Control Your Security & Privacy in the Cloud
By Morten Dichmann Hansen - IT Security Architect at NNIT A/S - Security Advisory Services

Many companies worry about security and privacy when migrating to cloud services. The cloud providers often demonstrate compliance with a comprehensive list of standards and certification programs, but does that mean that you can relax and feel safe when migrating to cloud services?

I have talked with a number of decision makers about their concerns when migrating company data to cloud services. Fortunately, most of the decision makers have a risk-based approach. They understand the business criticality, data classifications, threats and risks – and they apply additional controls to mitigate the unacceptable risks.

Unfortunately, some of the decision makers consider cloud services as 'black boxes' and believe that the cloud providers by default provide sufficient protection of their data with regard to security and privacy. Some wrongly believe that the cloud providers are obligated to protect customer data hosted in their cloud services.

I normally convince the last group of decision makers by referring to the International Organization for Standardization (ISO) standards for cloud computing. They explain very clearly that the cloud customers are accountable for protecting their data.

The key is the contract, which has to get much more attention and will require more time and new skills in the IT departments.

Supporting ISO Standards

The International Organization for Standardization (ISO) develops internationally recognized standards for almost everything. More than 160 countries participate in the development of standards, and 75% of the national bodies must approve new standards before they are released.

Many companies have implemented the ISO 27001 standard within their organization. The standard describes how to implement and operate an Information Security Management System (ISMS) controlling the risks to the company's information assets. The standard includes five mandatory clauses and 114 optional controls. The ISO 27002 standard provides best practice recommendations for implementation of the control set. Controls are only applied when mitigating an identified risk to the organization.

ISO has released the ISO 27017 and ISO 27018 standards related to cloud computing. The standards are intended to be used in conjunction with the ISO 27002 standard. They describe specific implementation guides for certain of the existing ISO 27002 controls, and provide a set of additional controls and guidance not addressed by the ISO 27002 control set.

The ISO 27017 standard for cloud computing provides guidelines for the implementation of information security controls. The standard states that "…the cloud customer should manage the use of the cloud service in such a way as to meet its information security requirements…" and that "…the cloud customer may need to implement additional controls of its own to mitigate risk".

The ISO 27018 standard provides guidelines for implementation of controls protecting Personally Identifiable Information (PII). Here the cloud customer's responsibility with regard to its own data is also underlined: "…the cloud customer has authority over the processing and use of the data. A cloud customer might be subject to a wider set of obligations governing the protecting personal identifiable information than the cloud provider".

My conclusion after reading the standards is that the standards are very useful for implementing security and privacy controls. The standards are especially useful for the cloud providers, but cloud customers can also benefit by knowing that the cloud providers have implemented the basics.

Steps to Regain Control of Your Data Privacy in the Cloud

In order to regain control of your data privacy in the cloud, consider including the following steps. The steps are partly covered by the ISO 27017/27018 standards.

1. Data ownership

It is important to agree on data ownership to prevent the cloud providers from using your data for other purposes than agreed in the contract, e.g. data mining for marketing.

Data ownership is also important if you someday want to terminate the cloud service and migrate to another cloud provider or in-house hosting. Specify that data must be delivered in a commonly used format within an acceptable timeframe after termination.

Furthermore, ensure that your cloud providers are obligated to notify you in case of data breaches and disclosures, and that the cloud providers must reject any requests for data disclosure that are not legally binding.

2. Legislation

Identify any Personally Identifiable Information (PII) or other sensitive data you may store, where these are physically located, who has access, and how the data is used. Logging of access to data might be recommended or required. Data protection and privacy legislation varies from country to country, and there might be restrictions on where data can be stored and accessed from.

The focus on data privacy is increasing further with the new EU General Data Protection Regulation (GDPR), and there is still uncertainty about the long-term validity of the EU Privacy Shield and EU contract clauses.

3. Insiders

Find out how your cloud providers restrict access to your data. Some cloud providers are mature and have implemented controls preventing the cloud operations staff (or subcontractors) from accessing your data without your knowledge and acceptance.

You might be able to mitigate this risk by encrypting sensitive data in transit, in use and at rest. Unfortunately, it is not always possible to apply encryption sufficiently. Then you must log when data is being accessed by the cloud providers and ultimately trust the cloud providers.

4. Access control

Ensure that you have implemented sufficient access controls for the cloud service. The cloud service is often highly exposed on the network, which might require a strong authentication process to mitigate the risk of unauthorized access. Consider implementing multi-factor authentication (one-time passwords, text messages etc.) and location-aware authentication to strengthen the authentication process.

5. Data deletion and technical bugs

Ensure that your cloud providers have mature procedures for how to securely delete data media before they are reused by the next customer. There have been examples of cloud providers just removing pointers to data and not securely shredding the data itself.

Cloud services are often designed as multi-tenant environments where multiple cloud customers share the same infrastructure and computing units. Technical bugs and faulty operation procedures constitute a risk to your data privacy.

6. Audit

Ensure rights to audit the cloud providers. Alternatively, be satisfied with the cloud providers' compliance with one or more of the common audit and compliance frameworks. The Cloud Security Alliance (CSA) STAR program is one of the most recognized programs providing security assurance.

Have I Overlooked Something Important?

This article is based on my professional experiences and personal view from working with IT for more than 20 years. Please share your thoughts if you find that I have overlooked important things. I look forward to hearing about your views and experiences.

You are welcome to contact me at email@example.com and +45 3079 5368, if you want to know more about how NNIT can help you migrate to cloud services.
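The multi-factor and location-aware authentication recommended in step 4 above, as an added example in Python (it is not NNIT's code and not part of the article): a sign-in policy that blocks countries outside an agreed list, steps up to a second factor for privileged roles, for sign-ins from outside trusted networks and when the country changes within a short window, and writes one JSON audit line per decision so access can be reviewed later (the logging called for in steps 2 and 3). The trusted networks, allowed countries, roles, travel window and all sign-in events are constructed assumptions; the country code is assumed to be supplied by the identity provider's GeoIP lookup.

```python
"""Location-aware sign-in policy with multi-factor step-up.

Added example for step 4 of the article (not NNIT's code). Networks,
countries, roles, the travel window and the sign-in events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import json
from typing import List, Optional

# Constructed policy: networks and countries the organisation treats as trusted.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
ALLOWED_COUNTRIES = {"DK", "SE", "NO", "DE"}
PRIVILEGED_ROLES = {"admin", "dba"}
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is suspicious


@dataclass(frozen=True)
class SignIn:
    user: str
    role: str
    source_ip: str
    country: str          # assumed to come from the identity provider's GeoIP lookup
    mfa_completed: bool   # second factor (OTP, text message, ...) already verified
    at: datetime


@dataclass(frozen=True)
class Decision:
    outcome: str   # "allow", "step_up" (require a second factor) or "deny"
    reason: str


def from_trusted_network(ip: str) -> bool:
    """True when the source address falls inside one of the trusted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(event: SignIn, previous: Optional[SignIn] = None) -> Decision:
    """Apply the rules in order of severity: block first, then step-up, then allow."""
    # 1. Location: countries outside the agreed list are blocked outright.
    if event.country not in ALLOWED_COUNTRIES:
        return Decision("deny", f"country {event.country} not allowed")
    # 2. Impossible travel: a different country inside the window needs a second factor.
    if (previous is not None and previous.country != event.country
            and event.at - previous.at < TRAVEL_WINDOW and not event.mfa_completed):
        return Decision("step_up", "country changed since last sign-in")
    # 3. Privileged roles always need MFA, wherever they connect from.
    if event.role in PRIVILEGED_ROLES and not event.mfa_completed:
        return Decision("step_up", "privileged role requires MFA")
    # 4. Ordinary users outside trusted networks need MFA; inside, the password suffices.
    if not from_trusted_network(event.source_ip) and not event.mfa_completed:
        return Decision("step_up", "untrusted network requires MFA")
    return Decision("allow", "policy satisfied")


def audit_record(event: SignIn, decision: Decision) -> str:
    """One JSON line per decision, so access to the service can be reviewed later."""
    return json.dumps({
        "ts": event.at.isoformat(), "user": event.user, "ip": event.source_ip,
        "country": event.country, "mfa": event.mfa_completed,
        "outcome": decision.outcome, "reason": decision.reason,
    })


def run_samples() -> List[str]:
    """Constructed sign-in events that exercise each rule; returns the outcomes in order."""
    t0 = datetime(2017, 3, 1, 9, 0)
    alice_office = SignIn("alice", "user", "10.1.2.3", "DK", False, t0)
    alice_home = SignIn("alice", "user", "198.51.100.7", "DK", False, t0)
    alice_home_mfa = SignIn("alice", "user", "198.51.100.7", "DK", True, t0)
    bob_admin = SignIn("bob", "admin", "10.1.2.3", "DK", False, t0)
    bob_admin_mfa = SignIn("bob", "admin", "10.1.2.3", "DK", True, t0)
    carol_abroad = SignIn("carol", "user", "198.51.100.7", "US", True, t0)
    alice_travel = SignIn("alice", "user", "10.1.2.3", "SE", False, t0 + timedelta(minutes=30))
    checks = [
        (alice_office, None), (alice_home, None), (alice_home_mfa, None),
        (bob_admin, None), (bob_admin_mfa, None), (carol_abroad, None),
        (alice_travel, alice_office),   # previous sign-in from DK half an hour earlier
    ]
    outcomes = []
    for event, previous in checks:
        decision = evaluate(event, previous)
        print(audit_record(event, decision))
        outcomes.append(decision.outcome)
    return outcomes


if __name__ == "__main__":
    run_samples()
```

The rules are ordered so that the strongest verdict wins: a blocked location is never softened by a completed second factor, and a privileged account is asked for MFA even from inside the trusted network. The audit line carries the reason string, which is what an auditor (step 6) or an incident responder will want when reviewing why a sign-in was allowed.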