Cloud computing and data storage technologies have increased in popularity over the past few years. This is due mainly to small- and medium-sized businesses ‘flying into the cloud’ to improve business capabilities and back up critical data. The explosion of web-based applications for mobile devices has also driven the dramatic expansion of cloud computing vendors in the market. The belief that ‘the cloud’ is a safer and more secure business solution than traditional storage devices, such as in-house servers or simple external HDDs, benefits the data solution centers as well. The cloud computing industry is expecting an even larger demand for its services from the data being created by the increasing quality of our video and image capture technologies, as well as the need to share our lives around the world.
With this rapid rise in data communications traffic, what are some of the possible risks inherent in such a dependency on external companies for critical data storage? What policies and procedures or laws are in place to aid in the quality assurance of these companies as the increased demand stretches their resources?
This post will seek to understand the current climate of cloud computing and the risks related to an organization. The future of the standards and controls related to cloud based solutions will also be discussed and explored.
Current Climate of Cloud Computing
The information privacy laws that have been adopted by nearly all countries in the European Union and many in Asia and Latin America are comprehensive in protecting an individual’s or company’s right to privacy and data protection. The United States of America is a notable exception to this worldwide acceptance of higher standards in data protection. The US legislation regarding electronic data protection (ECPA) was passed in 1986, when the World Wide Web did not exist and a mobile phone cost more than $3,000; it includes a section that treats data stored on a server in the US for longer than 180 days as abandoned.
Data stored in the cloud is not legally protected in the same way that it would be if it were located on a storage device of your own.
Cloud computing security awareness was included in the European Commission’s strategy, Digital Agenda for Europe, to improve digital technologies. In April, the European Commission Directorate General for Communications Networks, Content and Technology (DG Connect) issued a Report on the public consultation for the H2020 work programme 2014-15: Cloud Computing, Software and Services, based on a web-based public consultation it had launched. A few of the report topics that emerged from the consultation included:
Quality/performance monitoring and independent performance verification
Increase confidence/trust and security for private and sensitive data
Common service level agreements (SLAs) with agreed terms
New services supporting a rapidly changing business world (B2B, not just end-user apps/social networks)
Cloud security was specifically mentioned as an objective, with renewed emphasis on increased trust and security transparency, security metrics and auditing, and overcoming the issues of holding sensitive data in third-party resources (data backups potentially make confidential data more accessible).
The Body of European Regulators for Electronic Communications (BEREC) was formed in 2009 to assist the European Union and National Regulatory Authorities in amending electronic communications laws. Personal privacy has been at the top of the list, but data protection as it relates to digital communications has recently gained more attention. In March, BEREC issued guidance on Article 28(2) of the Universal Service Directive, which suggests numerous updates to European and national laws regarding all aspects of digital communications.
From an ISMS risk management perspective, we have to pay close attention to what we perceive as a safe haven for our data and for quality data processing. If the nature of our business depends on a continuous flow of information between the cloud and our computing devices, then the risk assessment and treatment must evaluate this communication link with a higher attention to detail.
How much attention does cloud computing receive under the ISO/IEC 27000 ISMS family of standards?
Today the current set of standards and controls for establishing guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization, the ISO/IEC 27001/2:2005 certification process, contains no mention of cloud computing. The reason for this is obvious. In 2006, Amazon was establishing a collection of remote computing services that together made up a cloud computing platform, the first of its kind (Amazon EC2 and Amazon S3). As we all know, the ISO/IEC 27000 ISMS family is due for an update, which we anticipate next year.
Cloud Computing on the Horizon
ISO/IEC 27017: IT – Security Techniques – Code of practice for Information security controls for cloud computing services
ISO/IEC 27018: Code of practice for data protection controls for cloud computing services
What are companies doing now? With an ever-growing desire/need to move data management into the cloud, are the proper steps being taken to ensure a secure, continuous flow of information between the expected parties?
If you are using an ISMS strategy created strictly from the current ISO/IEC 27000 family, then the answer on your risk assessment is “needs improvement.”
Taking a look at the controls outlined in ISO/IEC 27002 A.10.2 – Third party service delivery management, we see a need to create our own additions to the Gap Analysis and Risk Assessment. Even if the third-party vendor you use for cloud services is ISO/IEC 27001/2 certified, your company must inspect and approve the data processing in order to attain the certification yourself. An auditor has to understand your processes and controls for the assurance of proper data handling and approve the ISMS methods in place in order to sign off on a successful strategy. Any SLAs in place between your company and the third-party cloud service provider must be up to date and cover all relevant security requirements, including specific language on accessing, processing, communicating or managing the organization’s information.
Remember Your Umbrella
The biggest mistake you can make is assuming that responsibility for data protection is transferred to the cloud service provider along with the data.
A few things to consider when selecting a cloud service provider
I hope this helps to provide insight and knowledge regarding ISMS strategies and risk assessments as they pertain to cloud computing services and your organization. You are responsible for the security of your data regardless of where it is stored.
The RM Studio team is here to support your efforts in creating and maintaining a quality ISMS risk management strategy. We provide an intuitive, user-friendly software solution for Assessment and Treatment as well as Business Continuity Management. Our team of professionals is dedicated to producing a high-quality, full-featured ISMS risk management solution that comes with common international standards and controls built in and is customizable to meet the needs of each individual client. Contact us today for an online demonstration.