Additional considerations for Online Storage
In the previous two posts, we covered why and how to choose an online storage provider. In this one we add some further considerations that should help guide you to a better decision.
Secure data center: Your data should be stored in a secure, controlled-access data center with redundant power, HVAC and internet connectivity. Ideally the provider should operate multiple geographically separated locations, with your data replicated between them, so that a natural disaster or outage at one site does not take your data offline. Ask whether failover is automatic and how it has been tested; a second site that your data is not actually copied to provides no protection.
Data encryption & employee access: Your documents should be encrypted in transit and at rest. In transit means the connection between your computer (or the provider's sync client) and their servers is encrypted, normally with TLS, so nobody on the network path can read or alter files as they move; at rest means the files are stored encrypted on the provider's disks. Encryption at rest is an additional layer of protection against disclosure if the servers or their storage media are compromised; it does nothing to prevent data loss, which is what backups and retention (below) address. Note also that when the provider holds the keys, at-rest encryption protects against stolen disks but not against someone who compromises your account or the provider's own systems, because the provider, however unlikely it is that they would do so, is capable of decrypting your data. Data center and support employee access to customer data should therefore be limited, controlled and logged. Some providers offer the option for you to hold and manage the encryption keys yourself (often called client-side or customer-managed encryption), so that even the storage company is unable to decrypt your files. There are real complexities to managing your own keys: if you lose them, neither you nor the provider can recover the data, and features that depend on the provider reading your files, such as search and previews, may not work. It may not be reasonable for every business to attempt, but if you want an extra layer of security, it is something to consider.
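To make concrete what "holding your own keys" means, here is an added example in Go; it is not code from the original post or from any storage provider. A document is sealed with AES-256-GCM under a key that never leaves your side, and only the resulting blob is handed to the provider. The provider name, file name and the map standing in for the provider's storage are assumptions for illustration. The last step shows the complexity the paragraph warns about: with the key gone, the stored copy is unrecoverable by anyone.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit AES key. In practice this key lives
// only with you (a local key manager, a hardware token or a passphrase-derived
// key); it is never uploaded, which is the whole point of customer-managed keys.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates a document with AES-256-GCM.
// Output layout is nonce || ciphertext || tag; that blob is what gets uploaded.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per document
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong key or any modification of the stored blob fails
// authentication and returns an error rather than silently producing garbage.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample document; a real one would be read from disk.
	doc := []byte("Client list Q3: Acme Ltd, Example Co")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, doc)
	if err != nil {
		panic(err)
	}

	// Hypothetical provider: it stores the blob but never sees the key.
	provider := map[string][]byte{"clients-q3.txt": blob}

	// Our side can read the file back.
	back, err := Open(key, provider["clients-q3.txt"])
	fmt.Println("we can read it:", err == nil && bytes.Equal(back, doc))

	// The provider, or an attacker holding its copy, cannot: a guessed key fails.
	guess, _ := NewKey()
	_, err = Open(guess, provider["clients-q3.txt"])
	fmt.Println("provider can read it:", err == nil)

	// And if we lose the key, the data is gone too; nobody can recover it.
	key = nil
	_, err = Open(key, provider["clients-q3.txt"])
	fmt.Println("recoverable without key:", err == nil)
}
```

The design point is that the blob is useless without the key, so the provider's at-rest encryption, employee access controls and retention practices all become secondary for confidentiality; your own key storage and backup become the critical control instead.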
Backup & retention: Investigate how often backups are taken and for how long they are kept. Important questions are how frequently backups run (daily, hourly or continuous) and in what increments they are saved: how many days of those backups are retained, and are older versions kept beyond that? In the event of data corruption, an accidental overwrite or deletion, or a malware infection such as ransomware on a local machine, being able to roll back to older versions of your documents can be invaluable. This matters more than it may seem, because a sync client faithfully copies a deletion or a ransomware-encrypted file to the cloud just as it copies a good edit; version history, not the sync itself, is what lets you recover. You should also find out how long data is retained after you delete it, as well as after you close your account.
Retrieval and ownership of data: This is an area of particular concern. How do you retrieve your data if you cancel your service, and in what format? How long do they keep your data after you leave? What provisions are there to fully delete your data at your request? Most importantly, who owns your data? Some storage services claim rights over the data on their servers in their terms of service, and others don't disclose one way or the other. You want an explicit declaration that you are the sole owner of that data and that it will not be mined, used for any other purpose, or retained without your permission.
Two-factor authentication: It is important that any service you use offer two-factor authentication (often written 2FA; "dual factor identification" is sometimes used, but authentication is the correct term), and it would behoove you to turn it on. Two-factor authentication requires that, in addition to a password, you provide a second proof of identity, usually a code sent to your phone by text message or generated by an authenticator app running on it. It takes an extra few seconds, but ensures that a password that has been stolen, guessed or reused from a breached site is not by itself sufficient to get an attacker in. With text-message codes you also get an early warning, in the form of a code you didn't request; app-generated codes give no such signal, because the app computes them locally without contacting the service. If the provider offers a choice, prefer the app: text messages can be intercepted or redirected by someone who takes over your phone number.
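The phone-app variety of second factor is usually TOTP (RFC 6238): at enrolment the service and your authenticator app share one random secret, and each code is computed from that secret plus the current 30-second time slot. The following is an added example in Go, not code from the original post or from any provider, that reproduces the computation on both sides so you can see why a stolen password alone is not enough: without the secret, which is never sent at login time, an attacker cannot produce the code. The secret used is the published RFC 6238 test value, not a real enrolment, and the one-slot clock tolerance in Verify is a common choice rather than a requirement of the standard.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const (
	period  = 30      // seconds each code is valid; the common default
	modulus = 1000000 // 10^6 for six-digit codes
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, "dynamic
// truncation" to 31 bits, then reduction to six decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%modulus)
}

// TOTP is RFC 6238: the counter is the number of 30-second slots since the
// Unix epoch, so phone and server agree without ever talking to each other.
func TOTP(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/period))
}

// Verify is what the service does with the code you type in. It accepts the
// current slot and one slot either side to tolerate clock drift on the phone,
// and compares in constant time so timing does not leak which digits matched.
func Verify(secret []byte, submitted string, unix int64) bool {
	for _, delta := range []int64{-period, 0, period} {
		if hmac.Equal([]byte(TOTP(secret, unix+delta)), []byte(submitted)) {
			return true
		}
	}
	return false
}

// DecodeSecret parses the base32 secret shown in the enrolment QR code
// (spaces and lower case are tolerated, as authenticator apps tolerate them).
func DecodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

func main() {
	// RFC 6238 test secret ("12345678901234567890" in base32), not a real enrolment.
	secret, err := DecodeSecret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
	if err != nil {
		panic(err)
	}
	fmt.Println("code at t=59:", TOTP(secret, 59)) // 287082 per the RFC test vectors
	now := time.Now().Unix()
	code := TOTP(secret, now)
	fmt.Println("code now:", code, "accepted:", Verify(secret, code, now))
	// A password thief who has no secret is guessing among a million codes.
	fmt.Println("guess accepted:", Verify(secret, "123456", now))
}
```

Two things to notice: the secret is the only long-lived value, so the enrolment QR code deserves the same care as a password, and a code is only good for a slot or two, which is why a code phished from you a few minutes ago is worthless while a code phished in real time is not; that is the gap that hardware security keys, where offered, close.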
Speaking of passwords: Use long, unique passwords and never reuse one across services; a password that leaks from one site is the first thing attackers try everywhere else. Length matters more than cleverness, so a passphrase of several unrelated words beats a short string of symbols. Change a password promptly when you have reason to think it was exposed; forced rotation on a fixed schedule mostly produces predictable variations of the old one. If you need help keeping track of a different password for every service, free or low-cost password managers such as LastPass can generate strong unique passwords and store them securely; you then only have to remember the one master password, which should itself be protected with two-factor authentication.
Mobile device controls: These controls let you decide whether data can be downloaded or saved to a phone or tablet at all; what level of lock-screen security the device must have before it is allowed to hold your files (recommendation: a strong passcode or fingerprint/face unlock, not a short numeric PIN); and whether you can remotely revoke the device's access, and wipe the files it holds, if it is lost or stolen. Check that revocation actually removes already-downloaded copies, not just future access.
Security certification & regulatory compliance: If you are subject to HIPAA, PCI DSS or other financial-industry or government information security standards, look for the provider's certification and audit information, for example an ISO 27001 certificate or a SOC 2 report. There is no certifying body for HIPAA, but a provider that will handle protected health information should be willing to sign a Business Associate Agreement (BAA); if they won't, they are not an option for that data. Even if you are not subject to any of those requirements, the presence of those certifications and compliance efforts is a good clue to the acceptability of their security standards, though bear in mind that a certificate covers the provider's controls, not how you configure and use the service.
And finally, set and enforce your own internal policies. 54% of data loss occurs because of unintentional security breaches by employees, and the results can be devastating. Make sure that your staff understands that there is ONE approved file storage service, and what your policies are with regard to storing confidential or sensitive information there. That should explicitly include not emailing information to (or from) personal email accounts and not using personal storage services. Written policies and regular discussion and education about information security are a valuable (and necessary) part of your overall responsibility for protecting client information. It is also a good idea to periodically check workstation computers for unauthorized applications, personal sync clients in particular.
If you have questions about which online document storage providers meet your needs, or concerns about how to protect your sensitive information, contact the Application Services Group at River Run Computers. We can assess your information environment and make recommendations specific to your needs. We offer consultations on making the right choice for your business!