Data belonging to organizations should only be stored with cloud services after relevant approvals have been obtained (Top Management, ISMS Manager, etc.)
Appropriate risk assessment should be carried out regarding the proposed or continued use of cloud services.
Due diligence must be conducted prior to sign-up to a cloud service provider to ensure that appropriate controls will be in place to protect data. Preference should be given to suppliers who are certified to the ISO/IEC 27001:2013 international standard.
Service level agreements and contracts with cloud service providers must be reviewed, understood, and accepted before sign-up to the service.
The location of the data must be understood e.g., UK, EU, USA, and the applicable legal basis established, such as the country whose law applies to the contract.
Where available, two-factor authentication must be used to access all cloud services.
Sufficient audit logging should be available to allow the organization to understand how its data is being accessed and to identify whether any unauthorized access has occurred.
Confidential data stored in cloud services must be encrypted at rest and in transit using acceptable technologies and techniques.
Where possible encryption keys should be held by the organization rather than the supplier.
Backups must be taken of all data stored in the cloud. This may be performed either directly by the organization or under contract by the cloud service provider.
All data must be removed from cloud services in the event of a contract coming to an end for whatever reason. Data must not be stored in the cloud for longer than is necessary to deliver business processes.
365, Dropbox, Apple iCloud, etc.). A cloud environment that can be accessible by authorized users.
¦ Internal cloud: A cloud environment that is managed or owned by an organization on dedicated and usually on-premises servers that can provide high-level control over cloud services and infrastructure. This can be an appropriate model for highly sensitive data.
¦ Community model: A cloud computing environment that is shared or managed by a specific community of users from organizations that have shared concerns. This normally involves several related organizations on dedicated and on-premises servers of their choice and location.
Hybrid cloud or virtual private cloud model: This model, comprised of both private and public clouds, allows for certain components to be hosted by an external party while others remain within the organization’s control.
Cloud computing services are application and infrastructure resources that users access via
the Internet. These services, contractually provided by various companies such as Microsoft (Azure), Amazon (AWS), Apple, Google, etc, enable customers to leverage powerful computing resources that would otherwise be beyond their means to purchase and support.
Cloud services provide services, platforms, and infrastructure to support a wide range of business activities.
These services support, among other things, communication; collaboration; project management; scheduling; data analysis, processing, sharing, and storage. Cloud computing services are generally easy for people and organizations to use, they are accessible over the Internet through a variety of platforms (workstations, laptops, tablets, and smartphones), and they are usually able to accommodate spikes in demand much ¦ more readily and efficiently than in-house computing services.
Cloud Computing Deployment Models
There are four primary cloud computing deployment models.
¦ External cloud: External cloud is defined as an off-premises infrastructure made available over the Internet which combines the resources of a broad network of users into one or more shared servers (e.g., Microsoft Office
Cloud Computing Services
The followings are the major Cloud Computing Services:
use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., Dropbox, iLearn, and MS O365).
¦ Platform-as-a-Service (PaaS) – Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider (e.g., Amazon Cloud Service, Microsoft Azure).
¦ Infrastructure-as-a-Service (IaaS) – Capability to provision processing, storage, networks, and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party (e.g., Amazon Cloud Service, Microsoft Azure).
Risk Associated with Cloud Computing
Despite its advantages, Organizations must be very cautious about self-provisioning a cloud service to process, share, store, or otherwise manage organizational data. Self-provisioned cloud services may present significant data management risks or are subject to changes in risk with or without notice. Virtually all cloud services require individual users to accept click-through agreements. These agreements do not always allow users to negotiate or clarify terms and conditions, often provide vague descriptions of services and safeguards, and often change without notice.
Some of the risks associated with using cloud services include:
¦ Unclear, and potentially poor access control or general security provisions.
¦ Sudden loss of service without notification.
¦ Sudden loss of data without notification
¦ Data stored, processed, or shared on cloud service is often mined for resale to third parties that may compromise people’s privacy
¦ The exclusive intellectual rights to the data stored, processed, or shared on cloud service may become compromised.