Communicating and Storing Data Securely

Storing Data Securely

Last Updated: July 2022

For most civil society organizations, one of the most important decisions to make is where to store their data. Is it “more secure” to store data on staff computers, on a local server, on external storage devices, or in the cloud? In 99 percent of situations, the easiest and most secure option is to keep data stored in trusted cloud storage services. Perhaps the most common examples include Microsoft 365 and Google Drive. Without a comprehensive cloud storage plan, it is likely that your organization's data is stored in a variety of places - including staff computers, external hard drives, and even a few local servers. While it is possible to secure data on all these devices, it is very hard to do so successfully without spending a lot of money and hiring significant IT staff.

When selecting a tool or service to store your data, ensure you trust the company or group behind it. A quick google search and checking with digital security experts can go a long way in helping you verify the trustworthiness of a potential tech vendor. Some questions to keep in mind include: Do they sell or share your private data? Do they have appropriate security resources on staff? Do they offer security features (like 2FA) to help you protect your account?

Data Storage and Civil Society

Two long banks of computers in a server room.

The advent of affordable (sometimes free) cloud-based data storage has made life easier (and more secure) for many resource-limited civil society organizations. Unfortunately, many still attempt to host their own servers with relatively limited IT budget, staffing, and support. In March 2021, the threat of such organizational infrastructure became real for tens of thousands of organizations across the world when a Chinese government-affiliated threat actor, called Hafnium, unleashed a global cybersecurity catastrophe with a sophisticated attack on self-hosted Microsoft Exchange servers. The attack compromised local servers, enabling the hackers to gain access to organizational email accounts, install additional malware on the victim’s servers and connected systems, and ultimately extract sensitive data. While Microsoft quickly published an update and instructions to identify and remove potential intruders once the hacks became public, many organizations lacked the IT capacity to quickly apply such updates, leaving them exposed for extended periods of time. The scope and impact of this global hack reveals the danger of civic organizations choosing to self-host email servers and other types of sensitive data, particularly without significant investment in dedicated cybersecurity staff.

Benefits of cloud storage

Even if you take all the right steps to protect your computers against malware and physical theft, it is still possible for a determined adversary to hack into your computer or local server. It is much harder for them to defeat the security defenses of, for example, Google or Microsoft. Good cloud storage companies have unparalleled security resources and have a strong business incentive to provide maximum security to their users. In short: a trusted cloud storage strategy will be much easier to implement and keep secure over time. So instead of worrying about trying to secure your own server, you can focus your energy on a handful of simpler tasks.

Keeping the bulk of your information in the cloud helps with a range of common risks. Was someone’s computer left in a restaurant or their phone on the bus? Did your child tip a glass of juice onto your keyboard, leaving your device inoperable? Does a staffer have malware and need to erase their computer and start fresh? If most documents and data are in the cloud, it is easy to re-synchronize and start fresh on a cleaned or entirely new computer. Also if malware gets into a computer or if a thief scans a hard drive, there is nothing to steal if most documents are accessed through the web browser.

What cloud storage provider should we choose?

The two most popular cloud storage options are Google Workspace (formerly known as GSuite) and Microsoft 365. If you and your staff already use Gmail, signing up your organization for Google Workspace and storing data in Google Drive with its built-in Google Docs, Sheets, and Slides apps for word processing, spreadsheets, and presentations make a lot of sense. Similarly, if you are an organization reliant on Excel and Word, the easy choice is to sign up for Microsoft 365, which gives your organization access to Outlook for email and licensed versions of Microsoft Word, Excel, Powerpoint, and Teams.

Enhancing the Security of Organizational Cloud Accounts

If your organization chooses to set up a domain in Google Workspace or Microsoft 365, be aware that both companies offer higher levels of security (for free in many cases) to civil society organizations. Google’s Advanced Protection Program and Microsoft’s AccountGuard provide extra layers of robust security to all of your organization’s cloud accounts, and help you greatly reduce the likelihood of effective phishing and account compromise. If you believe that your organization qualifies and are interested in enrolling your organization in either plan, visit the websites linked above or contact [email protected] for further assistance.

