1. Bijender MISHRA (B.Tech, MBA,PMP ITIL SAP CISM ) bijendermishra@gmail.com
Cloud security governance
An organisation's board is responsible (and accountable to shareholders,
regulators and customers) for the framework of standards, processes and
activities that, together, ensure the organisation benefits securely from Cloud
Computing.
Every organisation that uses the Cloud must therefore develop, implement and
maintain a Cloud governance framework.
Trust boundaries in the Cloud
Organisations remain responsible for their own information. The nature of Cloud
Computing means that at some point the organisation will rely on a third
party for some element of the security of its data. The point at which
responsibility passes from your organisation to your supplier is called the
'trust boundary', and it sits at a different point for IaaS, PaaS and SaaS:
the more of the stack the provider operates, the more of the security controls
the customer must take on trust rather than implement itself.
Organisations need to satisfy themselves of the security and resilience of
their Cloud service providers; they also need to observe their Data Protection
Act obligations, which do not transfer to the provider.
Cloud Controls Matrix
The Cloud Security Alliance (CSA) has developed and maintains the Cloud
Controls Matrix (CCM), a set of additional information security controls
designed specifically for Cloud service providers (CSPs), and against which
customers can seek to carry out a security audit. BSI and the CSA have
collaborated to offer a certification scheme (designed as an extension to
ISO27001) against which CSPs can achieve independent certification.
Cloud security certification
The CSA also offers an open Cloud security certification
process: STAR (Security, Trust and Assurance Registry). This scheme starts
with self-assessment and progresses through process maturity to an
externally certified maturity scheme, supported by an open registry of
information about certified organisations.
Continuity and resilience in the Cloud
Cloud service providers are as likely to suffer operational outages as any
other organisation, and their physical infrastructure is exposed to the same
hazards. Buyers of Cloud services should satisfy themselves that their CSPs
are adequately resilient against operational risks. ISO22301 is an appropriate
business continuity standard against which to assess them.
Data protection in the Cloud
Organisations that store personal data in the Cloud, or which use a CSP, are
not absolved from compliance with the eighth data protection principle of the
Data Protection Act (which gives effect to the EU Data Protection Directive).
It forbids the transfer of personal data outside the EEA except to a country
that has a recognised equivalent data protection framework. While Canada's
PIPEDA is a recognised equivalent, the USA has no such recognition yet.
G-Cloud
In a strategic effort to make Cloud services available to public sector
organisations, the UK Government set up the G-Cloud Programme, now
called the Digital Marketplace. Cloud services can be procured through the
CloudStore. In order to be listed, a Cloud service provider has to go through
a formal accreditation process which builds on a fully-scoped ISO27001
certification, in addition to a specific selection and approval process. Impact
Levels are no longer used to describe the security properties and
accreditation of different services. Instead, for the OFFICIAL tier, the UK
Government has adopted the cloud security principles.
Under the new process, G-Cloud suppliers will need to provide statements
that correspond to "predefined assertions" drafted by the Government Digital
Service (GDS) that relate to their adherence to the cloud security principles.
The principles address issues such as the protection of data in transit,
information governance and the security offered within businesses' supply
chains.
UK central government departments are also subject to a Cloud First policy
that requires them to consider cloud-based IT solutions before other options.