New to cloud compliance and data security? You may know already that protocols for cloud infrastructure are a must. But what's involved? Read our full guide here.
Christina Harker, PhD
Having protocols around digital data and information security is a must. If you want your organisation to be secure in this digital age, you need a tight operation. Technology continues to adapt and change. Therefore, keeping a close eye on information security should be a top priority. This article is here to help newcomers navigate cloud compliance and ISO 27001 as they relate to data security: what they are, why they're important and their benefits. Divio can help you with this, as we are ISO 27001, 27017 and 27018 certified. Here's what we'll be covering:
What is compliance?
What is cloud compliance?
What is ISO 27001?
What are the benefits of ISO 27001?
What happens if there aren’t compliance protocols?
Why do I need cloud providers to be compliant?
Compliance, at the most basic level, is about following protocols or standards that you’ve agreed to use or that are legal requirements. Although other topics like cost optimisation and reliability are part of compliance within the cloud industry, often greater emphasis is placed on information security, which is the focus of this article.
To keep your data secure, you need compliance protocols. Data is a hot commodity. It’s vital to make sure that data management, from its collection to how and where it is stored and processed, is a tight process. This is important for both your organisation and your customers. Compliance ensures that the whole process of data gathering and storing remains secure from threats.
When thinking about compliance, consider how information security is affected by three factors: people, processes and technology. How can you manage and prevent security risks arising from each of them? Start by asking yourself questions. For instance, when it comes to people: who can easily access the data? When it comes to processes: how is data being stored? And so on.
Cloud compliance is a set of security protocols for organisations that use cloud services. Privacy and security remain primary concerns for cloud users. Because cloud technology functions across a range of remote locations, it can store a lot of data in different places. If it’s not managed correctly, it can be vulnerable against security threats.
So what does cloud information security compliance look like? Typically, it’s based around a framework that looks at all aspects of data security. Common areas a cloud compliance audit would touch on are:
How is sensitive data protected and concealed? How is it tracked and how can it be retrieved? What are the configurations that manage this process? This part of the framework can review the cloud architecture, as well as, for example, any interconnected cloud financial systems your organisation uses.
How are changes made in a cloud infrastructure? Who has authorisation to make them? Are any of these automated? If so, how are these monitored? This part of the framework can address individual and team responsibilities. It can also evaluate who has ownership over particular sets of data, and why.
How are potential threats monitored and logged? How do you preempt emerging threats? And what is your strategy to stay on top of monitoring and changes in the landscape?
What security protocols have been actioned and how are they reported? This is useful to review for a number of reasons. Among other things, it shows potential clients on-going compliance activity. It also provides historical information on previous security breaches and their fixes.
You may note that a lot of the points in this overview centre around understanding, planning and prevention. They are proactive rather than reactive. When it comes to cloud compliance standards, prevention is the best form of defence.
ISO 27001 is a standard set of rules that helps any organisation protect and manage its data. You may see it referred to in terms of an ISMS, which stands for Information Security Management System.
ISO 27001 is also known as ‘ISO/IEC 27001 - Information technology - Security techniques - Information security management systems - Requirements.’ ISO 27001 is a little easier to remember. This set of rules was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The ISO 27001 compliance framework is based around three key objectives. These are:
Confidentiality: Only people who are authorised can access data
Integrity: Only people who are authorised can make changes to data
Availability: Data is easily accessible to authorised people
These three objectives are addressed by the controls (also known as safeguards) that the standard lists. These controls address the following:
Identifying and establishing stakeholders that need access to data. For instance, individuals, teams and suppliers will require access to different data sets.
Setting company-wide expectations for data security. Everyone is on board with data security protocols and has access to what they need.
Identifying data risks, both internal and external to the organisation.
Defining and establishing controls that meet company-wide expectations and mitigate the identified risks.
Setting clear objectives for managing data security.
Implementing controls and risk management protocols.
Continuously monitoring and managing controls, to ensure they’re performing.
Continuing to improve the ISMS. It needs to remain secure alongside new and evolving technologies.
Almost all controls apply in most cases. In theory, not every listed control needs to be implemented, and organisations sometimes focus on just the ones relevant to them; in practice, all or almost all of the controls will be applied, because the bar for justifying the exclusion of a control is very high.
