
Security measures for the storage of personal data in a cloud computing environment

Explanation of the points to consider in order to ensure the security of personal data in a cloud computing environment

The following points are worth considering when assessing the security of a cloud service:

1. A strong password with two-factor authentication must be used

Two-factor authentication is an effective way to further enhance cloud security, and most service providers offer such a solution. Access control is particularly important in the case of group mailboxes or shared folders. In addition, each user's access rights should be recorded and supported by appropriate change management processes. Security measures must be reviewed regularly to ensure that all access permitted at any given time is necessary and justified.

2. Default security settings should be reviewed

The default security settings of service providers should not be relied on in isolation, since cloud service providers do not necessarily follow best practices and certified quality systems by default. The security features offered should be reviewed to ensure that they are applied appropriately and in layers. Examples of security settings and controls in cloud services are:

  • Centralised access systems

  • Multi-factor authentication

  • Login notifications

  • Encryption

  • Control of accounts and notifications

  • Data loss prevention

  • Protection against malware

  • Protection against phishing

Bear in mind that the cloud service could be accessible to the public; appropriate security settings therefore need to be reviewed and implemented to secure remote access.

3. Get assurance from your (information technology) service provider

If you use an external service provider to set up the cloud service, it is important to get assurance from that service provider that their security controls meet your security requirements and protect the company's or institution's personal data. You should be actively involved in regular reviews of your cloud service security system to ensure that it is monitored, regularly updated and effective.

4. Clear policy and training of staff

It is important to ensure that staff are properly trained on how to deal with any cyber attack. Such training should be part of the company's retraining policy as a factor in reducing the risk of cyber attacks. Companies and organisations should have a clear policy regarding the use and security of their cloud services. The policy must be reviewed regularly to ensure that personal data are not stored longer than needed or after the original purpose of their use has been achieved.

5. The data must be known and secured

Companies or entities that store data in cloud computing should understand and monitor the data stored there. This allows appropriate security measures and access controls to be applied to further protect the data. Data classification provides an overview and makes it easier to determine appropriate security controls. The best security provider should be selected and information should be requested on how they meet the requirements of the company.

Ask questions such as:

  • “Who has access to the data?”

  • “How are the data secured?”

  • “How often do you take copies of the data?”

  • “How long are the data stored?”

The security settings should be reviewed regularly to ensure that they are still appropriate and up to date.

Data Protection Authority
