What is Cloud Security?

Cloud security is a subset of cyber security concerned with securing data, applications and infrastructure in the Cloud. The Cloud itself is a virtualisation of networks, servers, applications and data storage that is accessible via the Internet.

Cloud services include IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). These provide on-demand access for users wherever they are, without their direct management.

With hybrid working now the norm, many organisations are increasingly reliant on the Cloud to ensure their staff can access the data and services they need wherever they are.

However, there are security risks associated with Cloud services.

These are especially concerning as the nature of Cloud computing means organisations will inevitably rely on third parties for some element of their information security.

If you use Cloud services, you need to satisfy yourself of the security and resilience of your Cloud service providers at the trust boundary – the point at which the responsibility passes from your organisation to your supplier.

This is particularly important when it comes to observing your legal and regulatory compliance obligations.

For instance, the DPA (Data Protection Act) 2018 and GDPR (General Data Protection Regulation) apply to the processing of personal data regardless of where that processing takes place.

If you are a data controller, the Cloud service providers you use need to be able to demonstrate that their technical and organisational security measures comply with the data protection law(s) to which you are subject.

Learn more about DPA 2018 and GDPR compliance

Learn more about data sovereignty and the Cloud

Looking to improve your Cloud security?

We are the leading provider of information, books, products and services that help boards develop, implement and maintain a Cloud governance framework.

If you’re looking for guidance, practical advice or consultation, we can help.

Our team of experts are on hand to help you at any stage of your Cloud security journey.

According to the (ISC)² 2021 Cloud Security Report, 96% of organisations are moderately to extremely concerned about Cloud security. Their biggest concerns are:

• Data loss/leakage (64% of respondents)
• Data privacy/confidentiality (62%)
• Accidental exposure of credentials (46%)

For Cloud service providers, addressing these concerns by following Cloud security best practices is of paramount importance.

There are many established approaches to Cloud security, including:

The EU approved the Cloud CoC in 2021 to help Cloud providers demonstrate that they meet their obligations under Article 40 of the GDPR.

Covering SaaS, PaaS and IaaS, the Code sets out requirements for business-to-business Cloud service providers that act as processors.

It is supported by a Controls Catalogue that maps these requirements to the GDPR, ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 2, C5:2016 (Cloud Computing Compliance Controls Catalog), NIST SP 800-53 and the NIST Cybersecurity Framework.

Declarations of adherence to the Code are overseen by an independent monitoring body, SCOPE Europe.

The EDPB (European Data Protection Board) published its positive opinion of the Belgian Data Protection Authority’s approval of the Code in May 2021.

The 14 CSPs are defined by the NCSC (National Cyber Security Centre) and provide a comprehensive set of security controls for operation within the Cloud:

1. Data in transit protection
2. Asset protection and resilience
3. Separation between users
4. Governance framework
5. Operational security
6. Personnel security
7. Secure development
8. Supply chain security
9. Secure user management
10. Identity and authentication
11. External interface protection
12. Secure service administration
13. Audit information for users
14. Secure use of the service

The CSA developed and maintains the CCM, a set of additional information security controls designed specifically for Cloud service providers, and against which customers can carry out a security audit.

BSI and the CSA have collaborated to offer a certification scheme (designed as an extension to ISO 27001) against which Cloud service providers can achieve independent certification.

The CSA CCM provides a framework that gives a detailed understanding of security concepts and principles that are aligned with the CSA guidance in 16 domains:

1. Application & Interface Security
2. Audit Assurance & Compliance
3. Business Continuity Management & Operational Resilience
4. Change Control & Configuration Management
5. Data Security & Information Lifecycle Management
6. Datacenter Security
7. Encryption & Key Management
8. Governance and Risk Management
9. Human Resources
10. Identity & Access Management
11. Infrastructure & Virtualization Security
12. Interoperability & Portability
13. Mobile Security
14. Security Incident Management, E-Discovery & Cloud Forensics
15. Supply Chain Management, Transparency and Accountability
16. Threat and Vulnerability Management

The international standard ISO 27017 was designed to provide guidance on applying 37 of ISO 27001’s Annex A information security controls to Cloud environments. It also provides seven additional controls that relate specifically to Cloud services.

ISO 27018 provides guidance for Cloud service providers on selecting and implementing security controls from Annex A of ISO 27001.

Both standards’ controls can be adopted as part of an ISO 27001-compliant ISMS (information security management system).

Learn more about ISO 27017 and ISO 27018

Accelerate your compliance with ISO 27017 and ISO 27018 with customisable templates, documents, policies and records. This toolkit was designed to integrate with our ISO 27001 Toolkit to give you complete control over the security of your Cloud services.

Buy now

Our ISO 27017/ISO 27018 FastTrack™ 20 consultancy service is a bolt-on service to our ISO 27001 FastTrack™ 20.

It extends your ISO 27001-compliant ISMS following the ISO 27017 and ISO 27018 standards.

Buy now

Review the security of your Cloud services with our Cloud Configuration Penetration test.

Our advanced manual testing techniques, configuration benchmarking and automated scans will be used to perform an in-depth health check looking for misconfigurations and vulnerabilities.

Buy now

You might also be interested in:

• Cloud Security FastTrack™ Toolkit – ISO 27017 & ISO 27018
• ISO/IEC 27017 2015 Standard
• ISO/IEC 27018 2019 Standard
• Data Protection and the Cloud – Are you really managing the risks?
• Securing Cloud Services: A pragmatic guide, second edition