When our library decides to put its data in the cloud for backup storage and emergency access, what encryption, level of security, and access do we need to consider for non-personal information data versus personal data that might include payroll information and such? Is there a going rate that is reasonable? Are there other considerations and issues to watch out for when considering contracting with a tech company providing these services?
Cloud-based storage services can now be considered a routine part of the technical infrastructure for almost any organization. Businesses, government agencies, and non-profits regularly rely on public, private, or hybrid cloud deployments for storage of critical data.
It's important for libraries to develop multi-tier strategies that govern how their data is managed. These strategies will ensure that all data is properly controlled at all stages. The level of security and encryption will depend more on the type of data and its business environment rather than the technology employed. Data stored locally should meet the same security and encryption requirements as any cloud-based options.
It is often the case that data will be more vulnerable when housed on local devices and servers. Laptop and desktop computers can be seen as having the highest risk. The users of these computers may not always follow the most stringent security practices. Any data files stored on the built-in storage devices have a high level of risk due to the possibility of loss or theft as well as equipment failures. Data files are much safer when stored directly on institutional network drives or on cloud storage services, such as Microsoft OneDrive, Google Drive, Dropbox, Box, or similar services. Most of these services enable functional access to files when the computer is offline, with automated synchronization when it reconnects to the internet.
The weakest link in the security of data is the people involved. It has been my experience that in many organizations, individual staff members treat their work-related files according to their own preferences. These files may be stored on personal cloud services, flash drives, or other media.
Data associated with general productivity applications should have at least three levels of protection. In most cases, the layers would include copies cached on the local computer, a copy on the institutional file server or cloud-based storage service, and an offline archive on the institutional tape library or a cloud service, such as Amazon Glacier. Some organizations may use multiple cloud services to distribute copies of critical data files or at least storage services deployed in different geographic regions. In most cases, the synchronization of the local and cloud copies of data files can take place in real time, with periodic scheduled transfer to offline storage options.
Files with personally identifiable information or other sensitive data require additional levels of security and protection. Sensitive data should be encrypted throughout its lifecycle. The procedures described above for multi-level storage options guard primarily against the loss of data through technical failures or human error. Additional layers are required to ensure that, in the event of any type of intrusion or security incident, exposure of the files will not enable an unauthorized intruder to gain access to their contents. Sensitive files should therefore be encrypted as records are saved onto storage devices and when transmitted through local networks or through the internet.
The encryption of data files will often be controlled by the business applications involved. In the library context, the ILS manages patron records and related usage data. Personnel and financial data may be created through spreadsheets, enterprise resource planning, or other business systems. These applications should be configured to follow security protocols that enforce encryption for all data that the library considers as sensitive. Although sensitive information can be encrypted as it is transferred to backup drives or other storage locations, significant vulnerabilities remain when business applications do not apply such protections when working with live data.
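The three-tier flow described above, with sensitive records encrypted before they reach any tier, can be shown concretely. The following Go program is an added example and is not code from the original column or from any library system it mentions. It encrypts a constructed payroll record with AES-256-GCM, binds the name of the storage tier to the ciphertext as associated data, and stores only the sealed blob in each tier. The secret passphrase and the tier names are assumptions for illustration; in a real deployment the key would be held by a key management service, not derived from a passphrase next to the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample record, as a business application might serialize it.
// The SSN is a placeholder, not a real value.
const samplePayrollRecord = `{"employee":"J. Doe","ssn":"000-00-0000","salary":52000}`

// deriveKey turns a long-lived secret into a 32-byte AES-256 key.
// Hypothetical simplification: production systems obtain the key from an HSM or KMS.
func deriveKey(secret []byte) []byte {
	sum := sha256.Sum256(secret)
	return sum[:]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts plaintext with AES-256-GCM. The tier name is authenticated as
// associated data, so a blob lifted from one tier cannot be replayed as another tier's copy.
// Output layout: nonce || ciphertext || tag. This is what gets written to storage.
func sealRecord(key, plaintext []byte, tier string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, plaintext, []byte(tier)), nil
}

// openRecord decrypts a blob written by sealRecord; any modification or a wrong tier label fails.
func openRecord(key, blob []byte, tier string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(tier))
}

// backupToTiers produces one sealed copy per storage tier; plaintext never leaves this function.
func backupToTiers(key, plaintext []byte) (map[string][]byte, error) {
	tiers := map[string][]byte{}
	for _, t := range []string{"local-cache", "file-server", "offline-archive"} {
		blob, err := sealRecord(key, plaintext, t)
		if err != nil {
			return nil, err
		}
		tiers[t] = blob
	}
	return tiers, nil
}

// containsPlaintext is a sanity check that a stored blob does not leak the original bytes.
func containsPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key := deriveKey([]byte("constructed-demo-secret"))
	copies, err := backupToTiers(key, []byte(samplePayrollRecord))
	if err != nil {
		panic(err)
	}
	for tier, blob := range copies {
		fmt.Printf("%-16s %d bytes, leaks plaintext: %v\n", tier, len(blob), containsPlaintext(blob, []byte(samplePayrollRecord)))
	}
}
```

Binding the tier name as associated data is a small design choice with a practical payoff: a backup restored into the wrong tier, or a blob swapped between tiers by an intruder, fails authentication instead of silently decrypting.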
Authentication credentials, especially passwords, also require special treatment. Many security intrusions involve exposure of username and password files, which can then be used for subsequent attacks. The industry-standard practice of using one-way hashing algorithms to store passwords provides a high level of security. Hashed passwords enable the authentication service to verify that the password entered matches the one stored but do not enable that password to be viewed or extracted. Any product or service where a system administrator or staff member can view a password has not enabled password hashing and would not be regarded as secure enough to store sensitive data.
- Cloud-based storage is increasingly the standard operating environment for most organizations.
- Additional precautions should be taken for sensitive data to ensure its protection during active use, storage, transmission, as well as in backup or archival copies.
- Cloud storage offers protections beyond that of local devices and servers.
- Desktops and laptops are usually the weakest option for data storage.
- Distribution of data across multiple local and cloud storage options provides the most protection.
- Sensitive data must be encrypted throughout its operational lifecycle, beginning with the applications that record the data, and must remain encrypted as it moves through networks to each tier of storage and backup.
- Passwords should be protected with one-way hashing algorithms.
- Organizations should have explicit data storage policies that are enforced by their business applications and followed in the procedures of their personnel.
- Treatment of data should not be at the discretion of individuals in the organization but should be managed within institutional infrastructure, policies, and procedures.