By Eyal Estrin, Cloud Architect, Inter-University Computation Center (IUCC)

Institutions engaging with public cloud service providers need assurance that they can trust the provider with their data. One way to assess a cloud provider's security maturity is to check which standards the provider is accredited to; this information is usually readily available on the cloud service provider's website.

This document provides an overview of some of the most common security standards relating to cloud security:

ISO/IEC 27001

ISO/IEC 27001 is the most commonly used information security standard for organizations.

The ISO 27001 (2013 version) addresses the following:

  • Information Security Policies
  • Organization of Information Security
  • Human Resource Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operations Security
  • Communications Security
  • System Acquisition, Development, and Maintenance
  • Supplier Relationships
  • Incident Management
  • Business Continuity Management
  • Compliance

ISO/IEC 27017

ISO/IEC 27017 provides guidelines for information security controls applicable to providing and using cloud services.

ISO 27017 addresses the following:

  • Access control
  • Operations security
  • Communications security
  • Supplier relationships
  • Compliance
  • Human resource security
  • Asset management
  • Physical and environmental security

ISO/IEC 27018

ISO/IEC 27018 is an ISO standard focused on the privacy aspects of cloud computing.

The five key principles of this ISO standard are:

  • Consent – Cloud providers must receive approval from the customer before using their personal data for advertising or marketing purposes
  • Control – Customer’s explicit control over their data stored in the cloud
  • Transparency – Cloud providers must inform customers where their data resides
  • Communication – Cloud providers need to notify customers in case of a breach
  • Independent and yearly audit – Cloud providers must subject themselves to a yearly third-party audit

SOC (Service Organization Controls)

  • SOC I – Audit of financial statements
  • SOC II – Report on security, availability, integrity, confidentiality or privacy
    • Type 1 – Description of the systems and the suitability of the controls
    • Type 2 – Details about the effectiveness of the controls
  • SOC III – Management report on the security controls of SOC II (without technical details)

GDPR (General Data Protection Regulation)

GDPR is the EU legal framework on protecting personal data and addresses:

  • Defining privacy policy
  • Appointing a DPO (Data Privacy Officer)
  • Adding privacy in system design considerations
  • Reporting data breaches
  • Customer consent
  • Auditing private data usage
  • The “right to be forgotten”
