Understanding ISO/IEC 27018 for securing personal data in the cloud

Securing Personal Data in the Cloud: A Closer Look at ISO/IEC 27018 Clauses and Controls

In an era where data privacy and protection are paramount, organizations face the daunting task of safeguarding personal information stored and processed in the cloud. ISO/IEC 27018 emerges as a beacon of guidance, offering a comprehensive framework for protecting personally identifiable information (PII) in cloud environments. This international standard provides organizations with a set of clauses and controls specifically tailored to address the unique challenges and considerations associated with cloud data privacy. Let’s explore ISO/IEC 27018, unraveling its clauses and controls to shed light on its significance and potential impact on data privacy practices.

Understanding ISO/IEC 27018

ISO/IEC 27018, part of the broader ISO/IEC 27000 series on information security management systems (ISMS), focuses specifically on the protection of PII in cloud computing environments. Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27018 provides guidance for cloud service providers (CSPs) and cloud customers on implementing measures to protect personal data and ensure compliance with privacy regulations. By adhering to ISO/IEC 27018, organizations can enhance trust, transparency, and accountability in cloud data processing activities.

Key Clauses and Controls

  1. Clause 5: PII Controllers and PII Processors Responsibilities
    • Control 5.1: Roles and Responsibilities: This control delineates the respective roles and responsibilities of PII controllers (data owners) and PII processors (CSPs) in ensuring compliance with data protection requirements. It emphasizes the need for clear contractual agreements, transparency, and accountability in data processing activities.
  2. Clause 6: Transparency and Control Over PII
    • Control 6.1: Consent and Purpose Limitation: This control addresses the collection, use, and disclosure of PII, emphasizing the importance of obtaining user consent and limiting data processing activities to specific purposes. It provides guidance on ensuring transparency, fairness, and lawfulness in PII processing activities.
  3. Clause 7: Information Security
    • Control 7.1: Data Security and Confidentiality: This control focuses on ensuring the security and confidentiality of PII stored and processed in cloud environments. It includes provisions for encryption, access controls, data segregation, and incident response to protect against unauthorized access, disclosure, or alteration of PII.
  4. Clause 8: Cross-Border Data Transfers
    • Control 8.1: Cross-Border Data Transfer Mechanisms: This control addresses the transfer of PII across national borders, emphasizing the need for mechanisms to ensure data protection and compliance with relevant regulatory requirements. It provides guidance on implementing safeguards such as encryption, data localization, and adherence to international data transfer agreements.
  5. Clause 9: Data Subject Rights
    • Control 9.1: Data Subject Access and Rectification: This control addresses data subjects’ rights to access, rectify, and erase their personal data held by cloud service providers. It emphasizes the need for transparent and user-friendly mechanisms to facilitate data subject requests and ensure compliance with data protection regulations such as GDPR.

Benefits of ISO/IEC 27018 Clauses and Controls

  1. Enhanced Data Privacy Protection: By adhering to ISO/IEC 27018 clauses and controls, organizations can enhance the protection of personal data stored and processed in cloud environments, reducing the risk of unauthorized access, disclosure, or misuse.
  2. Compliance with Privacy Regulations: ISO/IEC 27018 helps organizations ensure compliance with privacy regulations such as GDPR, HIPAA, and CCPA by providing guidance on data protection requirements and best practices for cloud data processing activities.
  3. Improved Trust and Transparency: ISO/IEC 27018 promotes trust and transparency in cloud computing by establishing clear roles and responsibilities, providing mechanisms for user consent and control over personal data, and enhancing accountability in data processing activities.
  4. Risk Mitigation and Incident Response: The standard includes provisions for data security, encryption, access controls, and incident response mechanisms to mitigate the risk of data breaches and ensure a timely and effective response to security incidents.

Conclusion

ISO/IEC 27018 serves as a valuable resource for organizations seeking to protect personal data in cloud computing environments. By delineating key clauses and controls, the standard provides organizations with a structured framework for enhancing data privacy protection, ensuring compliance with regulatory requirements, and fostering trust and transparency in cloud data processing activities. By leveraging ISO/IEC 27018, organizations can strengthen their data privacy practices, mitigate risks, and demonstrate their commitment to protecting personal data in an increasingly digital and interconnected world.

