Content
- What is cloud compliance?
- Cloud compliance when using external services
- You should ask these questions about cloud compliance
- Certificates: the first cloud compliance check
- An overview of the most important certifications
- How to comply with the GDPR in the cloud
- Further guidance for choosing a cloud platform
- How to find a secure cloud provider
- Security is important, but not everything
What do you look for when choosing a cloud provider? Probably IT security, data security and compliance. After all, legal regulations, relevant standards and individual specifications must be adhered to, and you also need to be able to verify all of this. Corresponding certifications are an important indicator here, but be careful: as so often, the differences lie in the details.
If the above criteria meet your expectations, then you are right on trend: in January 2023, market researchers from techconsult surveyed 200 cloud officers in companies with at least 50 employees across Germany on the topic of cloud compliance. The survey revealed that 60.5 percent of respondents consider compliance and security to be extremely important when selecting a cloud provider. For companies with 500 or more employees, the figure is as high as 74.6 percent. In addition, more than half of all respondents attach importance to data remaining in the EU.
What is cloud compliance?
Cloud compliance ensures that legal, regulatory and company-specific requirements and guidelines are implemented and adhered to in the cloud. It includes aspects such as data protection, the proper storage of data, information security and the availability of infrastructures, solutions and services from the cloud. In addition, the topics of sustainability and social commitment are increasingly coming into focus.
Numerous laws, regulations and standards contain compliance requirements for cloud computing. For example, the storage and processing of personal data in the EU is governed by the General Data Protection Regulation (GDPR). Companies must also comply with the Supply Chain Security Act (SCSA) as well as the IT Security Act, the Telecommunications Act and the Telemedia Act, to name just the most important ones.
Cloud compliance when using external services
Compliance in cloud computing usually affects several players. With traditional in-house operation of IT environments, you have full control over the processed data and the systems or networks used. You are responsible for the entire IT infrastructure yourself, including IT compliance. However, as soon as you use the services of a cloud computing platform from an external provider or work with a managed service provider, your control options and sometimes also your responsibilities change.
For example, the data is transmitted via external networks and processed and stored in the cloud provider's data centers. Under certain circumstances, it may end up abroad and in other political zones of influence. This sometimes results in complex constellations that make it difficult to trace the data flows and the service providers involved, which conflicts, for example, with the strict requirements of the European General Data Protection Regulation (GDPR) for handling personal data.
Since the Schrems II ruling of the European Court of Justice in 2020, the USA, for example, has been considered an unsafe third country within the meaning of the GDPR. The same applies to other countries that cannot guarantee an adequate level of protection for personal data. This means that your company's personal data may not be stored or processed there without major effort. It is therefore important to check the data center locations and the company headquarters of the future cloud provider. If possible, these should be located within the EU. International corporate interdependencies can also lead to inadmissible data flows to such regions.
This alone shows that you need transparent information from the cloud operator in order to meet compliance requirements. The operator must take responsibility for its infrastructure, i.e. for the locations, hardware, network and facilities on which the cloud services run.
To this end, the cloud provider should ensure and be able to prove that its systems meet basic cloud compliance requirements. It is your responsibility as a cloud customer to check to what extent the provider complies with the industry or company-specific guidelines that apply to your company. To find out whether a provider meets your cloud compliance guidelines, it is advisable to draw up a corresponding list of questions. Below you will find some key questions on the subject of cloud compliance.
You should ask these questions about cloud compliance
- Who stores and processes the data and where?
- Are there corporate links to unsafe countries and regions?
- Are other service providers involved in the provision of services?
- Which networks transmit the data?
- Where and how is the data encrypted?
- Who has access to the data and with what rights?
- Which compliance standards does the cloud provider support?
- Which certificates can it provide from which certification authority?
- Which services do the certificates cover?
- Are the certificates up to date?
- How can the provider's cloud compliance be monitored?
- Does compliance reporting exist?
- Is compliance contractually secured?
- Can individual compliance requirements and SLAs be contractually defined?
- What are the regulations after the contract ends?
Certificates: the first cloud compliance check
For an initial check of a cloud provider, it is worth taking a look at its certifications. There are basically two variants: certificates from third-party bodies that assess the services of cloud providers according to their own criteria, such as the German Federal Office for Information Security (BSI) with its guidelines for IT baseline protection, and standards-based certificates, such as the ISO/IEC 27001 series of standards for information security management, which have also become established.
With standards-based certificates, you should always make sure that they have been issued by an accredited body, i.e. one whose technical competence is assessed, checked and monitored by the national accreditation body. Not every certificate issued against these standards comes from such a body. You also need appropriate certifications along the entire supply chain: from the cloud infrastructure provider to cloud service providers to the providers of any software-as-a-service (SaaS) running on it. Often you will only find the logos of the standards on the providers' websites, in which case you will need to ask the provider for the issuing body. Sometimes PDFs of the certificates are also published, from which you can identify the issuing body.
The most important certifications for cloud providers
ISO/IEC 27001: general information security
The most widely used series of standards for cloud providers is ISO/IEC 27001/2: IT security procedures, information security management systems, requirements and guidelines for information security measures. It not only relates to cloud computing, but also generally regulates information security in IT environments. Among other things, this certification requires the establishment of an information security management system (ISMS). In addition, the steps involved in information processing must be fully documented. The BSI's C5 criteria catalog for cloud computing is also based on this standard.
