How do we implement cyber security for cloud services?
Amethyst's Andy Heathcote explains
Before deciding how to implement cyber security in the Cloud, we need to clarify what the Cloud is, agree and identify what we are providing to it or receiving from it, and ascertain where help in determining cyber security measures can be obtained.
In the simplest terms, cloud computing means storing and accessing data and programs over the Internet instead of your computer's hard drive. The cloud is just a metaphor for the Internet. Cloud cyber security is a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
However, in deciding which cyber security measures we wish to implement, we need to determine whether we are a cloud service provider, a cloud service customer or, in some cases, both. The approach to implementing security controls is common in many cases, but in some instances there are subtle and sometimes significant differences. For instance, some controls are for cloud service customers to implement, while others are for cloud service providers to support that implementation.
Having now decided which angle we are coming from, the next question is how we go about identifying the risks and forming a risk management plan with the required security controls. Whether the IT system is a Cloud based service, or a Wide Area Network or Local Area Network managed from within the organisation’s building or infrastructure, a good place to start is with the ISO 27000 series – primarily ISO 27001 for risk assessment and management (information security management systems) and ISO 27002 for the information security (cyber security) controls. The controls cover all aspects of security (personnel, physical, information and technical). To assist with cloud services there is a specific standard, ISO 27017:2015 (Code of practice for information security controls based on ISO/IEC 27002 for cloud services).
So how do we design our risk management plan? Below is a snapshot of our recommended approach.
As with any other IT system, we need to identify the assets and their value to us (or our business partner), confirm the threats and calculate the risks to our system and information/data, in this case our cloud services (as a customer or as a provider). Then we use the control set from 27002 with the 27017 specifics to assess which controls we need and how we wish to implement them. It is a good idea to use the two standards together. Conveniently, 27017 looks at every 27002 control. For 2/3 of the controls it recommends that the 27002 approach be used; for the remaining 1/3 it provides additional guidance or ‘tweaks’ on how that control applies to cloud services (from the perspectives of both customer and provider).
However, we are not quite finished yet; there are some unique risks within the Cloud, such as the relationship between the cloud service customer and provider, and technical issues like segregation in virtual computing environments. ISO 27017 identifies 7 specific controls to be considered for addressing the unique issues, relationships and design considerations associated with cloud services, again from both perspectives.
Using ISO 27001, 27002 and 27017 is an excellent start to risk-managing and implementing cyber security for cloud services, though, like any standard or approach, it is not a panacea for all ills. It is therefore a sound idea to identify whether there are any national requirements that may apply (e.g. the Australian Government has specific policies for cloud security tenants) or other policies and approaches that could provide more relevant or specific controls, such as: ENISA 2009, Cloud Computing Security Risk Assessment; ISACA 2012, Security Considerations for Cloud Computing; and NIST SP 800-144 (2011), Guidelines on Security and Privacy in Public Cloud Computing.
So, cyber security for cloud services is not too different from what has been the way for years with 27001/27002 – we just need to be clear on where we are coming from – customer or provider.
Amethyst can help with this using our considerable knowledge of cyber security across the board, but especially with ISO 27001 and 27002 gap analysis and assisting companies to achieve certification. We also have extensive experience of working with cloud and data hosting providers, so we fully understand implementing ISO 27017 for cloud security.