Information security for the use of cloud services

With many organisations adopting remote working practices, the need for cost savings, scalability and security has made reliance on cloud-based technology the preferred choice. To ensure their systems are secure and confidential data remains protected, it is important that the security pitfalls that could result from the use of these cloud services are assessed, and that businesses put controls in place to evaluate, address, and mitigate any resulting information security risks. 

The recent update to ISO 27001 introduced some changes, one of which focuses on ensuring and maintaining information security and outlines the processes required for the acquisition, use, management and exit from cloud services in relation to the organisation’s unique information security requirements. If you need support with understanding the changes to ISO 27001:2022 or you need an ISO 27001 internal audit in order to help you on your way to certifying to the standard, we can help, view our ISO27001 consultancy services page. 

Understanding the risks of adopting cloud services

Many of the security threats facing on-premises facilities and traditional data centres also exist within the cloud computing environment. Apart from the vulnerabilities found in most software which make organisations susceptible to cyber criminals, the shared responsibility for information security between the organisation and the Cloud Service Provider (CSP) means that information security risks are split between both parties.   

Some of the security risks to consider when engaging a cloud service include: 

• Limited visibility – Migration to the cloud limits an organisation’s visibility into the operation of its networks. These blind spots in a network are security risks that make it difficult to identify vulnerabilities, leaving gaps where malware can remain undetected. It is therefore important that an organisation has clear visibility of the network perimeter. 
• Compliance – The use of unauthorised cloud services not only results in an increase in malware infections, but it can also result in cloud security misconfiguration leading to data leakage and unauthorised access to sensitive information.  
• API compromise -Cloud service providers provide the APIs that customers use to manage and interact with cloud services. These are used in turn to provision, manage, orchestrate, and monitor their assets and users. Vulnerabilities in the APIs can be a tool in the hands of cybercriminals to attack organisations and compromise their data. 
• Vendor lock-in – This becomes an issue when an organisation’s move from one service provider to another is hampered by factors such as non-standard data formats, non-standard APIs or reliance on the service provider’s proprietary tools. This can result in data loss and delayed services. 
• Data loss – Aside from malicious attacks, data in the cloud could be lost as a result of accidental deletion by the Cloud Service Provider and physical catastrophes such as fire, flooding or earthquake in the data centre leading to permanent loss of customer data. Also, the loss of an encryption key after a customer has uploaded encrypted data to the cloud could lead to data loss. 

How do we choose the right Cloud Service Provider?

When an organisation uses cloud services, it delegates management of parts of its service and security responsibility to the cloud provider. Before selecting a suitable cloud provider, your organisation needs to understand its specific business and security needs and carry out security due diligence on the prospective service provider. Clarifying the technical, service, data governance, security and service management requirements will help inform the choice of the right service provider. 

According to the NCSC Cloud Security Guidance, an organisation’s choice of a Cloud Service Provider is determined by the level of confidence in the service required and the sensitivity of the data they are prepared to share in the cloud. 

10 things to consider when choosing a Cloud Service provider

How do you select the right cloud provider from so many?  

We have identified some ISO 27001 context best practices to consider when choosing a Cloud Service Provider.  

1. Ensuring that Cloud Service Providers have effective threat detection and monitoring capabilities to identify and respond to incidents in a timely manner. 
2. Establishing clear data classification and guidelines for data ownership and responsibility in the cloud, including requirements for segregation and access control. 
3. Conducting regular security audits of Cloud Service Providers to ensure they remain compliant with relevant security standards and regulations. For instance, if security is a priority, look for suppliers accredited with certifications like ISO 27001 or the government’s Cyber Essentials Scheme.,  including requirements for data retention, audit-ability and reporting. 
4. Ensuring that the Cloud Service Providers have effective incident response plans in place that outline the steps to be taken in the event of an incident as well as the roles and responsibilities. This will minimize the impact of security incidents and prevent future security incidents from occurring. They should also regularly back up data stored in the cloud to ensure that it can be recovered in the event of a security incident or data loss. 
5. Ensuring that Cloud Service Providers have effective identity and access management controls in place and established clear guidelines for the use of multi-factor authentication in the cloud. 
6. Establishing clear guidelines for data portability and ensuring that Cloud Service Providers provide a mechanism for data export and transfer in the event of service termination or provider lock-in. 
7. Monitoring Cloud Service Provider’s compliance with service level agreements (SLAs) and taking action if SLAs are not met. 
8. Establishing clear guidelines for the use of third-party applications and services in the cloud, including requirements for authentication, authorisation and data protection. 
9. Conducting regular vulnerability assessment and penetration testing to address potential security weaknesses in the cloud environment. 
10. Establishing clear guidelines for encrypting sensitive data both in transit and at rest to ensure that it cannot be intercepted or accessed by unauthorised parties and that Cloud Service Providers have effective key management controls in place to protect encrypted data. 

Conclusion

Choosing the right Cloud Service Provider is a critical decision for any organisation. When considering your choice of a Cloud Service Provider from an information security perspective, it is important to assess their certifications, policies, procedures, controls, incident response plan, compliance program and service level agreements.  

By taking a holistic approach to evaluating Cloud Service Providers, you can ensure that you select a provider that meets your organisation’s needs, provides reliable and secure services and offers excellent support and help you achieve your information security goals. 

Take a deep dive into Cloud security

Download our FREE Guide to Cloud Security.

Need help with cloud security? 

If your organisation needs help or advice on managing cloud security, we’re here to help. We can advise on your security vulnerabilities, select the right security technology and check that your systems are configured correctly. We specialise in Microsoft 365 security reviews, AWS security reviews and Azure security reviews, each can be delivered over four days. We can also put policies in place and run staff cyber training exercises. Contact us for a friendly chat.