Sending your data into the cloud has implicit security risks. Attackers could potentially intercept the data during transmission or the data can be compromised on the cloud server itself. Ensuring encryption exists at all points of transmission and storage will help to ensure your data remains secure. Let's look at several aspects of security when selecting your cloud-based service provider.
Cloud providers typically offer security using SSL when used in a web browser client or a Virtual Private Network (VPN) and they should be fully utilized. Some businesses feel that by eschewing the cloud provider's security in favor of their own local encryption, they would have more control over their own data security.
The problem with this approach is cloud metadata would still be visible over an unencrypted wire. Typically this metadata would include timestamps and filename information which in the hands of an attacker. This could pose a threat with information leakage even if they can't access the file itself.
Instead, it's favorable to use double-encryption rather than avoiding the cloud's encryption even if there is a slight performance bump. In the event that the cloud provider's encryption fails or there is concern about snooping by a provider, you would still be protected through local encryption.
Transmitting data from your private corporate servers into a shared-usage cloud-based architecture presents its own risks. Although data would likely be encrypted at the cloud's servers, for sensitive files you don't want to chance it. An attacker could be another tenant of the cloud system or an agent of the vendor itself. If an attacker was to gain access to your storage & the vendor's encryption had failed, your information is no longer secure.
Again, encrypting the file locally before transmission would mitigate this risk by removing the dependence on the vendor's own security measures. Put the onus on your users to ensure they've taken this necessary precaution especially for highly sensitive files.
Ensure that your cloud credentials are unique without the possibility of them being shared between other cloud customers. Although on-disk encryption would prevent the possibility of viewing the data within the files, it wouldn't prevent an unauthorized party from accessing your filespace and deleting files.
The rule of thumb is to select your own user IDs and passwords whenever possible, prior to transmission of any data. Don't rely on the vendor providing your users their credentials under the assumption that they are unique to your organization.
Instead ensure your users get to select their own user ID and password, and in cases where this is not possible, that they at least change their password immediately after receiving it to their own liking.
Users who manage their own keys are notorious for disabling cryptography for the sake of saving effort or just, for whatever reason, deciding not to enable it during file transmission.
Instead, don't rely on users to manage their own keys. Make it part of a seamless solution. By removing the reliance on users having to activate cryptography, you can ensure that the files are transmitted securely. Also, ensure that the private keys themselves are difficult to retrieve using a secure escrow facility. Compromised keys can be a disaster if an attacker were able to retrieve them.
We've looked at several considerations your organization should undertake at implementing a secure cloud environment. Sending your data securely can be achieved with the right mentality of taking ownership of your own security while leveraging your cloud provider's own security mechanisms.