Databarracks has launched its white paper, ‘Sharing the Governance Burden: Getting Compliant in the Cloud’. Written by regulatory expert Colin Bycroft, the paper examines four key governance standards and the split of responsibilities between a business and its Cloud Service Provider (CSP).
“The complexity of compliance in a cloud environment necessarily increases the number of potential failure points when compared with traditional IT solutions. There is a greater need for transparency and control as systems become more diffuse and stakeholders more varied, which can be a daunting prospect for those considering the move to cloud services,” explains Bycroft. Through this paper, he aims to cut through the noise and give recommendations for the smooth implementation of core governance standards including ISO 27001, PCI-DSS and the Government information security Business Impact Level 3.
The paper makes clear the need for a strong relationship between an organisation and its CSP. Bycroft continues: “The process of compliance should very much be a collaborative one; by outsourcing some or all of your systems you can lose direct access, so being able to trust your provider to understand and comply with governance standards is imperative.
“A move to cloud services requires an organisation to truly realise how risks to their business will increase or evolve over time, in order to identify weaknesses and employ the necessary processes to maintain watertight security. A good service provider will help you to do this; a bad (or badly managed) provider could end up being a weak link in the chain.”
Peter Groucutt, Managing Director at Databarracks agrees, stating: “Compliance isn’t something new. These problems and processes have always existed but in the past, organisations have had to deal with them alone. With cloud services, the CSP takes some of that onus from the customer, and the responsibility is shared. Obviously, the ultimate responsibility remains with the business to undertake internal risk assessments and identify the controls and SLAs and technical requirements, but we as a provider need to take an equally active role in the process.
“Some governance standards are very prescriptive – if the service provider has the correct accreditations you can tick the box and your governance is satisfied. Others, like ISO 27001 for information security for example, require in-depth identification of the individual risks and what processes are in place to mitigate them. This is where the definition of service and division of responsibilities between the two parties becomes crucial. IT departments need to be aware of the questions they should be asking their CSP, in terms of data retention and deletion policies for example, and the service provider needs to understand and be able to satisfy those requirements.”
Bycroft concludes: “Essentially, every business has its own specific governance standards it needs to comply with. These processes can be difficult and time-consuming, requiring continued review. Actually, working with a knowledgeable and experienced CSP can alleviate a lot of the stress involved by transferring certain responsibilities from the business to the service provider, so long as responsibilities are clearly and concisely defined.”