Regardless of which provider you choose, storing data securely in the cloud requires implementing good sharing settings and training staff to understand how and when to share (and not share) folders and documents. In general, you should set up folders within your cloud storage drive that limit access to only the staff that need it for given files. Routinely audit your system to make sure that you are not “oversharing” any files (such as by turning on universal link sharing for files that should instead be limited to just a few people.)

What if we do not trust Google or Microsoft or other cloud storage providers?

If one of your adversaries (for instance, a foreign or local government) can legally force Google or Microsoft (or another cloud storage provider) to hand over data, then it might not make sense to choose them as data storage options. This risk might be higher if your adversary is the United States government, for example, but much lower if your adversary is an authoritarian regime. Keep in mind that Google and Microsoft both have policies about only handing over data when legally obligated to do so, and recognize that your organization could itself be vulnerable to the same sort of legal demands from your own government if hosting data locally. 

In situations where Google or Microsoft cloud storage do not make sense for your organization, an alternative option to consider is Keybase. The “teams” feature in Keybase allows your organization to share files, and messages, using end-to-end encryption in a secure cloud environment without having to rely on a third-party provider. As a result, it can be a good option for securely storing documents and files across your organization. However, Keybase is less familiar to most users, so be aware that adoption of this tool is likely to take more training and effort than other aforementioned solutions.

With that said, if you do opt to go it alone and not use cloud storage altogether, it is crucial that you invest time and resources into strengthening the digital defenses of your organization’s devices, and ensuring any local servers are properly configured, encrypted, and kept physically safe. You may save on monthly subscription fees, but it will cost your organization in staff time and resources, and in being far more vulnerable to attack.

Backing up data

Whether your organization stores data on physical devices or in the cloud, it is important to have a backup. Especially Keep in mind that if you rely on physical device storage, it is quite easy to lose access to your data. You could spill coffee on your computer and destroy the hard drive. Staff computers could be hacked and all local files locked with ransomware. Someone could lose a device on the train or have it stolen along with their briefcase. As mentioned above, this is another reason why using cloud storage can be a benefit, because it is not tied to a specific device that can be infected, lost, or stolen. Macs come with built-in backup software called Time Machine which is used together with an external storage device; for Windows devices, File History offers similar functionality. iPhones and Androids can automatically back up their most important contents to the cloud if enabled under your phone’s settings.

If your organization is using cloud storage (like Google Drive) the risk of Google being taken down or your data destroyed in a disaster is quite low, but human error (like accidentally deleting important files) is still a possibility. Exploring a cloud backup solution like Backupify or SpinOne Backup may be worthwhile.

If data is stored on a local server and/or local devices, a secure backup becomes even more critical. You can backup your organization’s data to an external hard drive, but be sure to encrypt that hard drive with a strong password. Time Machine can encrypt hard drives for you, or you can use trusted encryption tools for the whole hard drive like VeraCrypt or BitLocker. Be sure to keep any backup devices in a separate location from your other devices and files. Remember, a fire that destroys both your computers and their backups means you do not have backups at all. Consider keeping a copy in a very secure location, such as a safe deposit box.

Note: if using a cloud provider in a country with specific data localization laws, check with legal experts to better understand how a cloud storage solution can comply with any local requirements. Many cloud storage providers, including Google and Microsoft, now offer options that allow some customers to choose the geographic location of their data in the cloud, for example.

Storing Data Securely

  • Store sensitive data exclusively in a trusted cloud storage service.
    • Ensure any connected accounts used to access such a service have strong passwords and 2FA.
  • Set and enforce a policy to limit sharing settings within the cloud.
    • Train all staff on how to properly share (and not overshare) documents.
  • If your organization opts to store data locally, invest in skilled IT staff.
  • Keep your data backups secure - encrypt backup hard drives or other backup devices.