Their dilemma is quite understandable - these standards were written before cloud computing was such a big issue, and there is no particular focus on cloud computing in any of them.
To make things worse, the outages of cloud computing providers cause serious problems to other Internet-based businesses, as was the recent case with Amazon Web Services (for more info on AWS and ISO 27001 read Does ISO 27001 mean that information is 100% secure?).
Therefore, their point is: since we cannot control information in cloud computing, the security of information in such cases is only a dead letter.
I would disagree on that. The point is - cloud computing is nothing else but outsourcing (of your information archiving and/or processing).
And you already do outsource other activities which could endanger the security of your information - your software is usually developed externally, you may have external suppliers which maintain your hardware and software assets (sometimes with remote access to your network), most probably you do have some kind of external maintenance staff on-site (if nothing else for the infrastructure), almost certainly you do have consultants and/or auditors on-site (who do know the vulnerabilities of your company) and you probably do have cleaning staff outsourced (and they do have access to most of the facilities when no one else is present).
Therefore, I would say that although cloud computing is a new technological opportunity, the main issue of outsourcing remains as before - how much can you trust your outsourcing partner?
This is where you need to apply your common sense, or to put it in the wording of ISO 27001 and BS 25999-2 - you need to apply risk assessment to find out what the potential risks are, and then you need to choose your partner wisely and apply necessary security controls to mitigate those risks.
In its control A.6.2.1 ISO 27001 requires to identify "... risks to the organization's information and information processing facilities from business processes involving external parties", and A.6.2.3 requires to address security issues in agreements that "... shall cover all relevant security requirements"; there also various other controls specifying information backup (A.10.5.1), access control (A.11), classification (A.7.2.1) etc. In clause 4.1.1 BS 25999-2 requires to "...identify all dependencies relevant to the critical activities, including suppliers and outsource partners", in clause 4.1.2 "...understand the threats and vulnerabilities ... including those provided by suppliers and outsource partners", and in clause 4.2 "...determine how it will recover each critical activity ... including products and services provided by suppliers and outsourcing partners".
So what can you do to decrease the risk of cloud computing? Here are a few very basic tips:
- Do a thorough check on the potential provider - not only its performance record, but also the background of its management, have they implemented the information security and business continuity policies and procedures, financial stability, legal risks etc.
- Write very specific security clauses in your agreement with the provider, where the biggest emphasis will be on issues that have raised the highest concerns during risk assessment.
- Keep a backup copy of your information locally - although a cloud computing provider will (probably) do regular backup, it is always a good idea to have direct control of your information. (e.g. banking regulators in some countries have imposed regulations to local banks to keep the backup copy inside the country specifically because of this risk.)
- Develop your strategy on how to return the information processing/archiving back to your company (re-insourcing) in case of problems with your cloud computing provider - you should know exactly which steps are needed, as well as which resources.
- An exit strategy might also be to have an alternative cloud computing provider standing by, ready to jump in if your existing partner performs badly.
- Perform regular checks of your provider to find out whether they are complying with the security clauses in the agreement.
Of course, most of the things mentioned here will seem impossible for a smaller company. But in such a case, would you really give them your important information without having any guarantees? Sometimes you are better off with no cloud computing - this is something your management needs to decide: they have to weigh out the balance between the cost & convenience and the risks.
Manage your risks
I'm not trying to say here that the risks of cloud computing are the same as other outsourcing risks, because they are not - cloud computing usually brings higher risks. I'm also not trying to say that ISO 27001 and BS 25999-2 (soon to become ISO 22301) do not have to be more specific about cloud computing, because they do. I also think that the legislation will have to address this issue very quickly.
What I'm trying to say here is that although the risks related to cloud computing are high, it doesn't mean they cannot be mitigated. Therefore, use your common sense when choosing your cloud computing provider - if you don't trust your provider fully, then don't entrust them with your sensitive information.
Cross posted from ISO 27001 & BS 25999 blog