Aug 30 2024

How to manage information in the cloud: Best practice frameworks

Category: Cloud computingdisc7 @ 10:13 am

It’s predicted that more than $1 trillion in IT spending will be directly or indirectly affected by the shift to cloud during the next five years. This is no surprise as the cloud is one of the main digital technologies developing in today’s fast-moving world. It’s encouraging that CEOs recognize that it’s crucial for them to champion the use of digital technologies to keep up with today’s evolving business environment.

However, there are still concerns about using cloud services and determining the best approach for adoption. It’s important to acknowledge that adapting to emerging technologies can be challenging, particularly with the constantly expanding range of products and services. As a business improvement partner, DISC collaborates with clients to identify key drivers and develop best practice standards that enhance resilience.

What Influences Organizations to Store Information on the Cloud?

Organizations should align their business strategy and objectives to determine the most suitable approach to cloud computing. This could involve opting for public cloud services, a private cloud, or a hybrid cloud solution, depending on their resources and priorities.

Security concerns remain the leading barrier to cloud adoption, especially with public cloud solutions. In fact, 91% of organizations are very or moderately worried about the security of public cloud environments. These concerns are not limited to IT departments; 61% of IT professionals believe that cloud data security is also a significant concern for executives.

Despite these challenges, many organizations are influenced by the benefits of managing information on the cloud. These benefits include:

  • Agility: you can respond more quickly and adapt to business changes
  • Scalable: cloud platforms are less restrictive on storage, size, number of users
  • Cost savings: no physical infrastructure costs or charges for extra storage, exceeding quotas etc
  • Enhanced security: standards and certification can show robust security controls are in place
  • Adaptability: you can easily adjust cloud services to make sure they best suit your business needs
  • Continuity: organizations are using cloud services as a backup internal solution

Standards to help you Manage Information on the Cloud

Standards that focus on putting appropriate frameworks and controls in place to manage cloud security.

ISO/IEC 27001 international standard for an Information security management system (ISMS). It is the foundation of all our cloud security solutions. It describes the requirements for a best practice system to manage information security including understanding the context of an organization, the responsibilities of top management, resource requirements, how to approach risk, and how to monitor and improve the system.

It also provides a generic set of controls required to manage information and ensures you assess your information risks and control them appropriately. It’s relevant to all types of organizations regardless of whether they are involved with cloud services or not, to help with managing information security against recognized best practices.

ISO/IEC 27017 is an international code of practice for cloud security controls. It outlines cloud-specific controls to manage security, building on the generic controls described in ISO/IEC 27002. It’s applicable to both Cloud Service Providers (CSPs) and organizations procuring cloud services.

It provides support by outlining roles and responsibilities for both parties, ensuring all cloud security concerns are addressed and clearly owned. Having ISO/IEC 27017 controls in place is especially important when you procure cloud services that form part of a service you sell to clients.

ISO/IEC 27018 is an international code of practice for Personally Identifiable Information (PII) on public clouds. It builds on the general controls described in ISO/IEC 27002 and is appropriate for any organization that processes PII. This is particularly important considering the changing privacy landscape and focus on protecting sensitive personal data.

All businesses need to continually evolve their cybersecurity management in order to effectively manage the cyber risks associated with cloud use. Request to learn more.

Adopt these standards today to ensure your organization effectively manages data in the cloud.

How to build a world class ISMS:

ISO 27001 serves as the foundation for ISO 27017, ISO 27018, and ISO 27701.

After conducting the risk assessment, it’s essential to compare the controls identified as necessary with those listed in Annex A to ensure no important controls were overlooked in managing the risks. This serves as a quality check for the risk assessment, not as a justification for using or not using any controls from Annex A. This process should be done for each risk identified in the assessment to see if there are opportunities to enhance it.

Any controls that you discover were unintentionally “omitted” from the risk assessment can come from any source (NIST, HIPAA, PCI, or CIS Critical Security Controls) and are not restricted to those in Annex A.

One should consider CIS Controls to strengthen one of the above frameworks when building your ISMS. CIS Controls is updated frequently than frameworks and are highly effective against the top five attack types found in industry threat data, effectively defending against 86% of the ATT&CK (sub)techniques in the MITRE ATT&CK framework.

Statement of Applicability (SoA) is typically developed after conducting a risk assessment in ISO 27001. The risk assessment identifies the information security risks that the organization faces and determines the appropriate controls needed to mitigate those risks.

In ISO 27001, the Statement of Applicability (SoA) is a key document that outlines which information security controls from Annex A ( or from (NIST, HIPAA, PCI, or CIS Critical Security Controls)) are applicable to an organization’s Information Security Management System (ISMS). The SoA provides a summary of the controls selected to address identified risks, justifies why each control is included or excluded, and details how each applicable control is implemented. It serves as a reference to demonstrate compliance with ISO 27001 requirements and helps in maintaining transparency and accountability in the ISMS.