Understanding ISO/IEC 27017 for Cloud Security

ISO/IEC 27017 for Cloud Security

In an era where cloud computing reigns supreme, ensuring robust security measures is paramount to safeguarding sensitive data and maintaining trust in digital ecosystems. ISO/IEC 27017 emerges as a beacon of guidance, offering comprehensive directives tailored specifically for cloud security. This International Standard provides a framework of clauses and controls designed to address the unique challenges and considerations inherent in cloud environments. Let’s delve into ISO/IEC 27017, deciphering its clauses and controls to illuminate the path towards fortified cloud security.

Introduction to ISO/IEC 27017

ISO/IEC 27017, part of the broader ISO/IEC 27000 series on information security management systems (ISMS), focuses specifically on cloud security. Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), this standard offers guidance on implementing effective security controls and practices within cloud computing environments. By adhering to ISO/IEC 27017, organizations can bolster their cloud security posture, mitigate risks, and foster trust among cloud service providers and consumers.

Key Clauses and Controls

  1. Clause 4: Cloud Security Policy
    • Control 4.1: Cloud Security Policy Definition: This control emphasizes the importance of defining and implementing a comprehensive cloud security policy tailored to the organization’s specific requirements and objectives. It includes provisions for data protection, access control, encryption, incident response, and regulatory compliance within cloud environments.
  2. Clause 5: Responsibility and Accountability
    • Control 5.1: Cloud Service Provider Responsibilities: This control delineates the responsibilities of cloud service providers (CSPs) in ensuring the security and integrity of cloud services and infrastructure. It includes provisions for data confidentiality, integrity, availability, and legal compliance, clarifying the division of responsibilities between CSPs and cloud consumers.
  3. Clause 6: Human Resources Security
    • Control 6.1: Cloud Security Awareness and Training: This control underscores the importance of cloud security awareness and training programs for personnel involved in cloud operations, including administrators, developers, and end users. It recommends training initiatives to raise awareness of cloud security risks, best practices, and regulatory requirements.
  4. Clause 7: Cloud Risk Management
    • Control 7.1: Cloud Risk Assessment: This control advocates for the adoption of robust risk management practices tailored to cloud environments. It includes provisions for conducting risk assessments, identifying cloud-specific threats and vulnerabilities, and implementing risk mitigation measures to protect cloud assets and data.
  5. Clause 8: Cloud Data Security
    • Control 8.1: Data Classification and Encryption: This control addresses data security considerations within cloud environments, emphasizing the importance of data classification, encryption, and access controls to protect sensitive information. It includes provisions for encrypting data at rest, in transit, and during processing, as well as implementing access controls based on data sensitivity.
  6. Clause 9: Cloud Compliance and Legal Considerations
    • Control 9.1: Regulatory Compliance: This control focuses on ensuring compliance with relevant laws, regulations, and industry standards governing data protection and privacy in cloud environments. It includes provisions for data residency, cross-border data transfers, privacy regulations (e.g., GDPR), and industry-specific compliance requirements (e.g., PCI DSS for payment card data).

Benefits of ISO/IEC 27017 Clauses and Controls

  1. Enhanced Cloud Security Posture: By adhering to ISO/IEC 27017 clauses and controls, organizations can strengthen their cloud security posture, mitigate risks, and protect sensitive data and assets from cyber threats and vulnerabilities.
  2. Clear Responsibilities and Accountability: ISO/IEC 27017 clarifies the responsibilities and accountability of both cloud service providers and consumers, fostering transparency and trust in cloud service relationships.
  3. Compliance with Regulatory Requirements: The standard helps organizations ensure compliance with relevant regulatory requirements, such as GDPR, HIPAA, and PCI DSS, by providing guidance on data protection, privacy, and legal considerations in cloud environments.
  4. Risk Management and Resilience: ISO/IEC 27017 encourages the adoption of robust risk management practices tailored to cloud environments, enabling organizations to identify, assess, and mitigate cloud-specific risks effectively.

Conclusion

ISO/IEC 27017 serves as a valuable resource for organizations seeking to enhance their cloud security practices. By delineating clauses and controls tailored specifically for cloud environments, this international standard provides a comprehensive framework for addressing security challenges, mitigating risks, and ensuring compliance with regulatory requirements. By adhering to ISO/IEC 27017, organizations can fortify their cloud security posture, foster trust among cloud service providers and consumers, and embrace the benefits of cloud computing with confidence in an increasingly digital world.

