Cloud computing

Cloud adoption continues to increase as users realise the benefits it can bring including greater agility, continuity and scalability. However to drive business success using the cloud, clarity over individual roles and responsibilities is essential. This was widely recognized by industry leaders who participated in the development of ISO/IEC 27017, which requires organizations to consider roles and responsibilities for both cloud service providers and users (cloud customers) who are procuring services.

ISO/IEC 27017 is the international standard on Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services. It provides guidelines for information security controls that are applicable to providing and using cloud services by outlining: additional implementation guidance for relevant controls specified in ISO/IEC 27002 additional controls with implementation guidance that specifically relate to cloud services

ISO/IEC 27017 not only provides you as a cloud service customer with practical information on what you should expect from Cloud Service Providers (CSPs), it also outlines your roles and responsibilities as users of cloud services. It helps you understand the shared responsibilities of the cloud and be confident that you are effectively utilizing cloud services and protecting your organization.

The cloud stack brings together the different types of cloud services and provides visibility on how your responsibilities as a cloud customer will change based on what you adopt. One thing that is consistent is the responsibility to protect your information and assets and ensure you can recover in a timely manner from disruptions.

Within each layer of the cloud stack there are specific roles and responsibilities that must be accounted for and ISO/IEC 27017 makes it very clear that this is the responsibility of both service provider and user. Whilst the cloud may reduce time, resources and cost, it by no means reduces your responsibility to protect the confidentiality, integrity and availability of your information

Outages, interruptions, breaches and disaster are still a fact of life, even for the cloud. Question is how are you prepared to handle it? From legal and regulatory requirements to intellectual property rights and protection of records, these all have specific customer requirements within ISO/IEC 27017.

From a legal perspective, it is critical that you can show due diligence and that you have applied a standard of care. This is especially important when called upon to provide digital evidence or other information from within the cloud computing environment. Working to and complying with ISO/IEC 27017 as a best practice framework will help you feel prepared should you encounter any forensic investigations or challenges around the privacy of information.

Offering or adopting the cloud can still cause misunderstandings and apprehension. Any organization entrusting sensitive customer data to a third party has come to know there are grey areas where rights and responsibilities have not been clearly defined. There’s a lot that’s been taken on trust and that’s not necessarily the best long-term approach for success – especially when ISO/IEC 27017 now makes responsibilities crystal clear.

ISO/IEC 27017 builds on the solid foundation outlined in both ISO/IEC 27001 the information security management system framework, as well as ISO/IEC 27002 as a best practice control set. Certification to ISO/IEC 27017 demonstrates compliance to internationally recognized best practice, building your organizational resilience in the cloud and wider operations. CIOs and IT managers will be encouraged by the changes to their relationships with CSPs where they both support and adopt the standard. It introduces a real common ground for assurance to cloud computing security. And as a user of cloud services, your customers and interested parties will also have an increased level of trust in you, knowing that you’ve done your homework and addressed your responsibilities as their supplier.

You can get a clearer overview into the ISO/IEC 27017 key requirements, as well as how to implement them, with some training. It will give you the knowledge to make considered decisions about adopting cloud services and ensure you select the best business to partner, who shares a common understanding on the importance of cloud services and taking shared accountability. Remember, you have real responsibilities in the cloud and by adopting the processes under ISO/IEC 27017 you can better protect your organization from potentially harmful accusations or law suits. So make sure you build your organizational resilience and protect your most importance assets by taking your cloud responsibilities seriously.