How to use the cloud securely (because it's not going away)

Like anything you do for your business, don't do it just to keep pace. Make it a determined decision that will either save you time, money or both.
AUG 21, 2014
You can't have a business conversation or attend an industry conference without hearing someone ask "are you in the cloud?" Indeed, servers and disk storage have been evolving frighteningly quickly over the past five years. However, like anything you do for your business, don't do it just to keep pace. Make it a determined decision that means you will either save time, money or both. And if you can add in offering new capabilities for your clients, all the better.

You can embrace the cloud in a meaningful way. Chances are most of you have already, most likely in the form of an app powering your business operations such as customer relationship management, financial planning or portfolio re-balancing. What has tripped up most firms is the most commoditized part of the cloud: files and folders.

Cloud storage (replacing our internal servers) comes in three basic varieties.

• Basic, no-frills storage that simply mimics your offline server's file and folder structure. At a minimum, it should allow basic search, upload and download and possibly some level of access control.
• The second type, secure file sharing, offers a secure method for distribution of files (even those that are mega-sized) but does not provide the general storage and organizational facility of an offline server. This will include encryption, expiring sharing of files and support for tracking of when those files were received.
• Finally, there is the server in the cloud model, offering fully featured cloud server storage, with everything you have in an offline server, as well as the secure distribution of files and folders, tagging and search, collaboration features and perhaps even disaster recovery services.

A KEY TERM TO REMEMBER

Encryption at rest. Encryption is the method through which a file is secured and only visible to someone with the proper key to unlock it.
Encryption at rest is a more recent technique of ensuring that all data stored in a cloud destination is encrypted at all times, thus reducing the possibility that someone unauthorized could be exposed to your data, even if unintentional (such as customer service personnel or engineers).

Before focusing on the vendor, let's cover the basics for stepping up security for yourself as a precursor to using the cloud.

1. Ensure your laptops and desktops are hard-disk encrypted so that data is secured at rest on your computers even when offline. Thus, if someone steals your physical computers, they have gotten their hands on a fantastic paperweight and not the confidential data you seek to protect. There is a subplot here. It is assumed you will then have a backup service for that secured data in the event you do lose that computer and need to restore it to a new machine.
2. Your portable devices must be secured by at minimum a PIN or password to unlock and use. Optimally you'll also have a security app (now available from Lookout, Trend Micro and Symantec). These apps scan for malware, offer varying levels of data backup and offer location services in the event a device is lost. Also ensure you are securing your use of public WiFi connections using a service like VPN1Click or Cloak.
3. All of your online accounts that support it should have two-factor authentication enabled. This is no longer a decision to make. Regardless of inconvenience, the password security model is broken and we are responsible for data that is far too precious to put at risk.
4. Your cloud storage provider should be able to substantiate that it stores your data encrypted at rest, on its platform. The provider also should vouch for backup or redundancy.

What are some standards to use to evaluate? Certainly requirements will have some unique twists based on your business and its service model, but there are some constants.
Here are some key questions to consider when evaluating cloud storage:

• How does the provider support FINRA and/or SEC regulations governing your storage and use of business data?
• Does the cloud provider have a key to decipher the encryption provided to you for security of your data?
• What level of SSL encryption is used for the web browser connectivity, where file transfer also occurs? This is technical but important to understand.
• Can you ship an encrypted drive to transfer large amounts of data? This allows you to implement a new solution and securely shift gigabytes or even terabytes of data onto your new cloud storage without risking the underlying information.
• How can you manage users, adding and removing them to protect data as changes occur in your business? Can you enforce two-factor authentication and other business rules on remote employees? Can you control how files and folders can be shared?
• What devices can you use with the service and does security extend to those apps and devices, including for syncing data?
• What integrations are available, such as connectivity to CRM, proposal or project management tools and other systems used in your business? How is your data secured when in transit with those integrations?

It's important to take seriously the evaluation of any solution, not just the cloud. Don't assume anything and ask for confirmation of your questions on backup, security and redundancy. Moreover, it is key to remember that nothing is (nor has ever been) bulletproof from bad actors who seek to compromise systems.

While the cloud is a convenient scapegoat as a security risk, there is no alternative and there won't be one as our systems continue to interconnect and become web-distributed. By taking the steps to shore up your own security habits and carefully selecting your cloud providers, you can greatly minimize the risk of being a victim.
Blane Warrene speaks and writes frequently on technology and the intersection of marketing and compliance in financial services. He co-founded Arkovi and QuonWarrene, the former acquired by RegEd in 2012. He produces the Digital Well podcast.