Cloud Computing – SaaS Solutions by SAP ERP

SAP ERP Cloud Computing – SaaS Solutions

SAP is the world’s most widely used enterprise resource planning (ERP) solution, providing business process automation based on industry best-practice standards. Given the IT service industry’s shift from shared services to utility-based ICT services, SAP has come up with two suites of SaaS solutions.

SAP Business ByDesign

SAP Business ByDesign is focused on providing the subsidiaries of large organisations, as well as small and medium enterprises, with a full application suite that helps automate their idea-to-market, market-to-order and order-to-cash business processes, while paying based on usage instead of incurring huge deployment costs. It gives them the flexibility to configure the functionality they need, including the analytics and reporting that complete the full suite.

SAP Business One Cloud

SAP Business One Cloud is focused on providing small organisations with an application suite that helps automate their marketing, sales, delivery and service processes, while paying low usage-based fees instead of incurring huge ICT costs. The suite is preconfigured and ready to use for small organisations. Being a cloud-based solution, it allows small businesses to become flexible and IT-ready while giving them the scalability to ramp up usage based on need.

CONCLUSION

Cloud computing started in the past decade as a natural transition from ICT shared services to ICT utility-based services. The use, need and availability of the Internet have made the transition from traditional ICT services to cloud computing services even faster.

The benefits of cloud computing services now outweigh the issues faced, and most of those issues have by and large been overcome by service providers. Cloud computing services are being adopted by most organisations, and adoption continues to increase every year.

It’s clear that cloud computing services, and especially SaaS solutions, will continue to grow, as they allow organisations to become agile in adopting new solutions while reducing ICT investments and paying only for what they use.

The existing SAP ERP SaaS solutions are targeted at and meant for use by SMEs and smaller organisations. SAP has to look into how it can create an offering that moves even large organisations from the traditional SAP ERP solution to a SaaS SAP ERP solution. Delay in doing so could result in lost opportunity; e.g. salesforce.com is a fast-growing SaaS offering for CRM solutions, and many organisations are adopting it.

Lastly, cloud computing services open a vast opportunity for service providers to build and offer new Internet-based services and solutions that can help organisations achieve their goals.

Cloud Computing Service Evolution and Predictions

Cloud computing is opening doors for businesses and organisations to have IT services available as a utility service, with predictable cost and quality matched to customer needs and pay-for-use models, while still allowing the flexibility of needs-based selection of SaaS, PaaS and IaaS services and their components.

IT is becoming an essential part of a company’s DNA and fabric, as organisations realise that ICT services and solutions will give them a competitive edge to achieve their growth, using real-time information and insights as well as making products and services available through a digital presence. Organisations are awakening and beginning to redefine their strategies to become real-time companies. At the core of this is IT, but now it’s not just another IT project; it is a business transformation enabled by world-class IT solutions and services.

In most organisations, ICT services have already been delivered through a shared service model for the past decade, and organisations have become mature in having ICT services delivered this way. The move from the shared service model towards cloud computing is a natural progression, where organisations go from shared services to a utility services model.

The Internet and the need to do things online and in real time are now well embedded in most organisations as well as among consumers. This is leading towards ICT services being available through the Internet around the clock and in a secure manner. Cloud computing services and the cloud service model are fulfilling this need.

The Forrester Research white paper “The Evolution Of Cloud Computing Markets” of July 2010 shows that organisations are spending around USD 2.4 trillion on ICT services. Cloud computing is opening up a new space towards which organisations will transition, and a big part of overall ICT spending will be moving towards cloud computing services. A macro shift of services already began in 2009 and is expected to grow rapidly in the coming year.

A report from Deloitte Consulting in 2009 suggests that cloud computing services will grow to the size of USD 1 trillion in the current decade and continue to grow further. Cloud service offerings from major players such as Microsoft (Office 365, Azure), SAP (Business ByDesign, Business One Cloud) and Amazon (EC2, S3) will lead the transition of traditional ICT services and solutions to cloud SaaS, PaaS and IaaS services.

Cloud computing services hold the number 4 position in IDC’s Top 10 Predictions report for 2012. The IDC report suggests that spending on public and private cloud services, and the building of those services (the “cloud arms dealer” opportunity), will reach USD 60 billion. Amazon will join the $1 billion IT vendor club, and the strategic focus in the cloud will shift from infrastructure to application platforms and the race to build the largest portfolios and ecosystems around those platforms.