ISO/IEC 27017: Information security of cloud services
The international standard ISO/IEC 27017 obliges providers of cloud services to secure them with cloud-specific IT security measures. It is an extension of ISO/IEC 27001 and supplements the recommendations of ISO/IEC 27002 with an IT security guideline for cloud computing. This contains corresponding security measures and cloud-specific control mechanisms. With the certification, cloud service providers provide proof of secure transmissions.
ISO/IEC 27018: Data protection in the cloud
ISO/IEC 27018 certification is an extension of ISO/IEC 27001 tailored to cloud services and covers aspects of data protection in cloud computing. Here too, the focus is on setting up an ISMS. However, the processes, procedures and measures are adapted to the data protection requirements of cloud computing. For example, an administrator being able to view and trace as many processes as possible, which ISO/IEC 27001/27002 treats as desirable, is no longer regarded as a positive here. However, this does not yet fully meet the requirements of the GDPR.
ISO/IEC 27701: including a data protection management system in future
The new extension of ISO/IEC 27001 provides the classic information security management system with an additional data protection management system. This data protection management system is not the same as GDPR certification in accordance with Article 42 of the GDPR. However, it does provide the opportunity to prove that personal data is handled in compliance with the GDPR. As certification in accordance with Article 42 GDPR has only been possible since 2022, the network of accredited bodies is still being established. For this reason, only a few providers can currently provide this certification.
SOC 2 Type II report in accordance with ISAE 3402: Internal control system for outsourced accounting-related processes
In addition to the ISO/IEC 27001 series of standards, some cloud providers have themselves audited by an independent auditing company in accordance with ISAE 3402 (ISAE: International Standards for Assurance Engagements). A service organization control report (e.g. SOC 2 Type II) in accordance with the AICPA Trust Services Criteria confirms that the provider has an effective internal control system with regard to the business processes and IT services outsourced to it. The audit report documents the scope and appropriateness of the internal controls based on normative requirements and corresponding control parameters for security, availability, integrity and data protection.
ISO 9001: Quality management
You should also take a close look at the provider's general processes. ISO 9001 certification, for example, guarantees that they have a tested and monitored quality management system. This ensures that they continuously optimize their processes in order to improve company performance and meet customer requirements in the best possible way.
ISO 22301: Business continuity management
A business continuity management system (BCMS) in accordance with ISO 22301 aims to ensure the continued existence of the company in crisis and emergency situations, even in the event of major damage. It ensures that important processes are protected and the impact on critical business functions is minimized. After unexpected interruptions, business processes should be able to return to normal operation as quickly as possible. ISO 22301 defines requirements for the planning, structured design, implementation, monitoring and improvement of a BCMS.
How to comply with the GDPR in the cloud
Although ISO/IEC 27701 is suitable for checking compliance with the GDPR, it is not explicitly designed for this purpose. For this reason, efforts have been underway for several years to establish standardized data protection certifications across Europe. These should be explicitly geared towards the GDPR. Some companies have already developed certifications for this purpose, e.g. EuroPriSe GmbH with the “European Privacy Seal”. The Trusted Cloud competence network also wants to implement AUDITOR EU-wide data protection certification of cloud services by accredited bodies with its AUDITOR project, which is funded by the Federal Ministry for Economic Affairs and Energy. According to the association, the new certification procedure is currently in the approval process at the German accreditation body, so it is still a long way off.
But in the meantime, how do you recognize cloud providers that offer you a GDPR-compliant solution? It starts with checking the locations and group links. In addition, there should be at least one ISO/IEC 27018 certification and an alternative data protection audit such as Check 28. This shows whether a provider has data protection expertise.
Further guidance for choosing a cloud platform
In addition to certificates, you can also use self-disclosures from cloud providers when making your selection. For example, the Cloud Security Alliance (CSA) has developed the Consensus Assessments Initiative Questionnaire (CAIQ), a questionnaire with almost 280 questions to assess the compliance of cloud providers based on best practices. Numerous providers have already answered this questionnaire and made it available on the CSA platform.
How to find a secure cloud provider
Once you have found a potential provider, take a close look at the certificates advertised. If available and relevant to you, request the provider's SOC 2 Type II report. Check the scope, i.e. the extent of the certifications. Often only individual products, locations or processes are certified.
You should also be familiar with and have an overview of the principle of shared responsibility: with all of the certificates described above, it is clear that a provider can only be responsible for its own services as well as its own infrastructure and cloud platform. If, for example, a local cloud provider builds on one of the major public cloud platforms (AWS, Google Cloud Platform, Microsoft Azure), both the local provider and the major provider should have implemented appropriate security and business continuity measures. You as the customer, on the other hand, are in most cases responsible for secure web applications, for your data processed in the cloud and for authorization management. It is also your decision whether disaster recovery or high availability solutions are integrated into business continuity management.
Last but not least, it should be mentioned that providers who have all or most of the aforementioned certificates often achieve a higher level of security due to their focus and experience than you can guarantee on your own. In many cases, they even offer additional bookable cyber security services such as penetration testing, security consulting or a cyber defense center.
Security is important, but by no means everything
As the techconsult survey shows, information security and data protection play a central role when selecting a cloud provider. However, the performance and stability of the cloud is just as important for 60 percent of respondents. 49.5 percent of them see a good price-performance ratio as a decisive criterion. In addition, 40.5 percent attach great importance to the provider's innovative strength, and around 30 percent of those surveyed consider commitment to sustainability and social engagement to be a must when selecting a cloud provider. The latter two criteria are increasingly becoming the focus of companies and are broadening the compliance perspective that was previously limited to security issues in many places.
Would you like to find out more about IT compliance and information security? Write to us: ch-info@claranet.com