There are a bunch of online services, and it’s hard to figure out who’s doing a good job unless you’re an expert. This list only has services most people need. There are lots of other secure solutions for each of these categories; this list only includes those I already know to be good.
Note: I am not compensated by anyone, in any way, for any item on this list: it comes only from my own professional analysis. Weird, I know.
Recommended Online Services
Google G Suite
Microsoft Office 365
Let’s say you need something weird that my list doesn’t talk about. You’ve narrowed it down to three choices, and security is important because you want to store nuclear launch codes in it and bad people are after you. One of the choices proudly advertises, “Guaranteed Secure by McAfee!” What exactly does that mean?
It usually means nothing.
Certifications exist because the technical parts of security are complicated. In theory, they are a low bar: if you are certified, it means that someone checked what you do and then said you’re not terrible. But for a lot of reasons, most of them are just marketing. Some mean a little; those are listed at the end. None of them come close to guaranteeing that someone’s doing a good job. Here’s a quick summary of some of the most common certifications.
Completely worthless. It doesn’t say anything about their security, or even about whether they’re legitimate. Examples:
Completely worthless. People who work with credit cards need to have this, but anyone can self-certify, and their answers only get checked if something terrible happens and Visa sends a cleanup crew to figure out who should pay for all the fraud.
SOC1, SOC2, SOC3
Worth a little bit. They are the security version of “Nobody ever got fired for buying IBM.” They don’t tell you how good a company is at the important things, and they have lots of weasel words.
Big companies like them because if something goes wrong, they can point and say, “Not our fault: See the SOC2? We did everything we’re supposed to!” when they get sued.
Worth a little bit. It mostly means that someone spent a lot of time writing policies about security. Like a SOC2, it doesn’t check for the important things.
Not a certification, but means a little bit. A SIG is a huge list of technical questions to which a company answers yes or no. If they have one, that sometimes means they thought about it. It may even mean that they get pressure from customers to actually do the things on the list. But sometimes all it means is that a sales rep spent 40 minutes clicking “yes” to every question.
Worth a fair bit. It means that they persuaded the US federal government to trust them to store government secrets. Think what you want about the federal government, but they put you through the wringer.
Not a certification, but still worth a fair bit. If a business advertises a BAA (a HIPAA Business Associate Agreement), it usually means that they know the federal laws for securing health info. Screwing those up gets you huge fines, so if you see one, it means they’ve thought about what they’re doing.