The SoA is essential for internal stakeholders and external auditors to understand the rationale behind the organization’s approach to managing information security risks.

Cloud shared responsibilities:

Most companies appear to be operating in the hybrid or public cloud space, often without fully realizing it, and need to gain a better understanding of this environment.

Cloud shared responsibilities refer to the division of security and compliance responsibilities between a cloud service provider (CSP) and the customer. This model outlines who is responsible for specific aspects of cloud security, depending on the type of cloud service being used: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).

The division of responsibilities varies based on the cloud service model:

  • IaaS: The CSP manages the basic infrastructure, but the customer is responsible for everything else, including operating systems, applications, and data.
  • PaaS: The CSP manages the infrastructure and platform, while the customer focuses on application development, data management, and user access.
  • SaaS: The CSP handles most security aspects, including applications and infrastructure, while the customer is primarily responsible for data security and user access management.

Understanding the shared responsibility model is crucial for ensuring that both the CSP and the customer are aware of their respective roles in maintaining cloud security, compliance and last but not the least managing risks in the cloud environment.

In summary, The shift to cloud computing is expected to influence over $1 trillion in IT spending over the next five years as companies increasingly adopt digital technologies to stay competitive. Despite the benefits of cloud computing—such as agility, scalability, cost savings, and enhanced security—many organizations face challenges, particularly around security concerns, which are a major barrier to cloud adoption. To navigate these challenges, businesses need to align their cloud strategies with their objectives, choosing between public, private, or hybrid cloud solutions. Additionally, implementing standards like ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 can help manage cloud security and compliance effectively by providing frameworks for managing information security risks and ensuring data protection. Understanding the shared responsibility model is also crucial for cloud security, as it defines the distinct roles of cloud service providers and customers in maintaining a secure cloud environment.

Latest Cloud Security titles

Previous posts on Cloud Computing

ISO27701 – Privacy information management system

Check out these previous ISO27k posts

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: cloud computing benefits, Cloud computing frameworks, cloud computing security, cloud security, cloud security risks, Cloud shared responsibilities, isms, ISO27k, SoA


Nov 26 2021

There is no cloud…just someone else’s computer

Category: Cloud computing,Information SecurityDISC @ 5:27 pm

Practical Cloud Security: A Guide for Secure Design and Deployment

MicroMasters® Program in Cloud Computing

Tags: cloud computing security, cloud security


Jun 25 2021

Ensono: Security is a key factor when choosing a public cloud provider

Category: Information SecurityDISC @ 2:16 pm

There are many factors to considered when selecting a public cloud provider, but 56% in a recent survey said security concerns had the most significant influence during the selection process for public cloud providers, IT services management company Ensono said.There are many factors on selecting public cloud providers

Above: Ensono Cloud Clarity Report uncovered several areas that significantly influenced buying decisions.

Ensono: Security is a key factor when choosing a public cloud provider

Cloud security

Tags: cloud computing security, cloud security


Mar 09 2021

How to mitigate security risks as cloud services adoption spikes

Category: Cloud computingDISC @ 11:49 pm

The challenges of accelerated cloud adoption

The sheer number of organizations moving to the cloud is staggering: we’re seeing 3-5 years-worth of business transformation happening in just months due to the pandemic. As cloud-enabled digital transformation continues to accelerate, there are a variety of concerns.

For example, the visibility of data. Organizations (and users) must assess what controls cloud services providers offer in order to understand the security risks and challenges. If data is stored unencrypted, that implies significant additional risk in a multi-tenant environment. Or what about the ability of security models to mimic dynamic behavior? Many anomaly detection and predictive “risk-scoring” algorithms look for abnormal user behavior to help identify security threats. With the sudden and dramatic shift to remote work last year, most models require significant adjustments and adaptation.

Normally, companies begin exploring the move to a cloud service provider with a detailed risk analysis assessment. This often involves examining assets, potential vulnerabilities, exploitation probabilities, anticipated breach-driven outcomes, and an in-depth evaluation of vendors’ capacity to effectively manage a hybrid solution (including authentication services, authorization, access controls, encryption capabilities, logging, incident response, reliability and uptime, etc.).

How to mitigate security risks as cloud services adoption spikes

Tags: cloud computing risks, cloud computing security, cloud security


May 12 2014

Bestselling Books at Infosecurity 2014

Category: cyber security,Information SecurityDISC @ 9:36 am

InfoseEurope2014

by Lewis Morgan @ITG

It has now been a week since Infosecurity Europe 2014. This year was my first at Infosec, and I found it to be one of the most interesting and diverse events I have ever been to.

