
Security in Cloud Environment and ISO/IEC 27017:2016 - Code of practice for information security controls based on ISO/IEC 27002 for cloud services

* Ricardo Ambrizzi

With the technological advance of society 4.0 and the world scenario in which we live, organizations are increasingly being transformed by cloud computing technology.

According to Gartner studies, global costs for end-users of cloud computing are forecast to increase by approximately 18% in 2021. This is due to the growing number of organizations operating in home office and to the concern to establish a high-performance, scalable, accessible and available infrastructure.

From the simplest to the most complex processes, data handling that involves storage and sharing has been migrated to cloud services, bringing conveniences and benefits while also bringing new threats and risks for organizations to control.

What are the main risks with the increased consumption of this technology?

In the report presented by the Cloud Security Alliance in 2020, major threats were highlighted that still persist in 2021 and that generate great risks in the use of cloud computing, such as:

  1. Data breach

In the absence of effective controls and monitoring for cloud environments, organizations are suffering from an increase in cyber attacks and in the leakage and exposure of stored and shared data.

  2. Incorrect configuration and improper change control

In the absence of well-established technical standards and documents, and of controls to audit compliance with the defined security activities, a vulnerability can arise that cyber attacks can exploit.

  3. Lack of cloud security architecture and strategy

In the absence of security planning and a strategy for controlling and monitoring the transition to a cloud architecture, future information security incidents can result. It is of paramount importance to analyze in detail the risks of this transition process, to control the changes to be carried out, and to manage access and environments with regard to their confidentiality, integrity and availability.

How to establish a secure and reliable cloud environment?

When we analyze the structure of a cloud environment, we identify two agents with different responsibilities that nevertheless intersect at certain points to ensure the pillars of information security: confidentiality, integrity and availability.

These are the “cloud service customer” and the “cloud service provider”, each of which is responsible for implementing security controls in its own organization. Seeking worldwide definitions and good practices, ISO (International Organization for Standardization) structured ABNT NBR ISO/IEC 27017:2016 - Information technology - Security techniques - Code of practice for information security controls based on ABNT NBR ISO/IEC 27002 for cloud services.

The standard provides additional guidelines and controls for implementations specific to the cloud environment, and for developing actions that address information security threats and risks specific to cloud environments, based on ISO/IEC 27002.

Through controls specific to cloud environments, the standard establishes controls for the relationship between cloud service customers and cloud service providers, mitigating the end-to-end risks of the customer and provider environments.

Several organizations in the current scenario already hold ABNT NBR ISO/IEC 27017:2016 certification, demonstrating their commitment and good faith in protecting and securing stored and shared data, reducing the risk of financial losses due to data breaches, and gaining new customers through the reliability of their structure.

With Safeway, our customers better understand their Information Security needs, as well as having the necessary tools to detect, respond and mitigate threats. We will help you to protect your critical assets, your brand and your business through our Consulting and Professional Services.

* Ricardo Martins Melo Ambrizzi, Information Security Consultant at [SAFEWAY]