Cloud computing is undoubtedly one of the most significant shifts in information technology in recent times. The availability of seemingly limitless capacity paired with rich functionality in a greatly accelerated timeframe and at a generally reasonable cost is an attractive formula that is winning converts the world over. Most organizations large and small are now taking advantage of these facilities and the delivery model for IT is changing, with data increasingly held outside the walls of the organization’s internal network.
But data security remains a concern. We’ve looked previously at how cloud software providers are embracing ISO27001, but that’s only part of the story. Security in the cloud is shared: the provider secures the platform, and if you make use of cloud services you have a responsibility to fulfil your part of the bargain, from deciding what data goes there to controlling who can log in. The ISO27001 information security standard can help with that too. Here we outline eight ways in which ISO27001 can help you to make your organization’s use of cloud as secure as possible.
If you don’t know much about the information you hold in the first place, then protecting it becomes much more difficult. ISO27001 expects you to create an information asset register and then classify your data according to legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. You can use whatever classification names you like, such as “Confidential” or “Restricted”; the key point is that you know which information is particularly important to your organization and can protect it accordingly, especially when it’s in the cloud. You may even decide to have a policy that restricts which data can be placed into the cloud according to its classification, or that requires particular controls (encryption, a specific hosting region, a vetted provider) for the more sensitive classes. Either way, classifying your information makes those decisions that much easier.
A key part of ISO27001 is the emphasis on identifying, assessing and treating your risks. A risk is something that hasn’t happened yet but, if it did, would have a detrimental impact on your organization. Ok, it’s hard to see into the future, but by at least thinking about what could happen you become much more proactive in putting in place those “just in case” actions. This also applies to how you assess potential cloud suppliers: is there more risk with one than another? What would the impact be if the data you place in the cloud were compromised, lost or made unavailable? What controls do you need the cloud provider to have in place, and which ones remain yours to implement?
You may have decided that the cloud is the way to go, but you’re not the only one that has a say in this. You may have legal, regulatory and contractual obligations that affect what you are allowed to do, for example restrictions on where personal data may be stored or processed, or customer contracts that forbid subcontracting. If you breach these obligations a lawsuit, regulatory fines or even jail time could follow, so you’d best know what they are before you sign up. This is a key aspect of ISO27001: understanding what it is you are trying to achieve and how much freedom you have to play with.
We’ve all done it: encounter a problem, start wondering whether there’s a cloud app for it, and before you know what’s happened you’ve entered your credit card details and begun uploading data to a company that you hadn’t even heard of ten minutes earlier. How much do you know about them? Where do they keep your data? What security controls do they have in place? Are they even a real company? These are all questions that tend to be ignored in the heat of the moment. You owe it to yourself, your customers and your shareholders to take basic precautions when choosing a cloud supplier.
For an in-house project you will often have the time to consider how an IT service is going to be delivered. With cloud it can all happen much faster and some basic controls can go out of the window. One of these is segregation of duties: the idea that one person should not have complete control over a process, which reduces the temptation to get creative simply because you can. The classic example is being able to raise a purchase order and then approve the invoice that pays it, but the cloud equivalents are less obvious: the person who creates users in a cloud app should not also be the one who decides what those users are allowed to do, and the administrator who configures the service should not be the only one who can see the audit log of what they did. Try to ensure that duties in a cloud environment are designed to be secure, and that means segregated.
ISO27001 places great emphasis on access control, and this matters even more for cloud services than for internal systems. A cloud login page is reachable from the public internet by default, so the network perimeter, VPN and internal firewalls that shield an on-premises application are simply not in the path: anyone with a browser can get to the login screen, and credential stuffing and password spraying are the attacks to expect. This makes policies on password strength far more important and the use of some form of two-factor authentication a very good idea. One caveat on expiry: current guidance (NIST SP 800-63B) advises against forcing periodic password changes, which push users towards predictable variants of the old password; instead require a change when a credential is known or suspected to be compromised, check new passwords against breached-password lists, and put the effort into the second factor.
Ok, nobody likes to be audited, but you have to admit that having somebody else check over your security is a good idea. If you sign up for a cloud service and never check that all the promises you were made at the start have actually been delivered, you’re asking for trouble. The ISO27001 regime of internal audits, management reviews and external audits should keep you on your toes enough to avoid any embarrassing security breaches. Or if they do happen, you can blame the auditor (only kidding, auditors).
You may have checked the supplier out when you signed up, and you may be happy with the promised level of service, but how do you know that’s what you’re actually getting? Checking that the service being received is the service you’re paying for is the objective of several ISO27001 supplier-relationship controls: reviewing the provider’s service reports, independent assurance reports and certifications, and monitoring the security levels agreed in the contract. These controls also cover changes the supplier makes (new subprocessors, relocated data centres, altered features or defaults) that could leave you with a reduced level of security. Like everything else, cloud is a moving target and an ISO27001 management system helps you to cope with change.
Making use of cloud services is one of the most effective business enablers of the 21st century so far. Wrapping the ISO27001 standard around the cloud gives you the tools to capitalize on the advantage without risking your security.
Cloud and ISO27001 – a formidable combination.