Topics

Building a Culture of
Security
A Strong Foundation:
Securing Accounts and
Devices
Communicating and
Storing Data Securely
Staying Safe on
the Internet
Protecting Physical
Security
What To Do When
Things Go Wrong

Communicating and Storing Data Securely

Storing Data Securely

For most parliaments, one of the most important decisions to make is where to store their data. Is it “more secure” to store data on staff computers, on a local server, on external storage devices, or in the cloud? In 99 percent of situations, the easiest and most secure option is to keep data stored in trusted cloud storage services. Perhaps the most common examples include Microsoft 365 and Google Drive. Without a comprehensive cloud storage plan, it is likely that your parliament's data is stored in a variety of places - including staff and MPs’ computers, external hard drives, and even a few local servers. While it is possible to secure data on all these devices, it is very hard to do so successfully without spending a lot of money and hiring significant IT staff.

Data Storage and Parliaments

Two long banks of computers in a server room.

The advent of affordable (sometimes free) cloud-based data storage has made life easier and more secure for many parliaments and other organizations. Unfortunately, many still attempt to host their own servers with relatively limited IT skills or support. In March 2021, the threat of such organizational infrastructure became real for tens of thousands of organizations, including parliaments, across the world when a Chinese government-affiliated threat actor, called Hafnium, unleashed a global cybersecurity catastrophe with a sophisticated attack on self-hosted Microsoft Exchange servers. The attack compromised local servers, including that of Norway’s parliament, enabling the hackers to gain access to parliamentary email accounts, install additional malware on the victim’s servers and connected systems, and ultimately extract sensitive data.

While Microsoft quickly published an update and instructions to identify and remove potential intruders once the hacks became public, many smaller organizations lacked the IT capacity to quickly apply such updates, leaving them exposed for extended periods of time. The scope and impact of this global hack reveals the danger of parliaments and other organizations choosing to self-host email servers and other types of sensitive data, particularly without significant investment in dedicated cybersecurity staff.

Benefits of cloud storage

Even if you take all the right steps to protect your computers against malware and physical theft, it is still possible for a determined adversary to hack into your computer or local parliamentary server. It is much harder for them to defeat the security defenses of, for example, Google or Microsoft. Good cloud storage companies have unparalleled security resources and have a strong business incentive to provide maximum security to their users. In short: a trusted cloud storage strategy will be much easier to implement and keep secure over time. So instead of trying to identify (and retain) the number of dedicated and highly skilled cybersecurity staff required to protect local servers in your parliament, focus your energy on a handful of simpler tasks. These include choosing the right cloud storage option for your data privacy and localization needs, implementing good account security, training staff to properly share (and not share) folders and documents (in general, you should set up folders within your cloud storage drive that limit access to only the staff that need it for given files), and routinely auditing your system to make sure that staff and members are not “oversharing” any files (such as by turning on universal link sharing for files that should instead be limited to just a few people).

Keeping the bulk of your information in the cloud helps with a range of common risks. Was someone’s computer left in a restaurant or their phone on the bus? Did your child tip a glass of juice onto your keyboard, leaving your device inoperable? Do you need to compartmentalize data that belongs to an MP herself from information she generates for parliament itself? Does a staffer have malware and need to erase their computer and start fresh? If most documents and data are in the cloud, it is easy to re-synchronize and start fresh on a cleaned or entirely new computer. Also if malware gets into a computer or if a thief scans a hard drive, there is nothing to steal if most documents are accessed through the web browser.

Can we really trust cloud storage?

In short, there is nothing inherently untrustworthy about cloud storage. As mentioned above, most major cloud storage providers have teams of the world’s best security engineers working to protect their products every day, and offer security support to their customers beyond what most small IT departments might be able to provide on their own. Keep in mind, however, that traditional cloud storage services usually require granting access to sensitive data to a third-party company that provides the service. With that said, every individual parliament will have its own political considerations and legal requirements (such as data localization mandates) to consider when choosing whether it can trust and use a given cloud storage provider.

What cloud storage provider should we choose?

If your parliament does not have to consider any data localization requirements, and has no issue with a trusted third-party company sharing access to data, the two most popular cloud storage options are Google Workspace (formerly known as GSuite) and Microsoft 365. If your parliament already uses Gmail, signing it up for Google Workspace and storing data in Google Drive with its built-in Google Docs, Sheets, and Slides apps for word processing, spreadsheets, and presentations make a lot of sense. Similarly, if your parliament is reliant on Excel and Word, the easy choice is to sign up for Microsoft 365, which grants access to Outlook for email and licensed versions of Microsoft Word, Excel, PowerPoint, and Teams.