During my short time on the IT Governance stand, I spoke to several people who were showing a keen interest in our wide range of books. It was a common opinion that our range of books is one of the broadest in the industry – something of which we are very proud.

To demonstrate our range of books and their popularity, We have created the below list of the 5 bestselling books at Infosecurity 2014*. All of the following books are available in multiple formats.

PCI DSS Pocket Guide

    A quick guide for anyone dealing with the PCI DSS and related issues. Now also covers PCI DSS version 3.0.

ISO27001 / ISO27002 Pocket Guide

    Now updated for the 2013 editions of ISO27001/ISO27002, this pocket guide gives a useful overview of two important information security standards.

Governance of Enterprise IT based on COBIT®5

    A perfect introduction to the principles and practice underpinning the governance of enterprise IT using COBIT®5.

Penetration Testing –  Protecting Networks and Systems

    An essential guide to penetration testing and vulnerability assessment, which can be used as a preparation guide for Certified Penetration Testing Engineer exams.

Securing Cloud Services

    This book provides an overview of security architecture processes, and explains how they may be used to derive an appropriate set of security controls to manage the risks associated with working in the Cloud.

 




Tags: Certified Penetration Testing Engineer, Cloud computing, cloud computing security, London, Payment Card Industry Data Security Standard, Penetration test


Jan 22 2010

How to manage risk in the cloud

Category: Cloud computingDISC @ 3:06 am

What is Cloud Computing and does it provide more protection to your business?

  • Pre-order the Softcover;

  • Pre-order the eBook.
  • Cloud Computing will bring many benefits to organisations, some of which include reducing operating costs, reducing power consumption and freeing you up to focus on your core business.
    The concept of shifting computing to a shared service provider is not new. What may be new is that the cost of Cloud Computing is falling so dramatically that considering outsourcing to the Cloud is no longer rare, and it is now accessible enough that any individual or organisation can use it to their advantage.

    Above the Clouds: Managing Risk in the World of Cloud Computing
    For Cloud Computing to be a viable option, you need to be confident that your business information will be secure and that the service you offer to your customers will still be reliable. So if you want to adopt a Cloud Computing strategy, you need to make sure you carry out due diligence on the service provider before you entrust this firm with your vital data. However, the author challenges the assumption that Cloud Computing will offer less protection to your data than relying on an in-house server. Buy Now!>

    Cloud Computing not only allows you to make economies of scale; it can also offer you the increased security that comes from sharing the resource. The author argues that moving over to Cloud Computing can actually help to defend your organisation from threats such as denial of service attacks, viruses and worms.

    Cloud service providers will tell you that Cloud Computing is bound to be better, faster and cheaper. The reality is that before switching over to Cloud Computing, you need to think carefully about whether it will really work for your business. This book shows you what you need to do to ensure that with Cloud Computing you will continue to give the standard of service your customers require. It also offers you some valuable tips on how to choose your provider of Cloud services.

    Published date: 9th February 2010.

    Pre-order this book using Voucher Code: “cloud2010” to save 10%!

  • Pre-order the Softcover;

  • Pre-order the eBook.



  • Tags: Business, cloud, Cloud computing, cloud computing benefits, cloud computing concerns, cloud computing risks, cloud computing security, cloud security, cloud services, cloudcomputing, Computer Science, Denial-of-service attack, Distributed Computing, due diligence, Economy of scale, Outsourcing, Security


    Sep 10 2009

    Way beyond the edge and de-perimeterization

    Category: Cloud computing,Information SecurityDISC @ 2:59 pm

    Wie eine Firewall arbeitet / how a firewall works
    Image by pittigliani2005 via Flickr

    De-perimeterization term has been around almost for a decade and finally industry is taking it seriously because of virtualization and cloud computing popularity. Is it time for businesses to emabrace de-perimeterization?

    De-perimeterization is a double edge sword for industry which creates scalable options for operation and huge challenges for safeguarding the assets beyond the edge. One of the major advantages for de-perimeterization is that user can access corporate information over the internet; in this situation user can access corporate data from any where, it’s hard to draw the line where the edge begins and where it ends. All you basically need a functional laptop with internet connection. On the other hand, de- perimeterization poses a great challenge due to possibility of viruses, spywares and worms spreading in your internal protected infrastructure.

    In de-perimeterized environment, security attributes shall follow the data, wherever the data may go or reside.

