On November 30th, 2015 the final version of the standard ISO/IEC 27017 was published. This standard provides guidelines for information security controls applicable to the provision and use of cloud services. This standard has been some time in gestation and was first released as a draft in spring 2015. Has the wait been worth it? In my opinion yes.
The gold standard for information security management is ISO/IEC 27001 together with the guidance given in ISO/IEC 27002. These standards remain the foundation but the guidelines are largely written on the assumption that an organization’s processes its own information. The increasing adoption of managed IT and cloud services, where responsibility for security is shared, is challenging this assumption. This is not to say that these standards and guidelines are not applicable to the cloud, rather it is that they need interpretation in a situation where the information is being processed externally. ISO/IEC 27017 and ISO/IEC 27018 standards provide guidance to deal with this.
ISO/IEC 27018, which was published in 2014, establishes controls and guidelines for measures to protect Personally Identifiable Information for the public cloud computing environment. The guidelines are based on those specified in ISO/IEC 27002 with controls objectives extended to include the requirements needed to satisfy privacy principles in ISO/IEC 29100. These are easily mapped onto the existing EU privacy principles. This standard is extremely useful to help an organization assure compliance when using a public cloud service to process personally identifiable information. Under these circumstances the cloud customer is the Data Controller and, under current EU laws, remains responsible for processing breaches of the Data Processor. To provide this level of assurance some cloud service providers have obtained independent certification of their compliance with this standard.
The new ISO/IEC 27017 provides guidance that is much more widely applicable to the use of cloud services. Specific guidance is provided for 37 of the existing ISO/IEC 27002 controls; separate but complementary guidance is given for the cloud service customer and the cloud service provider. This emphasizes the shared responsibility for security of cloud services. This includes the need for the cloud customer to have policies for the use of cloud services and for the cloud service provider to provide information to the customer.
For example, as regards restricting access (ISO 27001 control A.9.4.1) the guidance is:
- The cloud service customer should ensure that access to information in the cloud service can be restricted in accordance with its access control policy and that such restrictions are realized.
- The cloud service provider should provide access controls that allow the cloud service customer to restrict access to its cloud services, its cloud service functions and the cloud service customer data maintained in the service.
In addition, the standard includes 7 additional controls that are relevant to cloud services. These new controls are numbered to fit with the relevant existing ISO/IEC 27002 controls; these extended controls cover:
- Shared roles and responsibilities within a cloud computing environment
- Removal and return of cloud service customer assets
- Segregation in virtual computing environments
- Virtual machine hardening
- Administrator's operational security
- Monitoring of Cloud Services
- Alignment of security management for virtual and physical networks
In summary ISO/IEC 27017 provides very useful guidance providers and KuppingerCole recommends that this guidance should be followed by cloud customers and cloud service providers. While it is helpful for cloud service providers to have independent certification that they comply with this standard, this does not remove the responsibility from the customer for ensuring that they also follow the guidance.
KuppingerCole has conducted extensive research into cloud service security and compliance, cloud service providers as well as engaging with cloud service customers. This research has led to a deep understanding of the real risks around the use of cloud service and how to approach these risks to safely gain the potential benefits. We have created services, workshops and tools designed to help organizations to manage their adoption of cloud services in a secure and compliant manner while preserving the advantages that these kinds of IT service bring.