Cybersecurity Handbook
Chapter 10

Cloud Security

Google Drive, OneDrive, Dropbox, AWS, and other online file storage services are called cloud computing services. They can be very useful when working in a team, especially if some colleagues are working remotely (see the Remote Access Policy).


Can we put everything on the cloud?

The answer varies depending on the situation. What you need to keep in mind is that a cloud service is like storing your work documents on someone else’s computer. This can have many advantages, particularly in terms of the resilience (availability) of the information and teamwork. However, it’s advisable to show some vigilance and ask yourself some fundamental questions before storing sensitive data on the cloud. Has your service provider been the target of any recent data breaches? Does it share your data for commercial purposes? What level of encryption does it offer? Does this level meet your needs? 

While these services are very useful for daily tasks, it could be a good idea to avoid using them for storing highly restricted or confidential data (see the chapter on sensitive data). Here too, it’s a question of balance. Remember that the first function of cloud computing is to ensure the availability of documents. In choosing to store a document on a cloud service, the notion of confidentiality will necessarily be in tension with the notion of availability. The question you need to ask yourself is this: Do you need this document to be more “available” or “confidential”? 

Depending on your answer, you could consider different actions. If your cloud service uses strong encryption (and all the members of your team have fully grasped the good practices outlined in the previous chapters), you can use it to store confidential or restricted documents.

If you are unsure and prefer to use your hard drive, that’s perfectly fine too! You just need to make sure that it’s encrypted or, if kept on the premises of your organization, that it’s locked away. Here too, you must analyze your backup and archive methods and decide which method is most appropriate for your organization.

Choosing your cloud service

Cloud services can vary widely in terms of their functions and security. 

You first need to consider interoperability (ensure that the service works on the operating systems used by the members of your team) and whether the service supports synchronous or asynchronous work. In terms of cybersecurity, we would like to draw your attention to the encryption of your documents on cloud servers.

In particular, cloud services that use end-to-end encryption and the zero-knowledge principle are usually extremely secure. Your data is encrypted in a way that renders its content unreadable, even for the company storing your documents. The only danger is the passphrase. If you forget it, there’s no way for the company to recover what you have stored on their servers. If you are a passphrase pro, it’s definitely a solution worth considering.

Otherwise, services that don’t offer end-to-end encryption can also be relatively secure. You should nonetheless assume the possibility that the company could have access to the documents you store there. You therefore need to trust them. 

Popular services such as Google Drive and Dropbox don’t use end-to-end encryption. This comes with certain gaps in confidentiality, but their offer in terms of storage space, functionality, and availability leads many professionals to use their services. If this is your case, it’s important to be vigilant about:

  • the nature of the documents stored on their servers
  • the strength of the passphrases that control their access 
  • the access granted to different individuals (it’s important to keep it to a minimum).

Some precautions to keep in mind

As with everything else, the first precaution to take with your cloud service is to control access. As mentioned in the chapter on access management, it’s best that everyone who has access to a cloud service uses passphrases to secure their access.

It’s also important to take inventory and determine which documents (or sensitive data) can be stored on this service. You can determine this by balancing your confidentiality and availability needs. 

Lastly, good access control also implies that you implement your policy regarding the access parameters (view, comment, edit). 


Recap:

  • Research the security of your cloud service.
  • Customize the security settings so that they correspond to your needs.
  • Reflect on the use and access granted to the members of your team.
