CSP security

Your choice of CSP services will depend, in particular, on the level of risk you consider acceptable and on the security measures that will be taken to eliminate this risk. You need to determine whether the security measures offered by the provider cover the risks to your business, or whether you or the CSP need to integrate other controls.
Your CSP security assessment should follow a formal and consistent approach to address all key issues:
– Security Management
– Confidentiality
– Regulatory Compliance
– Legal Aspects
– Multi-User Services
– Incident Management
– Termination of management

Security management.

Security management is important both for a company that is considering the introduction of cloud services and for its provider. The key is effective management and reduction of information security risks. Both entities need a common, documented and well-defined management structure to properly protect information throughout the service life cycle.
Without such a structure, companies and their CSPs will not be aware of the security requirements necessary to reduce the risks associated with the infrastructure, applications, and data used in the cloud. Therefore, it is important to answer at least the following questions:
– Who should protect the confidential data stored in the cloud?
– How will security be ensured throughout the supply chain, including third-party access to confidential information?
– Does the company turn to cloud services for quick and cheap implementation of new solutions without involving its IT department or security group, thereby bypassing its own security measures and generating unknown risks?

Confidentiality.

Confidential and personal information, often stored in the cloud, is usually a target for attackers of cloud computing services. However, managing its protection in the cloud is more difficult than with standard on-site IT systems. There are two main problems for enterprises:
– Loss of control over their information.
– Dependence on their CSP.

When storing sensitive data in the cloud, companies must put additional controls in place to ensure its protection. The minimum controls that need to be implemented are:
– Data sovereignty and data location requirements
– Data encryption
– Two-factor authentication
– Privileged identity controls

Conformity.

Accessibility of information, implemented security measures … Given the many unknowns in the cloud equation, adopting this type of service sometimes complicates compliance with ISO, PCI DSS, etc.
To ensure cloud adoption, organizations must document the conformity of their cloud service management tools. They should also be able to prove that continuous risk management is in place to support these controls.

Legal Considerations

Given the nature of the cloud, some laws, regulations, and other binding provisions may restrict or even prohibit the migration of certain types of information and business functions to the cloud. Therefore, companies should take the time to consider the legal consequences of adopting it. Clearly, they must consult a lawyer to determine all their legal obligations.
Indeed, given the legal requirements for information security that are imposed on them, companies that adopt cloud services without fulfilling their obligations upstream face various problems.
For example:
– Where the CSP locates company data may have legal consequences, as some data protection provisions govern, for example, cross-border data transmission.
– Some companies do not know which data protection laws apply to their information in the cloud.
– Data management and ownership issues: who owns the data in the cloud? Can the CSP use this data for its own purposes or resell it? What will be the consequences of a CSP bankruptcy?
Some national laws give the state the right to access all data stored on its territory. Beware of poorly defined Cloud Service Agreements and Service Level Agreements (SLAs) that do not mention the security standards that the CSP must implement, the company's audit rights, and liability for data breaches.