Cloud Computing Basics

The term cloud computing came into existence in the last decade, while the concept and the types of cloud computing services have existed in one form or another for the past two decades. The name cloud computing is given to signify that organisations don’t have to worry about where their IT infrastructure and application software are hosted; instead, organisations can focus on the IT services they need to meet their fast-changing customer requirements.

In the past three decades, business process automation has gone to the extent that IT has become a key part of all business transformation initiatives, helping to automate and enable organisations to achieve their goals. IT services are more and more seen as similar to utility services that are reliable, scalable and paid for by usage. Cloud computing also focuses on providing IT services as a utility, while keeping in mind that utility service needs vary from organisation to organisation. For example, power supply and water are generic utility services that fulfil the customer’s basic need for electricity and water. But as customer needs vary, so do the utility services and, accordingly, the service costs: the needs of an industrial organisation are different from the needs of an individual customer.

Cloud computing focuses on providing IT services as utility services and has three types of service offerings, which are briefly explained below:

SaaS – Software as a Service: The SaaS offering covers the full IT stack from the hardware all the way up to the software application service. The service is focused on pay for use and generally charges per use based on the number of users and duration of use. E.g. Microsoft Office 365 costs $30 per user per month for online office application software usage.

PaaS – Platform as a Service: The PaaS offering covers the IT stack up to providing a platform that businesses can use to build and manage their own applications. This service is also focused on pay for use and charges based on the type of platform and the number of applications to be run on the platform, as well as any value-added service additions. E.g. a company offering a PHP and MySQL platform that organisations can use to build and host their own applications.

IaaS – Infrastructure as a Service: The IaaS offering covers the IT stack up to the infrastructure layer, in simple words up to the operating system level. The service is also focused on pay for use and charges based on infrastructure usage such as hardware and storage. E.g. hosting providers like Rackspace, Amazon and T-Systems offer standardised, virtualised and secured infrastructure hosting that individuals as well as organisations can use for hosting their application platform and application software solutions.

What does it mean to be moving towards cloud computing…

Cloud computing started in the 2000s and is becoming the future of data centre hosting. It is closely linked to the term “Platform as a Service” for infrastructure hosting related solutions. It aims to make businesses asset-free and move them towards a pay-as-you-go model. Given the dynamic economic situation, the growth in the number of Internet sites and the growing number of individuals becoming self-made entrepreneurs are igniting the need for cloud computing and cloud hosting solutions.

Cloud computing is the buzzword and a really good thing for individuals and small and medium enterprises. Their need is driven by a low-cost, pay-as-you-go strategy under which they don’t have to take care of assets, facilities and services. They simply buy the so-called utility services from existing cloud solution providers and start using the hosting almost instantly. The challenge remains in ensuring the effective use of cloud solutions in the right manner. Like all technology changes, cloud solutions are also evolving, and it will take some more time for people and businesses to get used to using cloud solutions effectively for their needs.

For multinationals (MNCs), cloud computing and hosting are still seen as risky, as well as time-consuming in terms of the transformation from existing asset-based data centre hosting to cloud hosting solutions. The MNCs are moving towards private cloud solutions that enable their businesses with highly secure cloud solutions based on their needs. For MNCs the other challenges are:

  1. Multiple locations with offices of all sizes (small, medium, big), requiring different scales of solutions and accessibility needs
  2. Latency issues due to remote users, remote sites and third-party access
  3. Multiple vendors involved in the end-to-end IT service delivery chain
  4. Ever-changing pace of acquisitions and disentanglements due to the dynamic economic situation and the drive for growth
  5. Wide variety of application platforms, resulting in complex hosting needs and making upgrades even more difficult
  6. Multiple new and change projects in the IT service delivery chain
  7. Billing from various vendors within the IT service delivery chain that is either scattered or consolidated but too large
  8. Loss of touch and feel (control) over assets and their management
  9. Multi-company shared data centres can pose security and control risks if not managed properly

Like all new innovations, cloud computing/hosting is also a good thing from a future perspective and is evolving. Companies are preparing to be ready for the next versions of cloud computing/hosting solutions. In a few years from now, the real view and use of cloud computing will come to light as more and more businesses and individuals start to use it and demand, suggest or ask for improvements in services.