An organisation’s board is responsible (and accountable to shareholders, regulators and customers) for the framework of standards, processes and activities that, together, make sure the organisation benefits securely from Cloud computing.
We are the leading provider of information, books, products and services that help boards develop, implement and maintain a Cloud governance framework.
Trust boundaries in the Cloud
Organisations are responsible for their own information. The nature of Cloud computing means that at some point the organisation will rely on a third party for some element of the security of its data. The point at which responsibility passes from your organisation to your supplier is called the ‘trust boundary’, and it sits at a different point for Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS): under IaaS the customer still secures the operating system, applications and data it runs on the provider’s infrastructure, whereas under SaaS most of that stack is the provider’s responsibility and the customer’s duties narrow to its data, users and access. Organisations need to satisfy themselves of the security and resilience of their Cloud service providers. They also need to observe their Data Protection Act 1998 (DPA) – and, from May 2018, General Data Protection Regulation (GDPR) – obligations.
Cloud Controls Matrix
The Cloud Security Alliance (CSA) developed and maintains the Cloud Controls Matrix, a set of additional information security controls designed specifically for Cloud service providers (CSPs), against which customers can carry out a security audit. BSI and the CSA have collaborated to offer a certification scheme (designed as an extension to ISO 27001) against which CSPs can achieve independent certification.
Cloud security certification
The CSA offers an open Cloud security certification process: STAR (Security, Trust and Assurance Registry). This scheme starts with self-assessment and progresses through process maturity to an externally certified maturity scheme, supported by an open registry of information about certified organisations.
Continuity and resilience in the Cloud
Cloud service providers are as likely to suffer operational outages as any other organisation. Physical infrastructure can also be negatively affected. Buyers of Cloud services should satisfy themselves that their CSPs are adequately resilient against operational risks. ISO 22301 is an appropriate business continuity standard.
Data protection in the Cloud
UK organisations that store personal data in the Cloud or that use a CSP must currently comply with the DPA.
However, since the GDPR came into effect on 25 May 2018, data processors and data controllers are now accountable for the security of the personal data they process.
CSPs and organisations that use them will need to implement appropriate technical and organisational measures to make sure that processing meets the GDPR’s requirements and protects the rights of data subjects.
The UK government’s G-Cloud framework makes it faster and cheaper for the public sector to buy Cloud services. Suppliers are approved by the Crown Commercial Service (CCS) via the G-Cloud application process, which eliminates the need for them to go through a full tender process for each buyer.
Suppliers can sell Cloud services via an online catalogue called the Digital Marketplace under three categories, or ‘lots’:
- Cloud hosting – Cloud platform or infrastructure services.
- Cloud software – applications that are accessed over the Internet and hosted in the Cloud.
- Cloud support – services to help buyers set up and maintain their Cloud services.
IT Governance G-Cloud consultancy services
IT Governance has been approved to provide six cyber security services via the Digital Marketplace for Cloud support:
Becoming a G-Cloud supplier
G-Cloud suppliers are required to complete a number of defined security statements asserting how their services meet the Cloud Security Principles, and must provide evidence and documentation to support those assertions to customers who wish to validate them.
IT Governance can provide expertise in the form of information assurance audits, ISO 27001 certification and National Cyber Security Centre (NCSC) Certified Professionals (CCPs) to undertake the necessary assurance activities.