    In security architecture where firewall was considered a very effective perimeter defense has been weakens by virtualization and cloud computing. In early days of firewall defense, organization only needed to open few necessary protocols and ports to do business. Internet accessible systems were located on the DMZ and the communication was initiated from the corporate to internet. Now there are whole slew of protocols and ports which needs to be open to communicate with application in the cloud. As corporate application move out of the organization network into the cloud, the effectiveness of firewall diminished.

    Defense in depth is required for additional protection of data because as new threats emerge, the firewall cannot be used as an only layer of security. The key to the security of de-perimeterization is to push security at each layer of infrastructure including application and data. Data is protected at every layer to ensure the confidentiality, integrity and availability (CIA). Various techniques can be utilized for safeguarding data including data level authentication. The idea of data level authentication is that data is encrypted with specific privileges, when the data move, those privileges are moved with the data.

    layered-defense

    Endpoint security is relevant in today’s business environment especially for laptop and mobile devices. Agents on laptops and mobile devices utilized pull/push techniques to enforce relevant security policies. Different policies are applied depending on the location of the laptop. Where security policy will ensure which resources are available and what data need to be encrypted depending on the location of the device.

    When corporate application and important data reside in the cloud, SLA should be written to protect the availability of the application and confidentiality of the data. Organizations should do their own business continuity planning so they are not totally dependent on the cloud service provider. For example backup your important data or utilize remote backup services where all data stored is encrypted.


    Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance


    Download a free guide for following cloud computing applications

    Hosted email solution
    Hosted email archiving
    Hosted web monitoring
    Hosted online backup


    Reblog this post [with Zemanta]




    Tags: business continuity, Cloud computing, cloud computing article, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing security, cloud computing services, cloud security, cloud services, de-perimeterizations, DMZ, iso assessment


    Jul 07 2009

    Cloud Computing Pros and Cons

    Category: Cloud computingDISC @ 6:19 pm

    Cloud Application Architectures: Building Applications and Infrastructure in the Cloud

    Cloud computing is the future of the computing, which happens to provide common business applications online that run from web browser and is comprised of virtual servers located over the internet. Basic idea behind cloud computing is the accessibility of application and data from any location as long as you are connected to the internet. Cloud computing makes the laptop the most essential tool to get the job done.

    For example Hosted Email (SaaS) Security provides safeguards at the Internet level, eliminating spam and malware before they reach your internal network infrastructure. The hosted email provides centralized security with built-in redundancy, failover, and business continuity, while easing network and security administration. In the hosted email software as a service the security controls are at work at the internet level. It’s about time to expand the corporate perimeter beyond firewall and one of the major benefit of cloud computing is to give organizations capability to implement security controls at internet level and eliminate threats before they reach the internal network.

    An online backup service is another example of software as a service (SaaS) which provides users with an online system for backing up and storing computer files.

    Cloud computing incorporates several different types of computing, including:
     software as a service (SaaS)
     platform as a service (PaaS)
     infrastructure as a service (IaaS)

    It is a range of technologies that have come together to deliver scalable, tailored and virtualized IT resources and applications over the Internet.

    Cloud Computing have several benefits and potential risks which you may want to know before signing a contract with a cloud vendor.



    Cloud Computing benefits

  • Users can avoid capital expenditure on hardware, software, and other peripheral services, when they only pay a provider for those utilities they use;

  • Consumption is billed as a utility or subscription with little or no upfront cost;

  • Immediate access to a broad range of applications, that may otherwise be out of reach, due to:

  • The lowering barriers to entry;

  • Shared infrastructure, and therefore lower costs;

  • Lower management overhead.

  • Users will have the option to terminate a contract at any time, avoiding return on investment risk and uncertainty.

  • Greater flexibility and availability of ‘shared’ information, enabling collaboration from anywhere in the world – with an internet connection.


  • Cloud computing associated risks

  • Cloud computing does not allow users to physically possess the storage of their data which leaves responsibility of data storage and control in the hands of their provider;

  • Cloud Computing could limit the freedom of users and make them dependent on the cloud computing provider;

  • Privileged user access – how do you control who has access to what information?

  • Security of sensitive and personal information lay with the vendor. How do you explain this to your customers when their data is compromised without sounding like you’re ‘passing the buck’?

  • From a business continuity stand point, can you rely on each vendor to have adequate resilience arrangements in place?

  • Long-term viability — ask what will happen to data if the company goes out of business; how will data be returned and in what format?



  • Complexities of cloud computing will introduce new risks and complexity is the enemy of security. The organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

    Recomended books on cloud computing

    Reblog this post [with Zemanta]




    Tags: Cloud computing, cloud computing article, cloud computing benefits, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing network, cloud computing platform, cloud computing risks, cloud computing security, cloud computing services, cloud computing solutions, cloud security, cloud services, Infrastructure as a service, Platform as a service