Let’s think about the past 12 months or so. We’ve seen large government agencies falter, security breaches, celebrity phone pics hacked, data leaks and compromised websites galore. Nobody is asking about certifications… Why on earth would you put anything in the cloud with all that uncertainty in the market?
Don’t get me wrong, the cloud is phenomenal for both personal and business use. What I am seeing, though, is people blindly trusting large enterprises or cloud companies, and it needs to stop. NOW!
The level of visibility that my Android and Apple devices have into my personal and professional life is ridiculous. Google, Microsoft and Apple know EVERYTHING about my private life and use their big data analytics engines to make my life “better”.
People were initially very sceptical of the level of access that Google and the like had into their own personal lives. Fast forward to 2017 and it is just accepted that they can see everything and it’s no big deal.
In business, the same was initially true. Companies were very aware and cautious of the likes of AWS and Azure having access to all their data. We are at a tipping point, and people are now simply accepting that “cloud providers” have access to everything. The thing is, it’s not ok: a cloud provider could be a 22-year-old in his mum’s basement hosting websites.
What security is needed then?
Ok, don’t get me wrong, I work for Zettagrid and would love to have everyone running in the cloud. I am calling for architects and IT managers to take a little more time when deciding WHO to go with.
The market is being flooded by new cloud players and hosting providers. This is great as it keeps the industry advancing and keeps the bigger players honest.
Certification, Security and Audits
Where the problem arises is that the industry is severely lacking from a certification, security and audit perspective. We are maturing and many providers are now adhering to the newest standards but a great many unfortunately are not.
I see new VMware vCloud Air Network Partners popping up all the time. Unfortunately, it doesn’t take much to make a snazzy website and set up vCloud Director.
Businesses are unaware of the need for stringent security policies and certifications from their cloud provider. They jump in blindly with a new cloud player based on performance or perception, often forgetting to ask about PCI compliance and potentially exposing themselves to credit card fraud. This is just one example, but there are many others.
What certifications are important?
In Australia, the following certifications are VERY important for any business looking at choosing a cloud provider:
The Payment Card Industry Data Security Standard (PCI DSS) is designed to ensure that every company that stores credit card data does so properly and maintains a secure environment.
Make sure that at the very least your provider has this or run from them as fast as you can.
ISO 9001 has been around for a while, so it is likely commonplace. Essentially it is a quality management system (QMS) standard that ensures a certain level of quality is maintained, and that the provider is reliable, safe, consistent and meets expectations.
Did you know that there is a new ISO 9001 standard and that most providers are still certified to the 2008 version? ISO 9001:2015 now exists and has a much stronger focus on risk management, leadership and commitment.
Enquire specifically which version of ISO 9001 they hold and, if they are on the old version, ask when they are updating to ISO 9001:2015.
This is in the same family as the ISO 9001 certification but centres on cloud services. It sets out guidelines for information security controls applicable to the provision and use of cloud services.
It is generally understood to be a subset of the IRAP certification. Ask whether the cloud provider either has this already or is on the path towards its replacement, IRAP.
Released by the Australian Signals Directorate (ASD), IRAP is probably the single certification with the most traction in the last year. It was designed as an initiative to provide high-quality ICT services to government in support of Australia’s security.
IRAP is an incredibly laborious task and getting on the ASD Certified Cloud Services List is an impressive task. It really indicates that the cloud provider you are dealing with is taking security and the protection of your data seriously.
Have a look at the list and find out whether your provider is on it. If not, ask them why not! If they’re not in the final stages of certification or they haven’t started the process, then leave. They obviously don’t take security seriously enough…
Did you know there are two flavours of IRAP, Unclassified and Protected? I suggest looking into the difference between the two and determining which is the best fit for your organisation.
Security breaches and incidents happen all the time, but I’m not writing this to scare anyone off.
What I want is for architects and IT managers to start asking these questions BEFORE rather than after a security breach.
So, if you are already in bed with a cloud provider, why don’t you ask to see some certifications and let them prove to you that they take security seriously? If you don’t like the answer you get, then move on to someone who does take it seriously.
For more info, check out whether you can trust the cloud: www.whatwouldlukedo.com/cloud-burnt-past-can-trust-now-part-1/. Also have a look at whether data locality or data sovereignty matter: www.whatwouldlukedo.com/data-sovereignty-data-locality/.