
ISO 27001 and Cloud Computing: What’s all the fuss about?

With the introduction and strong uptake of cloud computing in recent years, we are often asked how ISO 27001 and Cloud Computing work together. Specifically, organisations are unsure how to manage cloud computing in their environment, and whether cloud services should or shouldn’t be included within their scope.

Some organisations are keen to utilize the benefits of cloud computing for numerous reasons such as on-demand resources and a flexible pricing model, but are concerned about how this may impact their ISO 27001 certification. In this article, we hope to dispel concerns regarding cloud computing and offer guidance on how organisations should manage the risks from cloud computing in their management system.

What is Cloud Computing?

Firstly, we need to understand exactly what cloud computing is. In short, cloud computing is the practice of utilizing remote servers hosted on the Internet to provide services to the organisation. This is in contrast to having on-premises servers, which are located within the organisation's physical boundaries and managed by the company. Take an email service as an example: historically the Exchange servers would be located in the organisation's own data center, whereas with a cloud service they would be hosted within the cloud service provider's data center.

So what are the benefits of cloud computing and why are organisations using cloud over traditional in-house services? Well, cost is an important factor. Because cloud services are hosted on highly powerful virtualized servers, cloud service providers can offer a number of services in a multi-tenanted environment.

In short, this means that service providers can reduce their hardware costs by virtualising servers and hosting a large number of consumers. Similarly, organisations can reduce their costs in terms of hardware, management, physical locations and monitoring. Now that we have a brief understanding of what cloud computing is, let’s look at the security implications of using these services.

How does Cloud Computing affect security?

As cloud services are not hosted within the organisation's control, there are a number of considerations that need to be made before using any cloud service. The organisation must have a level of assurance that the cloud service provider has implemented a sufficient level of technical controls to reduce the risk of attack.

As cloud service providers host a large number of customers, each with a gold mine of data sets, they often become a prized target for hackers due to aggregation. Therefore, the cloud service provider must have a technically secure environment, as well as ensuring non-technical controls are in place to manage the physical environment.

Let’s take an example. Imagine your organisation utilizes a SharePoint service provided by a cloud service provider. SharePoint is used by all employees within your company to store all levels of data, including sensitive items such as employee personal information and/or business strategy.

The cloud service provider also hosts numerous other clients with sensitive data on the same physical hardware as your SharePoint instance (remember, the hardware is segregated into tenants through virtualization technology).

However, the cloud provider also hosts a SharePoint instance that is used by malicious hackers. If the provider has not ensured that there is adequate separation in the virtualisation technology used, the hacker could feasibly hop across from their SharePoint instance to access all other data on that server, compromising all tenants and their data.

Taking the above example one step further, how can we ensure that the data being transmitted from the cloud service to our end users or to our data centers is secured? If the cloud provider does not use suitable encryption, there is a risk that a man-in-the-middle attack could occur and data could be compromised in transit.

Another consideration may be the support team at the cloud provider's data center. A malicious insider may compromise your data without your knowledge, and as the service is not hosted within your data center there is less oversight in terms of logging and monitoring (unless the service provider provides this).

These are just some of the considerations that should be made when purchasing cloud services. The organisation must always weigh up the risks of storing and processing data in the cloud and perform due diligence against service providers before opting to take this route. So how do ISO 27001 and Cloud Computing work together? And what should the approach be for an organisation using cloud services?

ISO 27001 and Cloud Computing: Scope

The first consideration is scope of your ISMS. Are cloud services included within your scope, part of your reliance scope, or completely out of scope? The answer is that these services should be included either within the main or reliance scope of your ISMS if they are processing data considered within scope. For example, if your scope is to protect customer data and you have a cloud-based CRM service containing this data, then you must include this within scope.

We cannot transfer risk completely by saying “well, it isn’t within our building so it’s not our problem” – the risk is to your data so you must implement controls to reduce risk wherever the data resides.

In practice, the organisation must firstly conduct due diligence against the cloud service provider. Assurances should be gained that the provider operates in a secure manner, and that the environment is locked down and tested. Numerous frameworks exist to support this – providers are often accredited against, or self-assess against, control frameworks. The Cloud Security Principles are one such set of security controls; the Cloud Security Alliance (CSA) STAR framework is another. Organisations should ensure their providers have sufficient assurance initially.

Further to this, the organisation should define their functional and non-functional requirements – including security requirements. Cloud service providers should provide assurance they can meet these requirements, from both a technical and non-technical perspective. Once the organisation is satisfied there is a suitable level of control in place, service level agreements should be formed to ensure that the cloud provider understands their responsibilities for maintaining security.

The organisation should further define roles and responsibilities of the provider as well as themselves to ensure that full coverage is maintained at all times e.g. logging and monitoring of the service should be the responsibility of the provider who reports to the consumer.

ISO 27001 and Cloud Computing: Further Controls

A number of controls must be considered to secure cloud services, including secure separation, isolation and access control.

Once the above assurances have been obtained, due diligence performed and SLAs and security agreements in place, the organisation should ensure controls are implemented for the service in the same way as for an internal service. For example, access controls should be in place and based on role, to enforce least privilege.

This can often be implemented through policies on the cloud service, governed and monitored by the organisation. Numerous controls for ISO 27001 Annex A could be applied for specific applications or services, and these should be investigated.
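As an added illustration (example code, not from the original article) of role-based, least-privilege access that the organisation governs and monitors: a deny-by-default permission check, plus a review over the service's access log that flags permissions a role holds but never uses, and a count of denied attempts per user for monitoring. The site, roles, users, permissions and log entries are all constructed.

```python
"""Least-privilege review for role-based access on a cloud document service.

Added example, not the article's own material: a deny-by-default RBAC check
and two review helpers driven by a constructed access log. A real service
would export its log; here the entries are made up.
"""
from collections import defaultdict

# Constructed role-to-permission policy for a hypothetical SharePoint-like site.
POLICY = {
    "hr_admin": {"hr:read", "hr:write", "strategy:read"},
    "staff":    {"public:read"},
    "auditor":  {"hr:read", "public:read"},
}

# Constructed user-to-role assignments (one role per user for brevity).
ASSIGNMENTS = {"alice": "hr_admin", "bob": "staff", "carol": "auditor"}


def is_allowed(user, permission):
    """Deny by default: unknown users, unknown roles and unlisted permissions fail."""
    role = ASSIGNMENTS.get(user)
    return permission in POLICY.get(role, set())


# Constructed access log as (user, permission, decision) tuples.
ACCESS_LOG = [
    ("alice", "hr:read", "allow"),
    ("alice", "hr:write", "allow"),
    ("bob", "public:read", "allow"),
    ("bob", "hr:read", "deny"),
    ("bob", "hr:write", "deny"),
    ("carol", "public:read", "allow"),
]


def unused_permissions(policy=POLICY, assignments=ASSIGNMENTS, log=ACCESS_LOG):
    """Map each role to the permissions it holds but never exercised (allow only)."""
    used = defaultdict(set)
    for user, perm, decision in log:
        if decision == "allow" and user in assignments:
            used[assignments[user]].add(perm)
    return {role: sorted(perms - used[role])
            for role, perms in policy.items() if perms - used[role]}


def denied_attempts(log=ACCESS_LOG):
    """Count denied requests per user; repeated denials are a monitoring signal."""
    counts = defaultdict(int)
    for user, _perm, decision in log:
        if decision == "deny":
            counts[user] += 1
    return dict(counts)
```

Permissions reported by unused_permissions are candidates for removal from the role; the review is only as good as the log the provider exports, which is why the article places that reporting in the SLA.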

Conclusion

In conclusion, ISO 27001 and Cloud Computing complement each other well, and the standard can be used to reduce risk to data when in the cloud. The organisation should ensure they perform the right amount of due diligence before proceeding with any cloud service to reduce their risk profile, and this should be documented and understood.

The organisation should understand that, although management of the service is outsourced, the risk to data remains with the organisation and should be managed appropriately. Risk assessments are always a good idea to begin with, identifying the highest risk services and ensuring these have priority.
