Cloud computing allows businesses to enjoy more for less: it allows businesses to take advantage of next-generation technology at a fraction of the cost of buying their own, it frees up IT departments’ time, it improves accessibility and response, and it increases data security.
However, there are always potential risks where security is concerned, and cloud service providers should be doing everything they can to prevent these risks from materialising.
Data protection is both a commercial and legal requirement, but how can you be sure that your provider is doing everything in their power to conform to these requirements? Looking past physical data centre security, a good place to start is to assess their commitment to meeting industry-standard legislations, regulations and accreditations.
In this instance, the three most important standards are ISO 27001, the UK Data Protection Act (DPA) and the Payment Card Industry Data Security Standard (PCI DSS).
ISO 27001 is an Information Security Management System standard, developed with the intention of securing adequate and proportionate security measures for protecting valuable information assets.
The Standard was published in 2005 and is a formal specification, meaning that organisations which have adopted ISO 27001 can be formally audited and certified in compliance with it.
Specifically, ISO 27001 requires that businesses and organisations adhere to the following:
- Systematically examines IT security risks, including any potential threats, vulnerabilities and the associated impacts
- Adopts a reliable management process that ensures the security controls continue to meet the organisation’s information security needs on an ongoing basis
- Implements a comprehensive suite of information security controls and additional methods of risk treatment to address any potential risks that may be deemed unacceptable.
UK Data Protection Act
The Data Protection Act is the primary legislation that governs personal data protection in the UK, and all companies and organisations within the UK are bound to it by law. The Act was introduced in 1998, in order to bring UK law into line with the EU Data Protection Directive.
The Act defines eight key principles. Briefly, these are as follows:
- Data must be processed fairly and lawfully
- Data shall be obtained only for specified and lawful purposes
- Data obtained shall be adequate, relevant and not excessive
- Data shall be accurate and kept up to date
- Data shall not be kept for longer than is necessary
- Data shall be processed in accordance with the individual’s rights
- Data must be kept securely
- Data shall not be transferred to another country or territory without adequate protection.
Payment Card Industry Data Security Standard
The PCI DSS is an information security standard adopted globally by companies and organisations which transmit cardholder data in any way. The Standard was introduced to help reduce credit card fraud, by implementing strict controls around the way in which cardholder data is handled.
Compliance to the Standard is validated annually by an external assessor for large organisations, and in the form of a self-assessment questionnaire for smaller companies.
Put simply, the Standard requires any merchant which transmits cardholder data to do the following:
- Build and maintain a secure IT network
- Protect cardholder data
- Maintain a vulnerability management system
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy.
These regulations are the first things that you should ask about next time you meet with a prospective cloud services provider, as failure to conform to any of these could seriously compromise the security of the data they hold.
In a more positive light, cloud services managed by a provider with a serious commitment to security can be one of the most secure and reliable environments available. Combine this with the numerous other benefits that the cloud offers, and it’s clear to see why so many businesses are opting for the cloud over traditional in-house solutions.
For more information about cloud services for business, visit www.intechnology.co.uk.
About the Author: This article is written by Matt Batterham on behalf of inTechnology.