We look at how certifications and audits boost confidence in cloud security
Cloud has reached a tipping point, with more businesses now confident about putting their information online. Even executives who used to be hesitant about going 'on-demand' are beginning to believe in the strengths of the cloud.
As many as 64.9% of IT leaders think the cloud is as secure as, or more secure than, traditional on-premises software, according to the Cloud Security Alliance. The main providers play a key role in boosting confidence, helping to reassure IT and business leaders that sensitive data is safe and secure online.
Suppliers are taking crucial steps to beef up their security and help deliver compliance the business can rely on. The key here is independent certifications and third-party audits from a variety of accredited organisations.
Take ISO/IEC 27001, the first international code of practice for cloud privacy, which defines how providers must continually improve their information security management systems. The standard includes best practice around documentation, availability and access control.
Its sister certification, ISO/IEC 27018, is an additional standard based on EU data-protection laws. It gives guidance to providers that process personally identifiable information. The certification gives peace of mind to CIOs by assessing risks and implementing state-of-the-art controls at the provider level.
Of course, IT leaders remain responsible for processes within their own organisations. Having said this, independent certification can be used in a firm's own compliance assessment, proving to internal executives and external auditors that a move to the cloud is low risk.
Certification is, in short, a clear sign that the IT industry sees cloud security as the key to continued growth. Microsoft was the first firm to become ISO/IEC 27018-compliant. Other providers have taken similar steps, helping CIOs to recognise which external suppliers can really be seen as trusted partners.
Further assurance comes in the form of audits. The American Institute of Certified Public Accountants has implemented a two-step framework, SOC 1 and SOC 2, which evaluates the design of a provider's controls. Azure and Office 365, for example, are in scope for SOC 1 and SOC 2.
External third-party audits by experts such as Deloitte and the British Standards Institution provide additional reassurance. Developments at a regional level represent a further layer of support. For instance, the EU Model Clauses cover data transfer, and Australia's CCSL (IRAP) refers to government validation.
The nascent cloud market continues to develop promisingly - and that progress is directly related to the certification and auditing processes of the IT industry.