NCSC-FI: several factors affect the information security of organisations' cloud services
The use of cloud services has become more common due to their user-friendliness, availability, scalability and cost-effectiveness. However, cloud services also involve information security considerations that organisations should take into account.
The overall security of a cloud service consists of information security practices of both the service provider and the customer, as well as of the information security of the application that is transferred to the cloud.
"Organisations' own information security practices must also be in order when using cloud services. The service provider's safe technical implementation alone enables the implementation of a safe cloud service, but does not guarantee it", says Tomi Kinnari from the National Cyber Security Centre Finland (NCSC-FI) at FICORA.
Several cloud service providers use geographical decentralisation in order to ensure that the service functions and to divide resources. "With regard to this, it should be taken into account that the legislation in different countries handles, for example, the protection of personal data and electronic communications in different ways. The general rule is that the responsibilities laid down in the legislation cannot be outsourced to the cloud service provider", continues Kinnari.
One should pay attention to the information security issues of the cloud service provider as early as when choosing one. "For example, the encryption between server centres and the encryption between the customer and the server is critically important because the organisation's data is processed via the internet. Also, the technical and physical security of the service provider must be ensured, either by ensuring it yourself or by means of an audit carried out by a third party", remarks Kinnari.
Information security issues should also be taken into account in the service agreement made with the cloud service provider. When drawing up an agreement, one should remember at least the following:
- the ownership of the data and related rights;
- the geographical location of the data;
- the information security requirements, taking into account the life cycle of the data, the processing of personal data, and backups;
- the procedures for exceptional events, such as service interruptions;
- the Service Level Agreement; and
- the legislation applied in the agreement and the legal venue in the event of disputes.
The purpose of the NCSC-FI's report on the information security of cloud services is to provide help for companies and other organisations when assessing the security of cloud services and choosing a service provider.
Security of cloud services report [pdf, 480 KB] (in Finnish)
Tomi Kinnari, Information Security Adviser, NCSC-FI at FICORA, tel. +358 295 390 533
Eija Alavesa, Legal Counsel, NCSC-FI at FICORA, tel. +358 295 390 507