The Information Security Forum (ISF) has examined the security and privacy implications of the cloud in reports such as Data Privacy in the Cloud and Securing Cloud Computing.
We have drawn two important conclusions:
- There are no inherent reasons for preventing private data from going into the cloud; the risks have to be managed like any others. It is not that difficult if organisations use existing information risk management approaches, enhancing them where necessary to manage cloud-related risks.
- Privacy obligations do not change when information moves into the cloud. This means that most organisations’ efforts to manage privacy and information risk can be applied to cloud-based systems with only minor modifications.
These modifications comprise five points:
- The security professional should adopt an information-led, risk-based approach and assess what information will be placed in the cloud and the risks associated with the compromise, loss or alteration of that information.
- The relevant legal and regulatory obligations must be taken into account, especially if personally identifiable information is to be placed in the cloud.
- Risk treatment options – including the selection of controls – can then be defined.
- The type of cloud to be used should be investigated. Using a scheme such as the NIST classification of cloud service models and deployment types (SP 800-145), the combination of a particular cloud service deployed on a particular cloud type can be examined from the perspectives of risk and control. The most suitable combination of cloud service and type – providing the lowest risk, the highest control and an acceptable cost – can then be chosen, taking into account the information going to the cloud, its legal and regulatory obligations and the chosen risk treatment options.
- Finally, you should embed the processes for assessing and managing information risk in the cloud into the procurement and vendor management lifecycle, where the ISF Securing the Supply Chain work can assist.
Adrian Davis is principal research analyst at the Information Security Forum (ISF)
This was first published in February 2014