Is the cloud secure? Can cloud services be trusted to look after and protect vital business information? Most people would probably assume the answer to both questions is yes. However, a new cloud adoption and risk report from the cloud security company Skyhigh Networks has found that such presumptions can be dangerous. The company found that many European businesses are vulnerable to cloud security risks. Skyhigh Networks discovered that only 1 per cent of the cloud services in use offer enterprise-grade security and store organisations’ data within Europe’s jurisdictional boundaries. The other 99 per cent of cloud services store data in countries which don’t have enterprise-grade security capabilities or where data privacy laws are less stringent.
Why is this information so important? It matters because of the sheer scale of current cloud adoption and usage. According to the company’s ‘European cloud adoption and risk report’, European enterprises currently use an average of 588 cloud services, yet only 9 per cent of those services provide enterprise-grade security capabilities. The other 91 per cent pose security risks. What’s more, the risk is even higher when it comes to data privacy and data residency, as a staggering 99 per cent of cloud services store data in countries like the U.S., Russia and China – countries where data privacy laws are far less stringently enforced.
But just how significant is the problem? According to the study, 25 of the top 30 cloud services in the collaboration, content-sharing and file-sharing categories were based in countries outside Europe. In terms of data privacy, the report found that as much as 72 per cent of cloud services used in Europe store data in the U.S. The security problem is compounded because the use of these unregulated and unmonitored cloud services also has legal and compliance implications for a number of European organisations. The report also found that only 5 per cent of cloud services in Europe are ISO 27001 certified, posing additional security compliance issues for many organisations unaware that their employees are using uncertified services.
The report concludes that a major reason for the current security and compliance risks of cloud services is the uncontrolled proliferation of shadow IT; that is, hardware or software used in an enterprise that is neither supported nor approved by the organisation’s central IT department. According to the report, much of the cloud adoption in European organisations occurs without the knowledge or approval of either Chief Information Officers or Chief Information Security Officers. This inevitably leads to the widespread adoption of shadow IT with its consequent risks. Skyhigh Networks argues that because of the ease with which employees can now consume cloud applications, little consideration is given to security and risk management implications or to the impact on wider business policies.
Why is ISO 27001 certification so important?
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. The business benefits of ISO 27001 certification are considerable: not only does the standard help ensure that a business’s security risks are managed cost-effectively, but adherence to a recognised standard sends a valuable and important message to customers and business partners. It clearly signals that the business cares deeply about information security management and does things the right way. ISO 27001 is invaluable for monitoring, reviewing, maintaining and improving a company’s information security management system and will unquestionably give partner organisations and customers greater confidence in the way they interact with you.
The Krypsys approach to ISO 27001 compliance
Our approach in the majority of ISO 27001 engagements with clients is to first carry out a Gap Analysis of the organisation against the clauses and controls of the standard. This provides us with a clear picture of the areas where the company already conforms to the standard, the areas where some controls are in place but there is room for improvement, and the areas where controls are missing and need to be implemented. For some organisations this will be the extent of the assistance required. However, following the Gap Analysis and debrief, it may be necessary to provide additional assistance by way of advice, guidance and project management for the implementation of suitable controls, in order to produce the documentation that will be required to meet the standard in preparation for any external certification.
If you need help with security reviews, security compliance, penetration testing or web security solutions from Check Point, Barracuda Networks, Alien Vault and Netwrix, please contact Krypsys on 0845 474 3031 or [email protected].