Is it safe up there? The case for ‘Cloud Provider Compliance Audits’

It’s an understatement to say that security is a common topic for businesses considering a transition to the cloud. It’s also fair to say that the cloud is the future.

Cloud providers want to convince potential customers that cloud services are safe. Some providers – Google for instance – go a step further and champion the position that the cloud is safer than the environment found in a typical IT shop because large cloud vendors have the resources available to make more substantial security investments. Knowing what some SME IT security is like, this does ring true to me.

Cloud customers, though, will still need persuading. Giving up a trusted firewall for a Port 80 world does not appeal to the senior-level IT manager who has fought to protect the confidentiality and integrity of data by understanding the external threats.

Their instinct is to audit the cloud data facilities for evidence of security compliance.

It is not practicable to inspect all cloud providers as part of due diligence

It is also unlikely that the majority of cloud providers will open their doors to clients in this way to allow an ISO27001 security audit to be carried out. Apart from anything else, they have their own security considerations to think about before opening said doors, protected as they often are by strong physical security and biometric identification such as fingerprint and even retinal scanners. Inspecting their premises is therefore not a practicable option, for some obvious logistical reasons. However, before you conclude that assessing cloud security simply comes down to trust, read a recent ICO publication. Consider Point 58 of the ICO Guidance on the use of cloud computing, 20120904, Version: 1.0:

“One way for cloud providers to deal with this problem would be for them to arrange for an independent third party to conduct a detailed security audit of its service and to provide a copy of the assessment to prospective cloud customers. The assessment should be sufficiently detailed to allow the cloud customers to be able to make an informed choice as to whether the provider’s security is appropriate and will, in turn, help the cloud customer to comply with its data protection obligations.”

Given this advice, clients from organisations of all sizes – private as well as public sector – are increasingly likely to insist on proof that their cloud providers are ISO27001 information security compliant. After all, there have been multiple instances of cloud vendors making mistakes such as reusing disk space with traces of customer data still intact. Cloud vendors can also be attractive targets for attackers, simply because they aggregate data for multiple companies. However, for many businesses – especially those operating in the small and medium sector – using the cloud is likely to have a positive impact on security.

Google is doing some things right … like achieving ISO27001 certification

Given these facts, it is very much in the interests of cloud providers to certify their security systems as ISO27001 compliant, and it’s worth noting that Google is leading the field by proving its compliance by means of ISO27001 external audits. To quote a popular web magazine: “Obtaining ISO won’t be the last effort that Google makes to wrestle market share away from traditional on-premises players such as Microsoft, but a checkmark in the security box is always a good start. At the end of last year, the company reported it had over 4 million business users and 5,000 new businesses were subscribing each day.”

Could 2013 be the year that cloud providers adopt ISO27001 as their preferred benchmark for information security? There is more evidence emerging, this time from the standards world. The ISO/IEC 27017 standard is about to make an impact, specifically addressing the need for security in cloud computing.

ISO27000 series standards are the best … for evaluating cloud security

Here’s another recent comment on the subject of assessing cloud security from Joseph Granneman, CISSP, who has over 20 years’ experience in information technology and security, in both healthcare and financial services: “The ISO27000 standards are the best prepackaged standards available today for evaluating the security programs of cloud service providers. The information security professional can look for this certification and also utilize it as a foundation to build a custom due diligence assessment.” [Source: Cloud risk assessment and ISO 27000 standards, found on SearchCloudSecurity]. In my view, there is no argument about ISO27001 being the standard that, once adopted, demonstrates security resilience. I would question, though, whether customising your own due diligence in order to assess a cloud service provider’s security is ever really an appropriate answer – especially for ISO27001 compliant organisations. Shouldn’t the onus be on the provider to achieve certification to the standard? After all, this requires third party audits by accredited certification bodies, such as BSI, LRQA, NQA, etc.

Wouldn’t seeking an ISO27001 certificate from your cloud service provider be the best – indeed the right – approach to ‘due diligence’ in all cases?

For more information on how to plan your cyber security defences based on ISO27001 and keep your business safe, download our free whitepaper.