Author Archives: Simon Barton
Cloud Security
The Cloud is someone else’s computer: a service accessed over the Internet, but technically still a client accessing data held on a shared server. The only differences are in the commercial arrangements, and in the sharing of the service by different, unrelated customers with potentially different expectations.
The ownership of the data, and the responsibilities that go with it, do not change.
Cloud Security Standards
While the principles of ISO27001 apply to any security management regime, there are several specific areas of concern, as the information that is the responsibility of the customer is now being held and processed in its entirety by a third-party supplier outside of the customer’s normal security arrangements.
There is no single recommended security framework specifically for the management of cloud services; however, the principles of ISO27001:2013 (and 2005 before it), along with the best practice in ISO27002 and ISO27017, form a sound basis for approaching all information security, including Cloud Service provision.
Ideally, the Cloud Service provider should have some form of independent accreditation or certification of their service by a third party that has audited their security arrangements. The scope of this certification should be checked to ensure it covers the service being offered.
Certification will be against one of the pre-existing standards, such as ISO27001, or against one of the emerging standards, such as that being developed by the Cloud Security Alliance. Where card and payment details are being handled, compliance with PCI-DSS v3 would be expected as well.
As a quick reference, the UK Government’s guidance is recommended.
Why Confidentiality, Integrity, Availability?
Security Standards, such as ISO27001, talk about protecting the Confidentiality, Integrity and Availability of information.
- Loss of Confidentiality is embarrassing, can damage a business’s reputation, result in regulatory fines, and can have legal consequences for the directors.
- Loss of data Integrity means you can no longer trust what the business is doing or saying: incorrect orders, false wage payments to non-existent employees, abusive PR from a hacked Twitter account or website.
- Loss of data Availability means you have no information to act on: no customers, no orders, no finances.
These are all Business Issues, not fundamentally technical issues.
