What is the new ISO 27017 standard and why should cloud customers and cloud services providers care?
ISO 27017 (published as ISO/IEC 27017:2015) is a relatively new publication from the International Organization for Standardization (ISO) dealing specifically with information security for cloud computing.
ISO 27017 works alongside several other ISO standards. These include:
- ISO 27001: the requirements for establishing and running an overall information security management system (ISMS); this is the standard an organisation is certified against
- ISO 27002: a code of practice listing specific security controls an organisation can select from
- ISO 27017: cloud-specific guidance on applying those controls, plus additional controls, for providers and customers of cloud services
- ISO 27018: guidelines specifically addressing how to protect personal data (personally identifiable information) processed in the cloud
In practical terms, ISO 27017 builds on ISO 27002: it gives extra, cloud-specific implementation guidance for some of the existing controls and adds a small number of new controls, both to increase relevance to the cloud computing sector.
The guidance in ISO 27017 is designed for both providers and customers of cloud services. It notes that the way cloud computing works makes it possible to have a supply chain in which the same organisation is both a cloud service customer and a cloud service provider (for example, a SaaS provider that builds its service on another provider's infrastructure).
ISO 27017 was developed to reflect what it describes as “significant changes in how computing resources are technically designed, operated and governed.” It also notes that security is not solely the cloud service provider's responsibility. Customers need to assess the provider's security controls, and it is possible the customer will then have to adjust its own activities, or add controls of its own, to meet its security requirements.
ISO 27017 has a similar structure to ISO 27002, namely a checklist of possible security controls. Individual organisations need to decide which of these controls are relevant to their situation, which will depend in part on their status as cloud service provider, customer or both. Some controls apply in the same way to providers and customers, while others have separate guidance for each role.
The most significant cloud-specific guidance that ISO 27017 adds to the existing ISO 27002 controls addresses backups. It says that:
- cloud service customers should specify what backup capability they require from the provider, verify that the offered service meets that need, and make their own backup arrangements if the service isn't sufficient; while
- cloud service providers should provide “secure and segregated access to backups” and also provide the customer with a specification of the backup capabilities on offer.
Some of the suggested points to address in that specification include:
- Scope and schedule of backups
- Backup methods
- Data formats
- Retention periods
- Integrity of backup data
- Restoration procedure and timescale
- Physical location of backups
The most significant new control in ISO 27017 concerns segregation in virtual computing environments. The key principle is that a customer's virtual environment is protected from unauthorised access, including access by other customers sharing the same provider's infrastructure. This requires “appropriate logical segregation” of each customer's data and virtualised resources (compute, storage and network), and it requires the provider to take into account the added risk of allowing customers to run their own software on shared infrastructure. From the customer's side, the practical check is to ask the provider how tenant isolation is achieved and to verify that the provider's answer covers the data and resources the customer actually uses.