What if we need to control our own data or comply with data localization laws?

For many parliaments, such a simple option might not be feasible given either data localization requirements or specific expectations that require exclusive parliamentary control over its own data. The good news is that recently, secure cloud storage providers have developed options that allow enterprise customers to either choose the location of their data (note that this is mostly limited to European customers for now), or to control their own encryption keys. In practice, this means that your parliament has options to control its own data while still benefiting from the infrastructure and security of cloud storage.

If your parliament is currently using or interested in Google Workspace for cloud data storage and sharing, Google introduced a feature enabling Client-side encryption for Enterprise Plus organizations. While currently in a testing phase and available only to the most expensive Google Workspace plans, this feature provides an option to take advantage of Google Drive’s full suite of data storage and sharing functions - and the security features built into them - while limiting Google’s ability to access your parliament’s sensitive or private information. With client-side encryption, you can choose to integrate an additional key management service, such as Virtru, and allow users to manage their own encryption keys without allowing access to Google itself. Such a service requires everyone to take great care in protecting those keys to properly protect access to whichever key management system you choose to integrate into Google Workspace. Account administrators can learn more about how to enable client-side encryption on Google Workspace’s support page.

If your parliament is currently using or interested in Microsoft 365 for cloud data storage and sharing, it offers a slightly more complex but well established option for managing your own encryption keys known as Microsoft 365 Double Key Encryption. This security option requires Microsoft 365 E5, but allows you to keep control of any sensitive or private parliamentary data and limit access even to Microsoft itself.

Tresorit is another option that is simpler to implement if your parliament is concerned about allowing a third-party to access your internal information. Tresorit provides end-to-end encryption for cloud storage and file sharing, and offers a range of data residency options.
 

Enhancing the Security of Parliamentary Cloud Accounts

If your parliament chooses to set up a domain in Google Workspace or Microsoft 365, be aware that both companies offer higher levels of security for at-risk accounts. Google’s Advanced Protection Program and Microsoft’s AccountGuard provide even more robust security to eligible organizations’ cloud accounts, and help you greatly reduce the likelihood of effective phishing and account compromise. If you believe that your organization qualifies and are interested in enrolling your parliament in either plan, visit the websites linked above or contact [email protected] for further assistance.

What if we cannot trust any cloud storage solution?

If you do opt to go it alone and rely on local servers to store your parliament’s data instead, it is crucial that you invest substantial time and resources into strengthening the digital defenses of your parliament's devices, and ensure such servers are properly configured, encrypted, and kept physically safe. As stated above, such an approach requires identifying, hiring, and retaining a number of dedicated and highly skilled cybersecurity staff to maintain the security of your local server infrastructure.

Backing up data

Whether your parliament stores data on physical devices and servers or in the cloud, it is important to have a backup. Keep in mind that if you rely on physical device storage, it is quite easy to lose access to your data. You could spill coffee on your computer and destroy the hard drive. Staff computers could be hacked and all local files locked with ransomware. Someone could lose a device on the train or have it stolen along with their briefcase. As mentioned above, this is another reason why using cloud storage can be a benefit, because it is not tied to a specific device that can be infected, lost, or stolen. Macs come with built-in backup software called Time Machine which is used together with an external storage device; for Windows devices, File History offers similar functionality. iPhones and Androids can automatically back up their most important contents to the cloud if enabled under your phone’s settings.

If your parliament is using cloud storage (like Google Drive) the risk of Google being taken down or your data destroyed in a disaster is quite low, but human error (like accidentally deleting important files) is still a possibility. Exploring a cloud backup solution like Backupify or SpinOne Backup may be worthwhile.

If data is stored on a local server and/or local devices, a secure backup becomes even more critical. You can back up your parliament’s data to an external hard drive or series of drives, but be sure to encrypt such drives with a strong password. Time Machine can encrypt hard drives for you, or you can use trusted encryption tools for the whole hard drive like VeraCrypt or BitLocker. Be sure to keep any backup devices in a separate location from your other devices and files. Remember, a fire that destroys both your computers and their backups means you do not have backups at all. Consider keeping a copy in a very secure location, such as a safe deposit box.

Storing Data Securely

  • Store sensitive data exclusively in a trusted cloud storage service.
    • Ensure any connected accounts used to access such a service have strong passwords and 2FA.
  • Set and enforce a policy to limit sharing settings within the cloud.
    • Train all members and staff on how to properly share (and not overshare) documents.
  • If your parliament opts to store data locally, invest in skilled IT staff.
  • Keep your data backups secure - encrypt backup hard drives or other backup devices.