I have recently been researching the information security challenges faced by organisations which have decided to adopt cloud-based technology to run their IT systems. Cloud, despite the hype, is not new technology: managed shared applications and infrastructure have been with us for many years. What has really changed is the speed and reliability of these services, coupled with a dramatic reduction in their cost. Low costs have particularly attracted small to medium-sized companies, who sadly often neglect the management of their information security.
As usual, the CEO says to the IT Manager: ‘Make it faster, better AND cheaper. Oh, and don’t forget the security…’
The bad news is that the infosec risks associated with cloud computing are greater than those of the traditional ‘nuclear’ model. However, given that email and the Web (and possibly virtualisation) are already a key part of the IT in your company, you are already engaged with the cloud.
The key to managing the risks associated with the cloud is to have a complete understanding of the technical and commercial service offerings from your third-party suppliers. Yes, it is crucial to understand ‘every nut and bolt’ of the service offered by your outsource partner. This means that an effective Information Management System is rapidly becoming a compulsory requirement!
The good news is that the risk management process defined by the ISO27005:2011 standard, and underpinned by ISO27001 certification, provides an excellent framework for cloud risk analysis and treatment. With its emphasis on risk management, continual improvement and regular audits of your organisation and third-party suppliers, certification to ISO27001 is rapidly becoming the ‘de facto’ standard for ensuring that the infosec management of cloud services really works.