When companies want to move their data or entire value chains to the cloud, they become increasingly concerned about the security of cloud computing. More or less all cloud providers advertise being very, very, very secure. But how can companies check which cloud services are really secure? And what should companies look for when they lack the expertise to assess the true IT security and privacy of a cloud service themselves?
Who Is Responsible for Data Security and Privacy in the Cloud?
Anyone who stores or processes their data in the cloud generally enters into an order data processing relationship with the provider. When data is processed on behalf of the customer, the client remains responsible for data protection and, in connection with it, for IT security. In addition to a valid contract for order data processing, the client is therefore required by law to review the technical and organizational measures of the contractor.
But checking cloud providers poses several challenges. On the one hand, the provider's data center is often at a considerable physical distance. On the other hand, the specialist knowledge needed to properly assess the security and protective measures taken is often missing. In addition, the review and its result must be documented to prove your own diligence, which requires further effort and appropriate knowledge.
Self-Information of the Cloud Provider
The cloud provider's own evidence or self-disclosure, describing the existing degree of data protection and IT security, can therefore serve as a tool in the review. Often a data protection concept or a similar document is presented for this purpose. It should cover the technical and organizational measures as well as data protection management. The description should refer to all data centers of the cloud provider as well as to all locations from which employees work (including administration and support).
Quality Seals & Certificates for Cloud Computing
In addition to self-disclosure, the cloud storage provider should also have third-party certifications. Here there is an almost unmanageable variety of quality seals, certificates, and confirmations. To separate the wheat from the chaff, attention should be paid to whether (independent) experts recognize the certification, because many of the so-called quality labels do not guarantee compliance with existing normative or legal requirements or best practices.
Good quality seals are, however, at least characterized by the following properties:
- The requirements (for IT security, data protection, etc.) must be comprehensible. Ideally, the audit catalogs are publicly available or based on a publicly recognized standard.
- The requirements must be appropriate for the relevant area. For example, a valid ISO 9001 certification indicates that quality management is in place in the company, but does not say anything about data security, etc.
- The proof must be current or valid. Especially the review of IT security measures and data protection must take place regularly.
- The proof must refer to all relevant locations. A certified data center is praiseworthy, but if data can be accessed from other – unaudited – locations, this is not enough.
ISO Certifications for Cloud Computing
Those who want to play it safe in the face of this cloud security diversity should in practice focus exclusively on providers with ISO data security certification. The following standards are eligible for this:
ISO 27001 – Information Security Management
With an ISO 27001 (native) certification, an independent auditor testifies that the audited company has a planned and controlled approach to achieving and maintaining appropriate information security standards. Above all, however, the ISO 27001 standard states that a suitable approach to achieving information security exists, not necessarily that a high level of security has already been achieved.
Tip: Since an information security management system (ISMS) is designed for continuous improvement, it can at least be assumed that the level of information security is already more mature where a certification has existed for some time or has been repeated.
ISO 27018 – Privacy for Cloud Services
The ISO 27018 standard supplements ISO 27001 with requirements that are specific to cloud providers. Unfortunately, an official ISO 27018 certificate issued by an accredited testing body is not yet available. If the provider has a corresponding certificate, it has been awarded by a private body and does not carry the same assurance.
ISO 27001 Based on IT-Grundschutz (BSI)
A certification according to ISO/IEC 27001 based on IT-Grundschutz currently provides the best estimate of the actual IT security level of the provider from the outside. After all, a BSI certificate certifies not only a functioning information security management system but also the appropriate implementation of the IT security measures. This certification describes many hundreds of concrete security measures and, building on the information security management system (ISMS), attests to a level of data security that actually exists and can be proven.
Conclusion: Especially ISO Certificates help in the testing
Overall, it can be seen that checking a cloud provider with regard to IT security and data protection is a very demanding task if it is to be compliant with the law. As a rule, it is therefore advisable to involve your own data protection officer and other specialist personnel at an early stage, or to resort to external experts.
If documents, quality seals or certifications of the cloud provider are to partially replace your own examination, their relevance, currency, and validity must be taken into account. Recognized ISO protection standards such as ISO 27001 and ISO 27001 based on IT-Grundschutz (IT baseline protection) ensure the highest level of security.
Contact us today to secure your data in the cloud.