1 Executive Summary
This report is one of a series of documents on the use of cloud services. It identifies how standards, as well as independent certifications and attestations, can be used to assure the security and compliance of cloud services.
Many organizations are now using cloud services, although some do not realize how many. Some of these services are being used to enable business transformation and to allow organizations to get closer to their customers and provide enhanced services. Some are being used to reduce the costs of commodity IT functions such as email and CRM systems, as well as to facilitate rapid development of business systems. Others are being used by employees simply to get the job done.
Using cloud services places control of the service and its infrastructure in the hands of the Cloud Service Provider (CSP), and this changes the risk and compliance landscape. However, since the customer still controls some aspects, the overall responsibility is shared between the customer and the CSP. The best approach to managing risk and compliance is one of good governance for all IT services, however they are delivered.
Since the responsibility for security and compliance is shared between the cloud customer and the CSP, some of these controls will apply within the organization using the cloud and others will relate to the way the cloud service is provided.
The customer organization must ensure that the controls for which it is responsible are implemented. However, since the delivery of the cloud service is outside the direct control of the customer, it can only obtain assurance that the service is delivered and that controls are implemented as agreed.
Cloud Access Security Brokers (CASB) are an important tool to ensure that policies for cloud usage are followed and cloud services are appropriately used. They also help to detect the use of unsanctioned cloud services and control the presence of sensitive data in the cloud.
Not all risks are equal – the cloud customer needs to prioritize which risks are important and require an appropriate level of assurance based on this. KuppingerCole Advisory Report – Cloud Services and Security 72561 summarizes the inherent risks of cloud services and their potential impact without assurance.
The procurement process is important because it matches potential vendors against business needs, and this must take account of the assurances provided for the service. Once a service has been procured, these assurances must also provide an ongoing measure of conformance.
Cloud customers should adopt the best practices relevant to their business from one of the major frameworks and require that the CSP do the same. This report provides advice on how standards, as well as independent auditing and certification, can be used to provide assurance that a cloud service meets the customer's risk and compliance requirements.