Data Privacy: How Secure Are Cloud Communications Services?

What risks is your data exposed to? This cloud security study by McAfee provides detailed insights. The provider of security software surveys 1,400 IT decision-makers every year on security issues in their organisations. Impressively, 97 percent of the organisations surveyed rely on cloud services, with 88 percent storing sensitive data in cloud servers.

To be clear, data protection and security risks are not only issues for cloud services. Even organisations that rely on conventional in-house solutions repeatedly report incidents related to their IT infrastructure. What is changing, however, is the nature of the risks.

Viruses, Trojans and DDoS attacks are classic security breaches where external intruders modify or steal data, and may even completely paralyse IT operations. Neither in-house IT solutions nor cloud services are completely immune to these types of attacks. However, with the growing use of cloud services, the spectrum of data protection and security risks is changing.

Cloud technology users are exposed to different risks than are in-house IT departments. The organisations surveyed by McAfee report the following risks and incidents:

• 30 percent complain about a lack of transparency regarding how data is processed within a cloud service.
• 26 percent have experienced theft of data processed in cloud data centres by a malicious actor.
• 25 percent see room for improvement when setting up access authorisations for sensitive data.
• 23 percent of IT managers fear shadow IT through cloud services outside their control.
• 23 percent confirm a lack of know-how and competence to guarantee cloud security.

The second point is a challenge for any organisation. External actors with malicious intent are a problem that all IT managers have to deal with – whether they run their IT themselves or use cloud services.

However, the other points are much more exciting, since here we are dealing with new security aspects that relate primarily to questions of configuration, guidelines, usage and competence. In a recent report, Gartner asserts that by 2022, 95 percent of all cloud security failures will be the user’s fault.

That sounds like an accusation, but it is not. Gartner simply wants to emphasise that cloud services are secure from a technical point of view. We can confirm this from our own experience as a provider of cloud communications services – we are well aware of our responsibility in this regard.

Like many other leading cloud communications service providers, NFON relies on security measures to ensure the best possible protection of your data:

• Encryption: All data and calls are encrypted and protected against external attackers.
• Secure data centres: This is an NFON speciality – our data centres in Germany follow the highest security standards.
• Protection against external attackers: Viruses, intrusions and DDoS attacks have no chance, thanks to the latest protection programmes.
• Redundancy: Our data centres are operated redundantly, which means that users can access data, even if a data centre should fail.
• Legal security: We operate our services in accordance with GDPR requirements, the worldwide pioneer regulation in data protection.

Data protection is part of our DNA at NFON. Since we were founded in 2007, we have committed maximum security in the processing of our customers’ and partners’ data. In this blog post, we report how we have successfully implemented GDPR requirements.

Reliable cloud service providers develop their solutions according to the principle Security by design. Unlike self-developed IT and communications systems, cloud service providers have completely different possibilities and resources to provide their services with the greatest possible data protection and security mechanisms.

As Gartner confirms, the security issue of cloud services will be decided less by the technical security of the solution and more by the way people use cloud services. A data protection policy for cloud services should answer the following questions:

• Which data is processed and which security requirements are necessary? Not all data is the same. Get an overview of the data to be processed and define your required security level as a requirement for the cloud service provider.
• Which employees, customers and partners should have which form of access? Access control is much more important than the storage location of the data. An in-house server is no more secure than a cloud data centre if you do not manage access rights properly.
• Which risks do you see your data exposed to? Some organisations are a more attractive target for external attackers than others. Develop a realistic assessment of the external risks for your organisation and test all possible scenarios.

Your cloud service provider has a special responsibility to advise you on these issues in a professional manner. After all, they process huge amounts of confidential data on behalf of your organisation, every day.

Strict data protection regulations have been in force in Germany for many decades. They are a fundamental right enshrined in the constitution: explore the topic of data protection ‘made in Germany’.