When legendary Canadian singer-songwriter Joni Mitchell released her hugely successful album “Clouds” in May 1969 little could she have guessed that nearly 50 years later the subject of clouds would be part of the global conversation around the protection of personal information (PI).
Her words “I’ve looked at clouds from both sides now” with the conclusion “I really don’t know clouds at all” might well apply to information officers (IOs) here in South Africa and data protection officers (DPOs) across the globe and who are trying to understand how to go about selecting their cloud service providers from a security perspecitve.
In fact, Mitchell was prophetic in looking at multiple clouds, not just one, because that’s a reality for today’s IOs/DPOs who need to satisfy the demands of multiple stakeholders who are unlikely to be satisfied with a single cloud services supplier. Of course Mitchell has not been alone in looking at clouds closely. The European Network and Information Security Agency in 2015 launched its Cloud Certification Schemes Metaframework. “CCSM is a metaframework, which maps detailed security requirements used in the public sector to describe security objectives in existing cloud certification schemes. The goal of CCSM is to provide more transparency about certification schemes and to help customers with procurement of cloud computing services. This first version of CCSM is restricted to network and information security [NIS] requirements. It is based on 29 documents with NIS requirements from 11 countries (United Kingdom, Italy, Netherlands, Spain, Sweden, Germany, Finland, Austria, Slovakia, Greece, Denmark). It covers 27 security objectives, and maps these to 5 cloud certification schemes.” (source https://www.enisa.europa.eu/news/enisa-news/enisa-cloud-certification-schemes-metaframework). The rest of this article will take a look at just some of those 27 security objectives as an aid to helping you select your cloud services providers.
Cloud security objectives when selecting a cloud services provider
This list is the full 27 (title and brief description) in the ENISA CCSM and should give you a flavor of the potential complexity involved in evaluating your suppliers from a security perspective. Of course a full evaluation will cover a number of other areas, such as functionality, value for money and relevant experience. This list has not been prioritized to reflect the issues which you evaluate as more or less important in the specific circumstances, such as the risk appetite, applicable to you organisation.
The text that follows is all sourced from the CCSM document.
- Information security policy. Cloud provider establishes and maintains an information security policy.
- Risk management. Cloud provider establishes and maintains an appropriate governance and risk management framework, to identify and address risks for the security of the cloud services.
- Security roles. Cloud provider assigns appropriate security roles and security responsibilities.
- Security in Supplier relationships. Cloud provider establishes and maintains a policy with security requirements for contracts with suppliers to ensure that dependencies on suppliers do not negatively affect security of the cloud services.
- Background checks. Cloud provider performs appropriate background checks on personnel (employees, contractors and third party users) if required for their duties and responsibilities.
- Security knowledge and training. Cloud provider verifies and ensures that personnel have sufficient security knowledge and that they are provided with regular security training.
- Personnel changes. Cloud provider establishes and maintains an appropriate process for managing changes in personnel or changes in their roles and responsibilities.
- Physical and environmental security. Cloud provider establishes and maintains policies and measures for physical and environmental security of cloud data centres.
- Security of supporting utilities. Cloud provider establishes and maintains appropriate security of supporting utilities (electricity, fuel, etc.).
- Access control to network and information systems. Cloud provider establishes and maintains appropriate policies and measures for access to cloud resources.
- Integrity of network and information systems. Cloud provider establishes and maintains the integrity of its own network, platforms and services and protect from viruses, code injections and other malware that can alter the functionality of the systems.
- Operating procedures. Cloud provider establishes and maintains procedures for the operation of key network and information systems by personnel.
- Change management. Cloud provider establishes and maintains change management procedures for key network and information systems.
- Asset management Cloud provider establishes and maintains asset management procedures and configuration controls for key network and information systems.
- Security incident detection and response. Cloud provider establishes and maintains procedures for detecting and responding to incidents appropriately.
- Security incident reporting. Cloud providers establishes and maintain appropriate procedures for reporting and communicating about security incidents.
- Business continuity. Cloud provider establishes and maintains contingency plans and a continuity strategy for ensuring continuity of cloud services.
- Disaster recovery capabilities. Cloud provider establishes and maintains an appropriate disaster recovery capability for restoring cloud services provided in case of natural and/or major disasters.
- Monitoring and logging policies. Cloud provider establishes and maintains systems for monitoring and logging of cloud services.
- System tests. Cloud provider establishes and maintains appropriate procedures for testing key network and information systems underpinning the cloud services.
- Security assessments. Cloud provider establishes and maintains appropriate procedures for performing security assessments of critical assets.
- Checking compliance. Cloud provider establishes and maintains a policy for checking compliance to policies and legal requirements.
- Cloud data security. Cloud provider establishes and maintains appropriate mechanisms for the protection of the customer data in the cloud service.
- Cloud interface security. Cloud provider establishes and maintains an appropriate policy for keeping he cloud services interfaces secure.
- Cloud software security. Cloud provider establishes and maintains a policy for keeping software secure.
- Cloud interoperability and portability. Cloud provider uses standards which allow customers to interface with other cloud services and/or if needed migrate to other providers offering similar services.
- Cloud monitoring and log access. Cloud provider provides customers with access to relevant transaction and performance logs so customers can investigate issues or incidents when needed.
Summary and next steps
It is recommended that you evaluate how to deploy this list of security objectives to best meet the needs of your own organisation. If you have not already, open the conversation about cloud security with your suppliers or potential suppliers. Challenge them to satisfy you in terms of their ability to meet these objectives, in particular whether they can offer one or more of the 11 certifications to which the CCSM is mapped. If they are not willing to do that it may be time to start looking for another supplier. While you are doing all that you may even enjoy listening to Joni Mitchell.