Regardless of which provider you choose, storing data securely in the cloud requires implementing good sharing settings and training staff to understand how and when to share (and not share) folders and documents. In general, you should set up folders within your cloud storage drive that limit access to only the staff who need it for given files. Routinely audit your system to make sure that you are not “oversharing” any files (such as by turning on universal link sharing for files that should instead be limited to just a few people).
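As an added illustration of the audit described above (not part of the original handbook), the sketch below scans a file listing shaped like a Google Drive API v3 `files.list` response and reports entries shared by link with anyone, with a whole domain, or with accounts outside the organization. The sample listing and the `example.org` domain are constructed, and `classify` and `audit` are hypothetical helper names.

```python
import json

# Constructed sample, shaped like a Google Drive API v3 files.list response
# requested with fields=files(id,name,permissions(type,role,emailAddress,domain)).
SAMPLE_LISTING = json.loads("""
{"files": [
  {"id": "f1", "name": "Donor list.xlsx", "permissions": [
     {"type": "user", "role": "owner", "emailAddress": "director@example.org"},
     {"type": "anyone", "role": "reader"}]},
  {"id": "f2", "name": "Press release.docx", "permissions": [
     {"type": "user", "role": "owner", "emailAddress": "comms@example.org"},
     {"type": "domain", "role": "writer", "domain": "example.org"}]},
  {"id": "f3", "name": "Field notes.docx", "permissions": [
     {"type": "user", "role": "owner", "emailAddress": "staff@example.org"},
     {"type": "user", "role": "writer", "emailAddress": "volunteer@example.net"}]},
  {"id": "f4", "name": "Budget.xlsx", "permissions": [
     {"type": "user", "role": "owner", "emailAddress": "finance@example.org"},
     {"type": "group", "role": "reader", "emailAddress": "board@example.org"}]}
]}
""")

ORG_DOMAIN = "example.org"  # assumption: the organization's own domain

def classify(permission, org_domain=ORG_DOMAIN):
    """Return a finding label for one permission entry, or None if it is scoped."""
    ptype = permission.get("type")
    if ptype == "anyone":  # universal link sharing
        return "link-shared with anyone"
    if ptype == "domain":  # everyone in a domain, not just the staff who need it
        return "shared with entire domain " + permission.get("domain", "?")
    if ptype in ("user", "group"):
        email = permission.get("emailAddress", "")
        if not email.lower().endswith("@" + org_domain):
            return "shared with external account " + (email or "(unknown)")
    return None

def audit(listing, org_domain=ORG_DOMAIN):
    """Return (file name, role, finding) tuples for every overshared entry."""
    findings = []
    for f in listing.get("files", []):
        for p in f.get("permissions", []):
            label = classify(p, org_domain)
            if label:
                findings.append((f["name"], p.get("role", "?"), label))
    return findings

if __name__ == "__main__":
    for name, role, label in audit(SAMPLE_LISTING):
        print(f"{name}: {label} ({role})")
```

Each finding is a prompt for review rather than proof of a mistake: a press release may legitimately be shared widely, while a donor list should not be.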
What if we do not trust Google or Microsoft or other cloud storage providers?
If one of your adversaries (for instance, a foreign or local government) can legally force Google or Microsoft (or another cloud storage provider) to hand over data, then it might not make sense to choose them as data storage options. This risk might be higher if your adversary is the United States government, for example, but much lower if your adversary is an authoritarian regime. Keep in mind that Google and Microsoft both have policies about only handing over data when legally obligated to do so, and recognize that your organization could itself be vulnerable to the same sort of legal demands from your own government if hosting data locally.
In situations where Google or Microsoft cloud storage does not make sense for your organization, an alternative option to consider is Keybase. The “teams” feature in Keybase allows your organization to share files and messages using end-to-end encryption in a secure cloud environment without having to rely on a third-party provider. As a result, it can be a good option for securely storing documents and files across your organization. However, Keybase is less familiar to most users, so be aware that adoption of this tool is likely to take more training and effort than the other solutions mentioned above.
With that said, if you do opt to go it alone and not use cloud storage at all, it is crucial that you invest time and resources into strengthening the digital defenses of your organization’s devices, and ensuring any local servers are properly configured, encrypted, and kept physically safe. You may save on monthly subscription fees, but it will cost your organization in staff time and resources, and in being far more vulnerable to attack.
Backing up data
Whether your organization stores data on physical devices or in the cloud, it is important to have a backup. Keep in mind that if you rely on physical device storage, it is quite easy to lose access to your data. You could spill coffee on your computer and destroy the hard drive. Staff computers could be hacked and all local files locked with ransomware. Someone could lose a device on the train or have it stolen along with their briefcase. As mentioned above, this is another reason why using cloud storage can be a benefit, because it is not tied to a specific device that can be infected, lost, or stolen. Macs come with built-in backup software called Time Machine which is used together with an external storage device; for Windows devices, File History offers similar functionality. iPhones and Androids can automatically back up their most important contents to the cloud if enabled under your phone’s settings.
If your organization is using cloud storage (like Google Drive) the risk of Google being taken down or your data destroyed in a disaster is quite low, but human error (like accidentally deleting important files) is still a possibility. Exploring a cloud backup solution like Backupify or SpinOne Backup may be worthwhile.
If data is stored on a local server and/or local devices, a secure backup becomes even more critical. You can back up your organization’s data to an external hard drive, but be sure to encrypt that hard drive with a strong password. Time Machine can encrypt hard drives for you, or you can use trusted encryption tools for the whole hard drive like VeraCrypt or BitLocker. Be sure to keep any backup devices in a separate location from your other devices and files. Remember, a fire that destroys both your computers and their backups means you do not have backups at all. Consider keeping a copy in a very secure location, such as a safe deposit box.
Note: if using a cloud provider in a country with specific data localization laws, check with legal experts to better understand how a cloud storage solution can comply with any local requirements. Many cloud storage providers, including Google and Microsoft, now offer options that allow some customers to choose the geographic location of their data in the cloud, for example.