Cloud Security Governance
An organisation’s board is responsible (and accountable to shareholders, regulators and customers) for the framework of standards, processes and activities that, together, ensure the organisation benefits securely from Cloud Computing.
We are the leading provider of information, books, products and services that help boards develop, implement and maintain a Cloud governance framework.
Trust boundaries in the Cloud
Organisations are responsible for their own information. The nature of Cloud Computing means that at some point the organisation will rely on a third party for some element of the security of its data. The point at which the responsibility passes from your organisation to your supplier is called the ‘trust boundary’ and it occurs at a different point for IaaS, PaaS and SaaS . Organisations need to satisfy themselves of the security and resilience of their Cloud service providers; they also need to observe their Data Protection Act obligations.
Cloud Controls Matrix
The Cloud Security Alliance has developed and maintains the Cloud Controls Matrix, a set of additional information security controls designed specifically for Cloud services providers (CSP), and against which customers could seek to carry out a security audit. BSI and the CSA have collaborated to offer a certification scheme (designed as an extension to ISO 27001) against which CSPs can achieve independent certification.
Cloud security certification
The CSA offers an open Cloud Security certification process: STAR (Security, Trust and Assurance Registry). This scheme starts with self-assessment and progresses through process maturity to an externally certified maturity scheme, supported by an open registry of information about certified organisations.
Continuity and resilience in the Cloud
Cloud service providers are as likely to suffer operational outages as any other organisation. Physical infrastructure can also be negatively affected. Buyers of Cloud services should satisfy themselves that their CSPs are adequately resilient against operational risks. ISO 22301 is an appropriate business continuity standard.
Data protection in the Cloud
EU organisations that store personal data in the Cloud, or which use a CSP, are not absolved from compliance with the eighth principle of the Data Protection Directive, which forbids export of personal data from the EEA except to a country that has a recognised equivalent data protection framework. While Canada’s PIPEDA is a recognised equivalent, the USA has no such recognition. US CSPs can, however, apply for a Safe Harbor registration at the Federal Trade Commission; without such a Safe Harbor, they are not legally allowed to hold personal data on EU citizens.
Cloud Security Products