I read and heard that some organizations would use cloud services for non-sensitive data to be shared so as to reduce operational costs.
However even with TLS (Transport Layer Security), file encryption and other security technologies, some government sector or organizations would still host their own file servers / VPN for top secret or confidential information. Why is that so?
Could data be leaked out from cloud services?
It is up to organizations and individuals to make sure providers will have a secure infrastructure for storing their information. While data theft is always a concern with most people, data alteration would also be something to consider.
For individuals, make sure your cloud uses a good verification system. Find out where your data is and know the procedure for reporting and recovering it should there be a disaster. Verify that encryption is used. Run your own backups of your information. Make sure recovery information for your account such as where you can receive password reset information is current.
On the other hand, companies are responsible for the security their of data, even when it is held by a service provider.
Although the following article was written in 2009, the suggested best practices still apply:
* Inquire about exception monitoring systems * Be vigilant around updates and making sure that staff don't suddenly gain access privileges they're not supposed to. * Ask where the data is kept and inquire as to the details of data protection laws in the relevant jurisdictions. * Seek an independent security audit of the host *Find out which third parties the company deals with and whether they are able to access your data * Be careful to develop good policies around passwords; how they are created, protected and changed. * Look into availability guarantees and penalties. * Find out whether the cloud provider will accommodate your own security policies
Companies also implement private cloud services which could be driven around control, rather than security, as employees come and go, and this would mitigate the risk of data theft by ex-hires.
Remember too that there are requirements for data security that are implied by securities laws in many countries. The accidental release of, say, financial data prior to any public release creates a disclosure requirement with, in the US, the SEC. That could be extremely embarrassing and even create abnormal stock tradeing in a company's stock.
A security expert shared an incidentwhere the CEO of a major publically traded company had his laptop stolen from his hotel room. That mandated public disclosure and SEC filings, and made the front page of the Wall Street Journal, which was both embarrassing indeed, and potentially dangerous as well.
Organizations and individuals should consider the increased public relations implications if that type of data were stored on a public cloud service rather than on a private server, either using a private cloud, VPN or both. Significant questions could be raised if the compromised data were stored on a public cloud.