical. Here are a few questions to consider:

• Was the SOC examination performed by a reputable firm?
• Was the examination opinion unmodified - meaning there were no exceptions that would impact the services you rely on?
• Have you implemented all of the Complementary User Controls required by the cloud provider in the report?

Evaluate the need for the redundant backups.
More and more often we are seeing clients who are highly dependent on quick uptime and access to data to set up local back-up infrastructures (local backup solutions; warm/hot sites; real-time data replication between sites) as a redundancy to their cloud providers. This added level of protection can be the difference between meeting Service Level Agreement requirements, customer delivery obligations, and a lengthy downtime.

To help evaluate your data redundancy plans, consider setting up a meeting to discuss how Citrin Cooperman can help your business. Please reach out to Michael Camacho at mcamacho@citrincooperman.com or Kevin Ricci at kricci@citrincooperman.com for more information.