Information Security Forum: Risks from Moving to the Cloud are Significant But Easily Managed

Challenges Arise as Data Subject to Privacy Regulation Moves to the Cloud
By: Information Security Forum
 
April 23, 2013 - PRLog -- The risks of using cloud services for private data are significant but easily managed, according to the Information Security Forum (ISF) (http://www.securityforum.org), a global, independent information security body considered the world's leading authority on cyber security and information risk management. Cloud-based systems come with inherent challenges, and these are further complicated as data subject to privacy regulation inevitably moves into the cloud. Organizational pressure to take advantage of cloud-based systems should be matched by equal eagerness to understand and manage the risk.

“The decision to use cloud-based systems should be accompanied by an information risk assessment that’s been conducted specifically to deal with the complexities of cloud systems, the data that will be stored in the cloud, associated privacy regulations and of course the needs of the business,” said Steve Durbin, Global Vice President, ISF. “It should also be supported by business processes that ensure the necessary safeguards. Otherwise, the persistent pressure to adopt cloud services will increase the risk that an organization may fail to comply with privacy legislation, particularly when operating across multinational borders.”

The security arrangements offered by cloud providers, and the risks that need to be managed, should be assessed individually before a decision to accept or reject a particular cloud type and service combination is made. An organization should use the combination of cloud type and service as a basis for considering the information risk so it can be appropriately managed. There are many types of cloud-based services and options available to an organization and each combination of cloud type and service offers a different range of benefits and risks to the organization.

Every cloud-based system is a combination of a particular cloud service deployed on a specific cloud type. Each cloud service (IaaS, PaaS or SaaS) has different inherent risks, as does each cloud type (private, community or public). Each cloud service and each cloud type provides a different level of control to the purchasing organization, which in turn creates a different degree of inherent risk. There is therefore a different degree of inherent risk in each of the nine categories of cloud-based systems.

“Cloud-based systems are a standard part of the business landscape because they can be cheaper, quicker and easier to deploy than internal IT systems,” continued Durbin. “For business leaders, the promise of reduced costs from scalable IT services provided on-demand is extremely attractive – and has helped drive a rapid uptake of cloud-based systems. The attraction is especially acute during prolonged economic downturn as organizations look for opportunities to outsource non-core aspects of their business.”

The ISF’s latest report, Data Privacy in the Cloud, provides an overview of privacy as a concept, and explains personally identifiable information (PII), along with the demands typically placed on organizations by privacy regulations. The report also further enhances the ISF Privacy Framework to address cloud-based privacy issues, enabling organizations to develop the privacy safeguards and good practice guidelines specific to their organization – and determine the actions required to achieve privacy compliance when using cloud-based systems.

Data Privacy in the Cloud addresses many of the issues that arise when information subject to privacy regulations moves into the cloud, including:

· Cloud risk is seen to be complicated
· BYOC (bring your own cloud) enables people to bypass organizational safeguards, and they are often unaware of the risks associated with putting PII in the cloud
· Locations of information are unclear, potentially triggering additional regulatory requirements or causing a breach of compliance
· PII can mix with other organizations’ information
· PII can continue to be held by cloud providers after contract termination
· Cloud providers can use PII for their own purposes
· PII requirements are not always well defined in the contract
· Standard uses and policies for cloud services are not always defined in the organization’s security architecture

Data Privacy in the Cloud is available now for purchase from the ISF Store on ISF’s website, www.securityforum.org, as is a free Executive Summary.

Information Security Forum (ISF)

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

Further information about ISF research and membership is available from www.securityforum.org
End
Source: Information Security Forum
Tags: Information Security, Cloud Security, Cyber Security, Data Privacy, Risk Management
Industry: Security, Research
Location: United States
Subject: Reports