ISMS for Cloud Service Providers

By Rahul Jayachandran

July 18, 2016

There’s a key extra dimension in information security when you are a cloud service provider. Not only must you look after your own data, but you have to protect the data of your customers too. As logically separate customers share the same physical resources, you have the tricky responsibility of letting each one operate freely, yet without negative security impacts on the others.

Enterprises and users in general often take the cloud to be a natural extension of their individual computing environments. However, they do not always realize that traditional information boundaries disappear at the same time and that the nature of security precautions must change as a consequence.

Changes in Cloud Security Perimeters

Because the security perimeter is no longer where enterprises and users assume it is, they are also at greater risk from hackers and cyber criminals. Confidential information of many kinds – customer information, personally identifiable information (PII), medical information, credit card information, bank account information, and more – can open up huge possibilities for illicit profit or damage in the wrong hands.

Enter the information security management system (ISMS), to assess information security risk and put appropriate counter-measures in place. The right ISMS for a cloud service provider (CSP) must let it guarantee the solidity of the three pillars of information security: confidentiality, integrity, and availability. In addition, while the security must offer adequate protection of data, it must not unduly interfere with operations and productivity.

However, the extra dimension represented by CSP customers’ data means an ISMS must go further still. It has to help the CSP meet the challenges of:

  • Possible CSP insider attack on confidential customer data
  • Lack of proper data isolation between multiple customers
  • Attacks on virtualization layers and software
  • Inadequate compliance with data privacy regulations

The Need for Good Management as well as Technology

Good management is as important as robust technology. In particular, a cloud service provider that establishes and continually updates an ISMS assures its customers that CSP security is being managed systematically.

A CSP that reviews information security and analyzes risk in order to enhance policies, procedures, and contingency planning demonstrates its diligence to its customers. It can also inspire them to similar behavior for their own part in their security. Organizations already operating under strict information security policies are also more likely to consider a cloud provider that can prove it has a high-quality ISMS.

The architecture and functionality of Paladion’s ISMS solution provide a solid platform for CSPs to minimize risk through consistent policies, processes, and systems. Key design features include:

  • Clear thinking and continuing evaluation of the information security needs
  • Update mechanisms to keep up with changes in infrastructure technology
  • Continual security evaluation as requirements change
  • Prevention of information security changes in one place from negatively affecting another

By using a strong ISMS, a CSP may give some of its customers a better overall security posture than the one they had on their own. Nevertheless, there is a line to be drawn between the responsibilities of the cloud service provider and those of the customer. For instance, a cloud provider may offer assurances that a customer’s application will run as designed. However, the provider is not responsible for the design of the customer’s application itself.

Achieving Information Security Certification to International Standards

Paladion’s methodology to ensure security in the cloud environment is also based on relevant international standards and best practices. Via Paladion’s services, a cloud service provider can achieve certification against the ISO 27001:2013 standard, leading to automatic compliance with other international standards such as ISO 27017 and ISO 27018.

Operationally, the strengths of Paladion’s approach include a single, collaborative web-based ISMS, a ready-to-use security and threats knowledge repository, comprehensive automation and customization possibilities, real-time monitoring, and end-to-end audit management.

As a step-by-step approach, cloud service providers (and their customers) can follow Paladion’s ISMS implementation guide. The following steps lead a CSP towards successful ISO 27001 certification:

  1. Assess the current state of information security
  2. Establish the scope for the ISMS, and separate CSP and customer responsibilities
  3. Define the human resource security requirements
  4. Document all the cloud information assets
  5. Define a risk management framework
  6. Identify high risks, required mitigation, and applicable compliance needs
  7. Insert or update policies and procedures into the ISMS framework
  8. Educate staff and users on good security practices, and pitfalls to avoid
  9. Implement security best practices in the cloud infrastructure
  10. Implement PII protection in the cloud infrastructure
  11. Conduct a pre-certification audit
  12. Undergo external certification
  13. Use Paladion’s assistance with documents and evidence for the certification

Next Steps for a Cloud Service Provider ISMS

A CSP with the right information security management system can meet all the challenges above. Paladion’s ISMS solution offers a robust, affordable, high-quality, standards-based platform to help both CSPs and their customers simplify and optimize their information security.

Download the full Paladion ISMS E-Guide for further information on how you, as a cloud service provider, can enhance your information security, bring your customers more value, and achieve compliance.
