Rhand Leal
August 23, 2016
Cloud solutions are attractive answers for those who look for cost savings and quick demand response infrastructure, and Internet searches can show you how these kinds of solutions are rapidly growing and being adopted by organizations of all sizes, especially by small and medium-sized organizations.
However, their very nature requires customers and providers to share management and operational activities to some extent, and the lack or failure to observe the responsibilities regarding these activities may bring significant damage to interested parties.
This article will present how information security activities should be viewed in cloud environments and how ISO 27001 and ISO 27017 (a code of practice for information security for cloud services) can help organizations to properly define responsibilities in cloud environments and ensure information protection.
Before an information security assessment can be made, we must first understand how cloud services may be provided to customers. The most common cloud service models available in the market, in order of increasing complexity, are:
Infrastructure as a Service (IaaS): model that offers only basic computing infrastructure (e.g., physical and virtual machines, location, network, backup, etc.).
Platform as a Service (PaaS): model that offers, beyond computing infrastructure, a development environment for application developers (e.g., operating systems, programming-language execution environment, databases, etc.).
Software as a Service (SaaS): model that offers to final users access to application software and databases (e.g., email, file sharing, social networks, ERPs, etc.).
Figure 1 – Assets control by cloud service models
Note that, as complexity increases from IaaS to SaaS, the assets under the control of the organization start to go under the control of the provider; however, in terms of information security, some activities must still remain under the control of the customer organization, as we will see in the next section.
From an information security point of view, the main concerns involving the above-mentioned cloud models, and what you should have the common sense to consider in terms of security, are:
Information classification, labeling, and handling. The data stored and processed in provided cloud environments ultimately belong to, or are under the responsibility of, the customer organization, so the final decision about how they must be classified, labeled, and handled must always be made by the customer. So, even if all assets are under the control of the provider, like in the SaaS model, is a good thing that its responsibility regarding information security covers only the implementation of the controls related to the classification given by the customer organization.
Identity management. In PaaS and SaaS models, depending upon the information system considered (e.g., an ERP), users’ groups may be divided into users required to maintain the running of the system (operational activities), often under the provider’s control; and users required to manage access to systems’ functionalities (e.g., ERP’s financial and HR functions) and final users, these last two often under the customer organization’s control. So, in a similar system, it is a good thing to maintain strict control over which users can belong to which groups.
Monitoring. Regardless of the cloud model adopted, monitored data can be related to assets’ performance (e.g., bandwidth, throughput, etc.) or data processing (e.g., registries accessed, users’ activities, user login time, etc.), and in the latter case, sensitive information may be compromised through monitored data, so it is a good thing to define which data the provider can monitor and which data must be made available only to the customer organization.
Privacy. This is perhaps the most critical information security aspect related to cloud services adoption, since the service provider, by controlling the basic infrastructure, can access all data that are in the cloud at any time. Besides that, the locations from where the cloud provider operates may have laws and regulations that can pose risk to information confidentiality.
The “commons sense” we saw in the previous section is already considered in a formal way in ISO security standards. While ISO 27001 provides controls to ensure proper responsibilities definition regarding information security (e.g., A.6.1.1 – Information security roles and responsibilities and A.6.1.2 – Segregation of duties), ISO 27017 offers an integrated view, considering how customers and providers should approach the same control. See this article: ISO 27001 vs. ISO 27017 – Information security controls for cloud services.
So, considering this integrated view, the standard’s general recommendations about shared responsibilities in cloud environments can be described as:
Security policies: Customer organizations should state the cloud service’s relevance to its business activities and information security processes, and providers should state that cloud service customers’ requirements should be considered in the management of its own information security processes.
Contractual clauses: Customer organizations should include clauses in cloud SLAs regarding information security aspects to be fulfilled by the provider. These clauses should cover the organization’s requirements as well as those of its own clients, including privacy concerns. Providers should include clauses in their contracts with customers clearly specifying the capabilities they can offer regarding cloud services provided, and privacy-related information (e.g., where the provider operates and with which laws and regulations they must comply).
Access control and monitoring: Providers should make available functionalities to allow customers to manage, control, and monitor functionalities by themselves, without depending on the provider’s intervention (e.g., defining information classification, managing users, and monitoring resources performance).
Cloud services benefits have enabled many organizations, especially those with limited resources, to expand their activities and improve their chances of success, and it would be terrible to see all efforts compromised because of something so simple as failure to resolve responsibilities definition.
ISO 27001 and ISO 27017 controls and recommendations can be used to establish clear responsibilities for both providers and customers, minimizing the risks that undefined responsibilities may lead to information compromising and failure to achieve business objectives.
Check out Conformio compliance and cybersecurity platform to help you manage a complete information security system.