Cloud security governance

An organisation’s board is responsible (and accountable to shareholders, regulators and customers) for the framework of standards, processes and activities that, together, ensure the organisation benefits securely from Cloud computing.

We are the leading provider of information, books, products and services that help boards develop, implement and maintain a Cloud governance framework.

Trust boundaries in the Cloud

Organisations are responsible for their own information. The nature of Cloud computing means that at some point the organisation will rely on a third party for some element of the security of its data. The point at which responsibility passes from your organisation to your supplier is called the ‘trust boundary’, and it occurs at a different point for IaaS, PaaS and SaaS. Organisations need to satisfy themselves of the security and resilience of their Cloud service providers; they also need to observe their Data Protection Act obligations.

Cloud Controls Matrix

The Cloud Security Alliance (CSA) has developed and maintains the Cloud Controls Matrix, a set of additional information security controls designed specifically for Cloud service providers (CSPs), and against which customers can seek to carry out a security audit. BSI and the CSA have collaborated to offer a certification scheme (designed as an extension to ISO27001) against which CSPs can achieve independent certification.

Cloud security certification

The CSA offers an open Cloud Security certification process: STAR (Security, Trust and Assurance Registry). This scheme starts with self-assessment and progresses through process maturity to an externally certified maturity scheme, supported by an open registry of information about certified organisations.

Continuity and resilience in the Cloud

Cloud service providers are as likely to suffer operational outages as any other organisation. Physical infrastructure can also be negatively affected. Buyers of Cloud services should satisfy themselves that their CSPs are adequately resilient against operational risks. ISO22301 is an appropriate business continuity standard.

Data protection in the Cloud

EU organisations that store personal data in the Cloud, or which use a CSP, are not absolved from compliance with the eighth principle of the Data Protection Directive, which forbids export of personal data from the EEA except to a country that has a recognised equivalent data protection framework. While Canada’s PIPEDA is a recognised equivalent, the USA has no such recognition. US CSPs can, however, apply for a Safe Harbor registration at the Federal Trade Commission; without such a Safe Harbor, they are not legally allowed to hold personal data on EU citizens.

G-Cloud

In a strategic effort to make Cloud services available to UK public sector organisations, the UK Government has set up the G-Cloud Programme, now called the Digital Marketplace. Cloud services can be procured through the CloudStore. In order to be listed, a Cloud service provider has to go through a formal accreditation process which builds on a fully-scoped ISO27001 certification, in addition to a specific selection and approval process. Impact Levels are no longer used to describe the security properties and accreditation of different services. Instead, in the OFFICIAL tier, the Government has adopted the Cloud Security Principles.

Under the new process, G-Cloud suppliers will need to provide statements that correspond to "predefined assertions" drafted by the Government Digital Service (GDS) that relate to their adherence to the cloud security principles. The principles address issues such as the protection of data in transit, information governance and the security offered within businesses' supply chains.

Central government departments are now subject to a 'Cloud first' policy that requires them to consider cloud-based IT solutions before other options.
