Is it safe to store corporate information on Google Drive (or similar services)?

When it comes to storing a company’s confidential information and/or backing it up, various questions tend to come up with regard to the location where this storage will take place. Some companies choose to manage everything for themselves, providing remote access so their employees can look it up whenever they need it.

Others, however, have embraced the cloud and all its advantages, like the low cost of choosing companies that are specifically dedicated to these tasks and the availability of the information, regardless of where it might be (as long as we have an Internet connection, of course).

But when we talk about the security element of these decisions, things become less clear, with more than a few people reluctant to store confidential information outside of the company. And this is despite the huge growth among companies all over the world that have started using services like Google Drive and Dropbox in recent years.

Cloud storage: Yes or no?

When choosing from the different solutions, we should ask ourselves various questions, of which one of the most important is probably this: Can I offer a higher level of security than that provided by these external companies when it comes to protecting this data?

This is a very important point, given that the majority of companies that are dedicated to offering these services tend to have good measures in place to prevent their users’ data from being compromised.

However, the main problem is not what security they implement on their servers. The vast majority of information theft occurs due to poor policies on access control and the management of credentials by users.

Additional security measures

It is pointless to have the best and most secure cloud storage service if the users who access these resources use passwords that are easy to guess or that have already been used on other services that have been compromised. It is important to implement additional measures, and if the service we are going to subscribe to supports two-factor authentication, so much the better.

Additionally, regardless of how secure the service we subscribe to is, we will never be overdoing it if the data stored both within and outside of our company is encrypted. This way, in the event of an incident in which attackers manage to gain access to this information, it will not be easy for them to read, thus minimizing the impact of the intrusion.

Lastly, we must not be careless about who can access what information, and what they can do with it. If we let all our employees access confidential information, and that information could then be leaked out through other means, we would have achieved practically nothing.

To avoid this, we need to adopt tools for the prevention of data leaks, by using applications that detect when certain users without permissions are trying to access a certain type of confidential information or when it is being sent outside of the company through unauthorized means.
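As an added illustration (not part of the original article), the sketch below applies the two checks just described to audit events from a storage service: access by a user who is not cleared for a file's classification, and sharing of non-public files outside the company. The groups, labels, domain and events are all constructed assumptions.

```python
# Added example: every name, label and event below is constructed for illustration.
from dataclasses import dataclass

COMPANY_DOMAINS = {"example.com"}      # assumed approved recipient domains
CLEARANCE = {                          # assumed mapping: label -> groups allowed access
    "public": {"staff", "finance", "hr"},
    "internal": {"staff", "finance", "hr"},
    "confidential": {"finance", "hr"},
}
USER_GROUPS = {"alice": {"finance"}, "bob": {"staff"}, "carol": {"hr"}}

@dataclass(frozen=True)
class Event:
    user: str
    action: str          # "view", "download" or "share"
    path: str
    label: str           # classification tag attached to the file
    recipient: str = ""  # only set for "share"

def findings(event):
    """Return the list of policy violations for one audit event."""
    out = []
    groups = USER_GROUPS.get(event.user, set())
    # Unknown users and unknown labels resolve to empty sets, so they fail closed.
    if not groups & CLEARANCE.get(event.label, set()):
        out.append("unauthorized_access")
    if event.action == "share" and event.label != "public":
        domain = event.recipient.rpartition("@")[2].lower()
        if domain not in COMPANY_DOMAINS:
            out.append("external_share")
    return out

def scan(events):
    """Pair each violating event with its findings, preserving order."""
    return [(e, f) for e in events if (f := findings(e))]

SAMPLE_EVENTS = [  # constructed audit records
    Event("alice", "view", "/finance/payroll.xlsx", "confidential"),
    Event("bob", "download", "/finance/payroll.xlsx", "confidential"),
    Event("alice", "share", "/finance/payroll.xlsx", "confidential", "x@gmail.example"),
    Event("carol", "share", "/hr/handbook.pdf", "internal", "dave@example.com"),
    Event("mallory", "view", "/misc/notes.txt", "unlabelled"),
]

if __name__ == "__main__":
    for event, flags in scan(SAMPLE_EVENTS):
        print(event.user, event.action, event.path, flags)
```

Files with no recognised label and users with no group membership are flagged rather than allowed, which keeps gaps in classification visible instead of silently permitted.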

Compliance with regulations

As well as all this, it is essential to take into account something that a lot of companies do not think about… until it is too late and they start getting fined for non-compliance with regulations. Depending on where we have our company’s head office(s) and where our customers and suppliers are located, we will need to comply with the legislation in force and adopt a whole series of measures.

For example, if our company is in the European Union or if we do business with users in that region, we need to adapt our data storage and management systems according to the GDPR, which will become obligatory from May 25, 2018. This fact raises new issues, one of which is whether storage services like Google Drive and Dropbox comply with the regulation.

The companies that manage these services are aware of the need to comply with all the requirements relating to management of the information stored by their users on their servers. For this reason, they wasted no time in adopting all the measures necessary in order to bring themselves up to date.

As of today, both Google and Dropbox comply not only with the regulations imposed by the GDPR, but also with the Privacy Shield, an agreement signed between EU member states and the United States.

Conclusion

We could say that using file sharing and storage solutions in the cloud is secure so long as they comply with a series of norms and international regulations, and we ourselves also implement certain additional security policies.

Nonetheless, we must never be careless about the security of information stored both within and outside of our company, nor believe that it is someone else’s responsibility. We need to apply all the additional security measures available to us in order to protect it sufficiently.

written by Josep Albors, ESET We Live Security

