How Nonprofits Can Ensure Security and Compliance of Sensitive Data in the Cloud

The vast majority of nonprofits employ cloud computing in some way, but they may not know or think about it. If you use Gmail, Google Docs, Microsoft Office Live Workspace, Salesforce, or Yahoo mail, you’re in the cloud. These companies give you access to their software apps over the Internet, which you access through your web browser.

The cloud delivers key advantages for nonprofits, who often possess limited funds, space, and IT staff.

Chris Hanson, CEO of software provider thedatabank, notes that the ability of nonprofits to store their donor data in the cloud puts them at an incredible advantage from a cost, flexibility, and security standpoint. Hosting a database offsite gives nonprofits adequate technology support without the time and money needed to buy servers and support a full-time IT employee.

Cloud solutions can also be deployed rapidly, and your staff and volunteers can access data in the cloud from practically any Internet connection via their login – a desirable feature for organizations with flexible work hours and locations for staff.

Still, security and compliance are critical issues; many nonprofits worry just how protected they are and how they can meet compliance regulations. It’s rare for a nonprofit to have a compliance manager. If your nonprofit is in a medical- or retail-related field and must conform to regulations, make sure your cloud service provider is compliant and certified where appropriate.

So, how can a nonprofit ensure that its vital data is secure from any modern-day hacker and that certification obligations are also met? Here are some “best practices” to help:

  1. Focus on the security basics: Because a nonprofit is likely to have countless individuals linked to its database – from employees and volunteers to donors and those it serves – it’s vital to do everything necessary to keep those who could phish, spam or hack your site at bay. Make sure that you or your cloud provider employ corrective patches, antivirus protection, backups, egress blocking, administrative passwords, and the like. These low-cost fixes remove the vast majority of attack routes. It pays to be extra-cautious when storing sensitive financial or personal information about your supporters and clients online. Further, remember that many security breaches are sparked by human error.
  2. Know and handle your compliance realities: Be sure that everyone adheres to relevant rules and regulations that apply to your field or industry, and this includes your staff, volunteers and vendors – including your cloud provider. Compliance issues are becoming more complex for many nonprofits because their funders often require various compliance-related controls. This is critical because if you don’t meet compliance mandates, it could lead to denial of federal funds or grants. A cloud-based computing services provider can help assess and avoid issues that could snag compliance rules.
  3. Test annually: A controls-based annual review and penetration test will make sure your security processes and practices stay consistent over time. Testing will also determine whether vulnerabilities are present and what risks they may pose. Compliance requirements can drive the need for penetration tests, too. Know, however, that performing scans and penetration tests in the cloud differs from doing so on a typical network or application. Communication and coordination with your cloud service provider will ensure a successful outcome.
  4. Use trusted providers: Your provider should be highly competent and service-oriented to ensure you encounter fewer problems. Make sure you have copies of and access to your data, especially if your services should go down. Also, make sure the provider ensures an acceptable level of uptime and responds rapidly when issues arise. Since cloud computing (like all technology) changes continually, be sure that your cloud provider has several thoroughly tested options for backing up and extracting your data in a standard, nonproprietary format. It’s also beneficial to choose a provider that isn’t likely to go out of business or change its service substantially. For all these reasons, as one cloud authority put it, think of the agreement with your cloud service provider as a prenuptial pact!

Look at how one nonprofit organization, Children’s Bureau of Southern California, benefits from the cloud and how the cloud has lessened its security and compliance concerns. Children’s Bureau, a leader in child abuse prevention and treatment, serves more than 28,000 children and parents annually.

To do that well, it developed the Family Assessment Form (FAF), web-based software for assessing families, planning services, and evaluating family and program outcomes. Children’s Bureau uses the FAF with its families and sells the software to other family support providers and government agencies. FAF uses a software distribution model in which applications are hosted by a service provider – usually in the cloud – and made available to customers.

The agency specifically chose a vendor that helps it meet data privacy and security requirements set forth by HIPAA federal regulatory requirements, which protect confidential client health information, as well as Canadian provincial regulations around outcomes reporting and data security.

Cloud computing almost certainly will play a bigger role in the life of virtually every nonprofit. By being proactive and thinking through security and compliance issues and relationships with vendors, you can resolve any cloud computing concerns you may have and keep your focus on your nonprofit’s core mission.

Matt Goche
Director of Security Consulting
Sungard Availability Services