1 Executive Summary
This report is one of a series of documents around the use of cloud services. It identifies the information security risks associated with their use and defines a set of controls that organizations using cloud services should implement to manage these risks.
Many organizations are now using cloud services, although some do not realize how many. Some of these services are being used to enable business transformation and to allow organizations to get closer to their customers and provide enhanced services. Some are being used to reduce the costs of commodity IT functions such as email and CRM systems, as well as to facilitate rapid development of business systems. Others are being used by employees simply to get the job done.
Cloud computing is not a strategic business or IT question. Cloud services simply offer an alternative way to obtain what the business requires. Cloud services provide some benefits and involve some risks. The challenge is to balance the risks and rewards for each specific business need.
Using cloud services places control of the service and infrastructure in the hands of the Cloud Service Provider (CSP), and this changes the risk and compliance landscape. However, since the customer still controls some aspects, the overall responsibility is shared between the customer and the CSP. The best approach to managing risk and compliance is one of good governance for all IT services, regardless of how they are delivered.
The level of the risks and the details of how responsibility is shared depend upon the kind of cloud service and the way in which it is deployed. However, most large CSPs implement a high level of control over the security of the infrastructure and the service that they provide. This makes it more likely that security breaches will result from the customer misunderstanding the shared responsibilities or from poor controls on the customer's part. Therefore, the report picks out the controls that the customer and the CSP should each implement to manage each risk.
Compliance when using cloud services can be trickier. In many cases the customer remains responsible for compliance irrespective of failures by the CSP. Cloud contracts are mainly written by CSPs and typically provide very limited liability. It is vital that organizations using the cloud to process regulated data look for independent verification that the service is compliant and, where necessary, implement supplementary controls. More information on this subject is provided in KuppingerCole Advisory Note 72562, How to Assure Cloud Services.
Organizations need to take a risk-based approach to the security challenges from the use of cloud services. This should be part of a consistent governance process that covers all IT services no matter how they are delivered.