Ten Rules for Cloud Security
“The situation seems paradoxical: in principle, external cloud services allow the majority of customers to raise the security of certain applications and services to a higher level than before,” says Wolfram Funk, Senior Advisor at the Experton Group. “Because external cloud service providers offer their services to a variety of customers, they have the economies of scale that allow large investments in a highly secure infrastructure.”
Solid technical measures for the protection of cloud services are important and already widely used. More important, however, is how the relationship with the cloud service provider is structured, together with the associated activities that form the framework for the technical design. “With regard to cloud security, risk analysis, service level agreements and provider management are the key to success,” says Wolfram Funk. The ISO 2700x series, BSI IT baseline protection and ITIL provide a suitable framework for this purpose.
For these reasons, the Experton Group has produced an action guide with recommendations and checklists for cloud security governance, compliance and technical safeguards. These are its ten rules for a high level of security in externally purchased cloud services:
- First, bring the internal organizational structure up to scratch and clarify internal responsibilities and roles for information. This also applies to information security management and to the control (governance) of information security.
- The responsibility for information security as a whole, and for the coordination, management and quality control of external services, always remains within the company, even when cloud services are purchased externally.
- Perform a detailed risk analysis for the specific cloud service to be purchased externally and for the information and processes under consideration. This includes the associated compliance risks.
- Is the business case consistent? Economic aspects, internal and customer-oriented process improvements and other potential benefits are to be compared with the expected (remaining) risks.
- Security architecture: define the division of labor and the interfaces between the provider and the company in detail. Are there technical and organizational security gaps?
- Firmly establish processes for reporting, incident management and audit with the service provider.
- Can the cloud service provider actually deliver the requested services? It is also worth asking whether the provider uses subcontractors, which could lead to (negative) changes in risk exposure.
- Clarify compliance with regulatory requirements and how the provider implements it, including with regard to the handling of data and its storage in certain regions.
- For security, only criteria that can be measured should be agreed as service levels. The proposed method must be carefully examined.
- The customer should determine in advance what the exit conditions are in the event of a provider change. A “vendor lock-in” can be very expensive for the company in an emergency.