Many businesses use the cloud for storing and backing up files and data, and you might be looking into doing this for your financial services firm, too. After all, the cloud is affordable, hands-off, and convenient. You don't have to worry about taking up storage space on your devices; keeping track of physical documents; or purchasing, installing, and maintaining additional hardware or technology infrastructure.
But how do you go about choosing a cloud service provider for your financial services firm? Here, I'll explain a few important considerations to keep in mind as you decide on the right provider to store—and secure—your clients' sensitive information.
Security should be your top concern, especially as you need to back up files that contain sensitive data, such as client account numbers and other identifying information. Without adequate controls in place, cloud computing could expose stored information to a range of threats, including theft and unauthorized access. Therefore, it's important to partner with a provider that has implemented tight security practices.
How does the cloud service provider handle data encryption? Specific questions you might ask include:
- Will you or the provider locally encrypt the data? Without question, your data should be locally encrypted, which means that it will be encrypted before it's uploaded to the cloud. You can do this yourself with software like Boxcryptor, although many providers will locally encrypt the data for you. If the provider does the encrypting, be sure that you can create and manage your encryption key so that the provider has no idea what you're storing and doesn't have access to your files.
- What about server-side encryption? This is an additional layer of security that many cloud providers offer. It ensures that your data is encrypted while at rest (i.e., while it is stored but not being accessed).
- Will your data be encrypted while in transit, including when the provider uploads it to the cloud? This should be done via an encrypted Secure Sockets Layer (SSL) tunnel, with at least 256-bit encryption. Fortunately, you will find this is commonplace for most cloud service providers.
Who has access to your data and why? You'll want to be absolutely clear regarding the provider's access policy.
- The cloud service provider's employees will have access to its data centers and servers. But only authorized employees should have access, and that authorization should be based on a business need.
- Be sure that the servers are owned, operated, and maintained by the cloud service provider itself and not by a third party. If the provider uses servers that are owned and maintained by a third party, you would have less control over data security.
- In your office, only those with a valid need for the data should have access to your cloud. For staff with a valid need, choose a cloud storage service that supports multiple users, so that each person has his or her own credentials to access the cloud.
What will happen to your data in the event of a natural disaster or site outage?
- The cloud provider should have a business continuity or disaster recovery plan in place.
- Be sure that you will have 24/7 access to your data and the people who can help you recover it—especially if you're paying for this service.
Once you've decided on a cloud service provider, consider taking the following steps for added security:
- Enable multifactor authentication on your cloud account.
- Audit your files frequently. If you no longer need to retain a backup of the data, take it off the cloud. Be sure to back up your files often—daily if possible.
- Maintain a record of which staff members have access to the cloud.
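One way to run the access-record and multifactor checks from the steps above, as an added example that is not part of the original article: a Python script that reconciles the firm's access record against a user list exported from the provider. The CSV column names, the function names, and every sample row are constructed assumptions.

```python
import csv
import io

# Constructed sample: the firm's own record of who should have cloud access and why.
ACCESS_RECORD = """email,business_need
alice@example.com,client onboarding
bob@example.com,backup administration
dave@example.com,
erin@example.com,quarterly reporting
"""

# Constructed sample: user list exported from the provider's admin console.
# The column names are assumptions; rename them to match the real export.
PROVIDER_EXPORT = """email,mfa_enabled
alice@example.com,true
Bob@Example.com,false
carol@example.com,true
dave@example.com,true
"""


def load(text):
    """Index CSV rows by normalized e-mail address."""
    return {row["email"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}


def audit_access(record_csv, export_csv):
    """Compare the access record with the accounts that actually exist."""
    record, accounts = load(record_csv), load(export_csv)
    return {
        # Accounts nobody wrote down: remove them or add them to the record.
        "unrecorded": sorted(set(accounts) - set(record)),
        # Record entries with no account: the record is stale.
        "no_account": sorted(set(record) - set(accounts)),
        # Accounts that can sign in without multifactor authentication.
        "no_mfa": sorted(e for e, r in accounts.items()
                         if r["mfa_enabled"].strip().lower() != "true"),
        # Access granted without a stated business need.
        "no_business_need": sorted(e for e, r in record.items()
                                   if not r["business_need"].strip()),
    }


if __name__ == "__main__":
    for finding, emails in audit_access(ACCESS_RECORD, PROVIDER_EXPORT).items():
        print(f"{finding}: {', '.join(emails) or 'none'}")
```

Any non-empty list is a follow-up item: an account to remove or document, a record entry to retire, or a user who still needs multifactor authentication switched on.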
Do Your Homework!
Remember, when you enlist a cloud service provider to store or back up your data on its servers, you are never truly in full control of it, so do your homework. But by choosing the right cloud service provider for your practice, you'll be helping to ensure the safety of your clients' sensitive information and fulfilling your role as their trusted advisor.