The cloud is here. I don’t think anyone doubts this now; what started as an unusual business and technology model a few short years ago with innovators like Salesforce.com has now become almost a de facto way of implementing new services for organizations large and small.
Cloud Service Providers (CSPs) form a significant part of the CertiKit customer base, so we thought we’d take a look at why so many companies in this growing industry are getting themselves certified.
The idea behind the cloud is great, because it leverages big economies of scale to make processing facilities available at a fraction of the cost that it would take for a single company to do it themselves. It allows even the smallest company to do what previously was the preserve of those with big IT budgets.
But the downside is that we now have a huge store of data from many companies all in one place. This presents a much more attractive target for hackers to go at because, not only does it have to be internet-accessible, but there is only one set of security controls to breach in order to get access to all that lovely data. So many CSPs feel as though they have a big round target painted on their backs, and “threat actors” from all over the world are queuing up to try their luck.
Ask any CSP what their most valuable asset is, the one they fear to lose the most, and they may well tell you that it’s their reputation. The cloud is a competitive market and customer loyalty is in many cases a thing of the past. So if a CSP suffers a security incident in which information is lost then that can affect their reputation and so lose them many customers. The press love a good hacking story, whichever country you’re in, so the chances of keeping it quiet are pretty slim.
Furthermore, even if you weren’t required to make an incident public before, chances are you will in the future. Many states of the USA have mandatory breach notification laws and with the coming of the European Union’s General Data Protection Regulation (GDPR) in 2018, companies will be more obligated than ever to tell the world when something bad happens. Add to this the increase in the fines applicable if an organization is judged not to have protected personal data effectively (up to 4% of worldwide turnover) and the stakes have definitely risen.
All of this hasn’t escaped the notice of most corporate customers of CSPs; they don’t want to be publicly shamed and fined any more than the CSPs they use do. So they now look very carefully at the CSPs they consider making use of to get a fair degree of reassurance that their data will be protected. And how do they judge that?
By asking whether the CSP has ISO27001 certification. This tells them that the CSP has an Information Security Management System (ISMS) in place and is actively managing its information security risks and controls. This is testified to by a reputable third party, a Registered Certification Body (RCB) that has audited the CSP and issued a certificate to say it meets the ISO27001 standard.
So what does all this mean for the CSPs themselves? Well, it means that:
All of which adds up to a solid business case to become certified to the ISO27001 standard.
And if you use the CertiKit ISO27001 Toolkit, you will get there even quicker.