Before migrating your data and applications to the cloud, it is critical, and can be a strategic advantage, to ask for greater levels of security than those previously achieved in the traditional IT environment.

Customers must understand the risks associated with a worst-case scenario and how much of that risk is tolerable given their business model.

Cloud service customers have to ensure that their applications and data hosted on the cloud are secured in accordance with their security and compliance policies, and that those policies are reflected in the master service agreement between the customer and the provider, along with associated documents such as the service level agreement (SLA). The terms and conditions for responding to security contingencies and for affixing responsibility must be well understood and accepted. The category of cloud service offered by the provider (IaaS, PaaS or SaaS) has a significant impact on the delineation of security responsibilities between the customer and the provider. Service providers must inform customers of a security breach as soon as possible, and this must be enforced in the agreement. Before migrating to a cloud, it is important to understand the laws or regulations that apply and the culpability imposed on both the customer and the provider (e.g. data retention, data protection, interchangeability, disclosure to authorities, etc.).

It is considered a best practice for a cloud provider to demonstrate that it is compliant with a security certification. This gives potential customers more confidence in the security competence of the provider and in its ability to respond appropriately in a contingency. The choice and relevance of the certification also depend on the category of the cloud service (IaaS, PaaS, SaaS).

The most widely recognized international standard for information security compliance is ISO/IEC 27001. ISO has newer standards as well: ISO/IEC 27017, "Code of practice for information security controls based on ISO/IEC 27002 for cloud services", which was launched in Nov 2016 and has been hailed by experts, and ISO/IEC 27018, "Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors", which was launched earlier, in 2015, after being completed in 2014. Both of these newer standards address cloud service security and privacy considerations and complement ISO/IEC 27001.

Other bodies provide frameworks and certifications for evaluating IT security that can also be applied to cloud service providers, including the American Institute of Certified Public Accountants (AICPA) and the Information Systems Audit and Control Association (ISACA), which respectively provide the SSAE 16 and COBIT 5 frameworks. Some provide frameworks for specialized services, such as the Payment Card Industry (PCI) Data Security Standard (DSS).

Some groups, such as the Cloud Security Alliance (CSA), provide self-assessment methodologies. These include the Cloud Controls Matrix (CCM), a provider self-assessment program; the Consensus Assessments Initiative (CAI), a certification of cloud security knowledge for personnel; the Certificate of Cloud Security Knowledge (CCSK), a web-based examination of individual competency in key cloud security issues; and the Security, Trust & Assurance Registry (STAR), a registry for publishing self-assessment reports that document compliance with CSA-published best practices.

By evaluating the service provider's conformance to industry standards and incorporating the right clauses in the agreements, the customer or user of the cloud environment can be protected against virtually any kind of security threat possible. Before choosing a cloud-based solution, it is worth doing due diligence in this regard: gather as much information as possible and make an informed choice of the appropriate cloud solution for your business by considering the security aspects of the environment, the platform and the solution.

Since the standards and technologies related to the cloud are still evolving, this space will see many improvements in the time to come. Cloud is already the preferred choice for solutions due to its affordability, easy anytime/anywhere access, lower financial entry barriers and minimal set-up times.

We at VersAccounts have created a secure, cloud-based, one-stop comprehensive ERP solution. It addresses key security concerns in the most effective manner possible. It is affordable, targeted towards SMBs and backed by a promise of dedicated support. It is being used by clients in diverse verticals and could help you redefine the way you operate and grow your business.

We’d love to hear from you.

To know more, please visit www.versaccounts.com or contact us directly.