The controls can be written down as policies and/or in documentation. Organisations and businesses determine what these are by undertaking a risk assessment and then writing up risk mitigation in response.
If not already established, setting up an ISO 27001 cloud compliance framework for your cloud infrastructure may seem like a big task. However, it is well worth the effort and can offer a return on investment. Here’s why:
Some clients will only work with organisations if they’re ISO 27001 certified. Not only does this create business prospects, but it can encourage customer loyalty. Clients recognise organisations that take significant steps to protect their data.
This compliance framework is an international standard. As such, it could open up business opportunities all over the world for businesses that can show their entire cloud infrastructure is compliant.
ISO 27001 covers the entire scope for cloud compliance. By mapping out the whole process, everything can be accounted for.
An efficient cloud compliance framework will result in less downtime. Protocols will ensure that security fixes are quick and infrequently needed.
As you can see, the benefits of an ISO 27001 framework flow from the organisation to the individual customer and then back to the organisation. Both parties benefit from building on the previous industry experience that’s incorporated into the ISO process, and both benefit from not needing to reinvent the wheel. Although the process can seem resource-intensive at first glance, it is well worth the investment.
The advantages of a cloud compliance framework speak for themselves. The disadvantages of lacking one, however, can spell countless troubles. Without a robust system in place, you can expect, for example, insecure access points to be breached. This is likely to happen if system vulnerabilities aren't identified, protected and monitored, and it can lead to cyberattacks and fraud.
In terms of repercussions, you could expect to see (among other issues):
There are legal requirements regarding compliance, cloud services and data management, and these vary across the world (GDPR in the EU, for example). Failing to adhere to them can result in legal issues.
Some clients may not work with you if you don’t have a compliance protocol, do not adhere strictly to it or cannot show compliance throughout your infrastructure. Customers expect transparency and control surrounding their data.
Having a set of clear compliance protocols helps everyone understand their responsibilities. If these aren’t in place, security breaches are more likely.
The lack of robust cloud data compliance affects both organisations and customers, and can hit the bottom line. Having a system in place is a long-term, cost-effective solution that focuses on prevention.
However, what happens if you use external cloud providers or vendors? How does this affect your security?
Using a cloud provider can introduce a security vulnerability into your cloud infrastructure, because providers are third-party integrations. This means that at least part of your data is going to be stored outside of your organisation, and you want to make sure it remains secure. As such, a mark of a trustworthy cloud provider is a robust compliance framework of its own.
However, using a compliant third party cloud doesn’t mean your organisation should no longer have a framework. If anything, it should make your compliance protocols more rigorous.
Cloud providers like Google Cloud, Amazon AWS and Microsoft Azure provide shared responsibility models: both you and the provider take responsibility for compliance. Big names like these offer baseline security compliance features. The security tools are there, but they 1) need to be switched on, 2) adapted to your organisation and 3) routinely managed and reviewed. You may need to bring in additional tools if your compliance framework requires them. It’s recommended that you don't rely on these external measures to cover your full compliance protocols.
In the case of Divio, we provide a PaaS that can help you by integrating the management of your cloud vendors, streamlining development, directly deploying an unlimited number of sites and apps and, in general, cutting costs while freeing up development time. When you use a service like Divio’s, it’s important to ensure that this layer within your infrastructure is also compliant.
Divio is ISO 27001, 27017 and 27018 compliant. The combination of a compliant cloud provider and Divio results in a watertight compliance system for the middle layer and bottom layer of your infrastructure.
Cloud compliance and information security are very important, and they are not something to be rushed or given short shrift. People, processes and technology all need to be considered when developing protocols. Compliance benefits are long term, from smoother day-to-day operations to broadening business relationships. The absence of a compliance framework can result in reputational damage, high costs and miscommunication. A recognised framework like ISO 27001 can build a robust set of processes that keep costs down and productivity up, something Divio is happy to help you with.
If you’re after a cloud solution that meets cloud compliance standards, the Divio platform may be just what you’ve been looking for. We’re GDPR and ISO compliant, so you can rest assured that your web applications are fully compliant. If you have any questions about cloud compliance and our PaaS, let’s talk!