Cloud security definition: what is Cloud security?
Cloud security is a subset of cyber security concerned with securing data, applications and infrastructure in the Cloud. The Cloud itself is a virtualisation of networks, servers, applications and data storage that is accessible via the Internet.
Cloud services include IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). These provide on-demand access for users wherever they are, without their direct management.
Why is Cloud security important?
With hybrid working now the norm, many organisations are increasingly reliant on the Cloud to ensure their staff can access the data and services they need wherever they are.
However, there are security risks associated with Cloud services.
These are especially concerning as the nature of Cloud computing means organisations will inevitably rely on third parties for some element of their information security.
If you use Cloud services, you need to satisfy yourself of the security and resilience of your Cloud service providers at the trust boundary – the point at which the responsibility passes from your organisation to your supplier.
This is particularly important when it comes to observing your legal and regulatory compliance obligations.
For instance, the DPA (Data Protection Act) 2018 and GDPR (General Data Protection Regulation) apply to the processing of personal data regardless of where that processing takes place.
If you are a data controller, the Cloud service providers you use need to be able to demonstrate that their technical and organisational security measures comply with the data protection law(s) to which you are subject.
Learn more about DPA 2018 and GDPR compliance
Learn more about data sovereignty and the Cloud
Top Cloud security challenges
According to the (ISC)2 2021 Cloud Security Report, 96% of organisations are moderately to extremely concerned about Cloud security. Their biggest concerns are:
- Data loss/leakage (64% of respondents)
- Data privacy/confidentiality (62%)
- Accidental exposure of credentials (46%)
For Cloud service providers, addressing these concerns by following Cloud security best practices is of paramount importance.
Cloud security best practices
There are many established approaches to Cloud security, including:
The EU Data Protection Code of Conduct for Cloud Service Providers or EU Cloud CoC (Code of Conduct)
The EU approved the Cloud CoC in 2021 to help Cloud providers demonstrate that they meet their obligations under Article 40 of the GDPR.
Covering SaaS, PaaS and IaaS, the Code sets out requirements for business-to-business Cloud service providers that act as processors.
It is supported by a Controls Catalogue that maps these requirements to the GDPR, ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 2, C5:2016 (Cloud Computing Compliance Controls Catalog), NIST SP 800-53 and the NIST Cybersecurity Framework.
Declarations of adherence to the Code are overseen by an independent monitoring body, SCOPE Europe.
The EDPB (European Data Protection Board) published its positive opinion of the Belgian Data Protection Authority’s approval of the Code in May 2021.
The 14 CSPs (Cloud Security Principles)
The 14 CSPs are defined by the NCSC (National Cyber Security Centre) and provide a comprehensive set of security controls for operation within the Cloud:
- Data in transit protection
- Asset protection and resilience
- Separation between users
- Governance framework
- Operational security
- Personnel security
- Secure development
- Supply chain security
- Secure user management
- Identity and authentication
- External interface protection
- Secure service administration
- Audit information for users
- Secure use of the service
CSA CCM (Cloud Security Alliance Cloud Controls Matrix)
The CSA developed and maintains the CCM, a set of additional information security controls designed specifically for Cloud service providers, and against which customers can carry out a security audit.
BSI and the CSA have collaborated to offer a certification scheme (designed as an extension to ISO 27001) against which Cloud service providers can achieve independent certification.
The CSA CCM provides a framework that gives a detailed understanding of security concepts and principles that are aligned with the CSA guidance in 16 domains:
- Application & Interface Security
- Audit Assurance & Compliance
- Business Continuity Management & Operational Resilience
- Change Control & Configuration Management
- Data Security & Information Lifecycle Management
- Datacenter Security
- Encryption & Key Management
- Governance and Risk Management
- Human Resources
- Identity & Access Management
- Infrastructure & Virtualization Security
- Interoperability & Portability
- Mobile Security
- Security Incident Management, E-Discovery & Cloud Forensics
- Supply Chain Management, Transparency and Accountability
- Threat and Vulnerability Management
CSA STAR (Security, Trust and Assurance Registry)
The CSA STAR provides a comprehensive framework for Cloud governance and security controls. It complements other standards, such as ISO 27001, by providing a risk-based assessment of Cloud security risks and remediation strategies.
STAR consists of three levels of assurance, which cover four unique offerings based on the Cloud-centric control objectives in the CSA CCM.
Cloud service providers can achieve certification to STAR.
The STAR programme includes a registry that documents the security controls provided by popular Cloud computing offerings.
There are two levels:
Level 1 – self-assessment
- Free and open to all Cloud service providers, this levels allows them to submit self-assessment reports that document their compliance with CSA-published best practices, either:
- i. Consensus Assessments Initiative Questionnaire (CAIQ); or
- ii. The CSA CCM.
Level 2 – third-party assessment
- CSA STAR attestation
- STAR attestation is an independent third-party assessment of the security of a Cloud service provider, based on Type I or Type II SOC attestations supplemented by the criteria in the CCM.
- CSA STAR certification
- STAR certification is an independent third-party assessment of the security of a Cloud service provider. The technology-neutral certification is based on the requirements of the ISO 27001 standard and the CSA CCM.
- CSA C-STAR assessment
- C-STAR assessment is an independent third-party assessment of the security of a Cloud service provider for the Greater China market, which harmonises CSA best practices with Chinese national standards.
ISO 27017 and ISO 27018
The international standard ISO 27017 was designed to provide guidance on applying 37 of ISO 27001’s Annex A information security controls to Cloud environments. It also provides seven additional controls that relate specifically to Cloud services.
ISO 27018 provides guidance for Cloud service providers on selecting and implementing security controls from Annex A of ISO 27001.
Both standards’ controls can be adopted as part of an ISO 27001-compliant ISMS (information security management system).
Learn more about ISO 27017 and ISO 27018
Other Cloud security products and services
You might also be interested in: