14 July 2023

Pay attention to the cloud compliance of your provider!

Fabian Kaiser

Head of Security & Compliance

What do you look for when choosing a cloud provider? Probably IT security, data security and compliance. After all, legal regulations, relevant standards and individual specifications must be adhered to. You also need to be able to verify all of this. Corresponding certifications are an important indicator here, but beware: the differences lie in the details - as is so often the case.

If the criteria mentioned meet your expectations, then you are right on trend: in January 2023, market researchers from techconsult surveyed 200 cloud representatives in companies with at least 50 employees across Germany on the topic of cloud compliance. The survey revealed that 60.5 per cent of respondents consider compliance and security to be extremely important when selecting a cloud provider. For companies with 500 or more employees, the figure was as high as 74.6 per cent. In addition, more than half of all respondents attach importance to data remaining in the EU.

What is cloud compliance?

Cloud compliance ensures that legal, regulatory and company-specific requirements and guidelines are implemented and adhered to in the cloud. It includes aspects such as data protection, the proper storage of data, information security and the availability of infrastructures, solutions and services from the cloud. In addition, the topics of sustainability and social commitment are increasingly taking centre stage.

Numerous laws, regulations and standards contain compliance requirements for cloud computing. For example, the storage and processing of personal data in the EU is governed by the General Data Protection Regulation (GDPR). Companies must also comply with the Supply Chain Security Obligations Act (LkSG) and the IT Security Act, the Telecommunications Act and the Telemedia Act, to name just the most important ones.

Cloud compliance when using external services

Compliance in cloud computing usually involves several players. With traditional in-house operation of IT environments, you have full control over the processed data and the systems or networks used. You are responsible for the entire IT infrastructure yourself, including IT compliance. However, as soon as you use the services of a cloud computing platform from an external provider or work with a managed service provider, your control options and sometimes also your responsibilities change.

For example, the data is transmitted via external networks and processed and stored in the cloud provider's data centres. Under certain circumstances, it may end up abroad and in other political spheres of influence. This sometimes results in complex constellations that make it difficult to trace the data flows and the service providers involved, which is hard to reconcile with, for example, the strict requirements of the European General Data Protection Regulation (GDPR) for handling personal data.

Since the Schrems II judgement of the European Court of Justice in 2020, the USA, for example, has been considered an unsafe third country within the meaning of the GDPR. The same applies to other countries that cannot guarantee an adequate level of protection for personal data. This means that your company's personal data may not be stored or processed there without major effort. It is therefore important to check the data centre locations and the company headquarters of the future cloud provider. If possible, these should be located within the EU. International corporate links can also lead to unauthorised data flows to such regions.

This alone shows that you need transparent information from the cloud operator in order to meet compliance requirements. The operator must take responsibility for its infrastructure, i.e. for the locations, hardware, network and facilities on which the cloud services run.

To do this, the cloud provider should ensure and be able to prove that their systems fulfil basic cloud compliance requirements. It is your responsibility as a cloud customer to check the extent to which the provider complies with the industry or company-specific guidelines that apply to your company. To find out whether a provider fulfils your cloud compliance guidelines, it is advisable to draw up a corresponding catalogue of questions. Below you will find some key questions on the topic of cloud compliance.

You should ask these questions about cloud compliance

  • Who stores and processes the data and where?
  • Are there corporate links to unsafe countries and regions?
  • Are other service providers involved in the provision of services?
  • Which networks transmit the data?
  • Where and how is the data encrypted?
  • Who has access to the data and with what rights?
  • Which compliance standards does the cloud provider support?
  • Which certificates can it provide and from which certification body?
  • Which services do the certificates cover?
  • Are the certificates up to date?
  • How can the provider's cloud compliance be monitored?
  • Is compliance reporting in place?
  • Is compliance contractually secured?
  • Can individual compliance requirements and SLAs be defined in the contract?
  • What are the regulations after the contract ends?

Certificates: the first cloud compliance check

For an initial review of a cloud provider, it is worth taking a look at their certifications. There are basically two variants. The first is third-party certificates, where an organisation assesses the services of cloud providers against its own criteria; one example is the German Federal Office for Information Security (BSI) with its guidelines for IT baseline protection. The second, which has become particularly well established, is standards-based certificates, such as those for the ISO/IEC 27001 series of standards for information security management.

In principle, you should make sure that these standards-based certificates have also been issued by an accredited body. In this case, the national accreditation body assesses, checks and monitors the certifier's technical competence. Not every certificate against these standards is issued by such a body. You also need corresponding certifications along the entire supply chain: from the cloud infrastructure provider to cloud service providers to the providers of any software-as-a-service (SaaS) running on it. You will often only find the logos of the standards on the providers' websites, in which case you will need to ask the provider for the issuing body. Sometimes PDFs of the certificates are also published, from which you can find the issuing body.

The most important certifications for cloud providers

ISO/IEC 27001: General information security

The most widely used series of standards for cloud providers is ISO/IEC 27001/2: IT security procedures, information security management systems, requirements and guidance for information security measures. It not only relates to cloud computing, but also generally regulates information security in IT environments. Among other things, this certification requires the establishment of an information security management system (ISMS). In addition, the steps involved in information processing must be fully documented. The BSI's criteria catalogue C5 for cloud computing is also based on this standard.

ISO/IEC 27017: Information security of cloud services

The international standard ISO/IEC 27017 obliges providers of cloud services to secure them with cloud-specific IT security measures. It is an extension of ISO/IEC 27001 and supplements the recommendations of ISO/IEC 27002 with an IT security guideline for cloud computing. This contains corresponding security measures and cloud-specific control mechanisms. With the certification, cloud service providers provide proof of secure transmissions.

ISO/IEC 27018: Data protection in the cloud

Certification in accordance with ISO/IEC 27018 is an extension of ISO/IEC 27001 tailored to cloud services and includes aspects of data protection in cloud computing. Here too, the focus is on establishing an ISMS. However, the processes, procedures and measures are adapted to the data protection requirements of cloud computing. For example, it is no longer considered positive if the administrator can view and understand as many processes as possible, as is the case in ISO/IEC 27001/27002. However, this does not yet fully fulfil the requirements of the GDPR.

ISO/IEC 27701: adding a data protection management system

The new extension to ISO/IEC 27001 adds a data protection management system to the traditional information security management system. This data protection management system is not the same as GDPR certification in accordance with Article 42 of the GDPR. However, it does provide the opportunity to prove that personal data is handled in compliance with the GDPR. As certification in accordance with Article 42 of the GDPR has only been possible since 2022, the network of correspondingly accredited bodies is still being established. For this reason, only a few providers can currently provide this certification.

SOC 2 Type II report in accordance with ISAE 3402: Internal control system for outsourced accounting-related processes

In addition to the ISO/IEC 27001 series of standards, some cloud providers have themselves audited by an independent auditing company in accordance with ISAE 3402 (ISAE: International Standards for Assurance Engagements). A service organisation control report (e.g. SOC 2 Type II) in accordance with the AICPA Trust Services Criteria confirms that the provider has an effective internal control system for the accounting-relevant business processes and IT services outsourced to it. The audit report documents the scope and appropriateness of the internal controls based on normative specifications and corresponding control parameters for security, availability, integrity and data protection.

ISO 9001: Quality management

In addition, you should also scrutinise the provider's general processes. ISO 9001 certification, for example, guarantees that the provider has a tested and monitored quality management system. This ensures that they continuously optimise their processes in order to improve company performance and meet customer requirements in the best possible way.

ISO 22301: Business continuity management

A business continuity management system (BCMS) in accordance with ISO 22301 aims to ensure the continued existence of the company in crisis and emergency situations, even in the event of major damage. It ensures that important processes are protected and the impact on critical business functions is minimised. After unexpected interruptions, business processes should be able to return to normal operation as quickly as possible. ISO 22301 defines requirements for the planning, structured design, implementation, monitoring and improvement of a BCMS.

How to achieve GDPR compliance in the cloud

Although ISO/IEC 27701 is suitable for checking compliance with the GDPR, it is not explicitly designed for this purpose. For this reason, efforts have been underway for several years to establish standardised data protection certifications across Europe. These should be explicitly geared towards the GDPR. Some companies have already developed certifications for this purpose, e.g. EuroPriSe GmbH with the "European Privacy Seal".

In the meantime, how do you recognise cloud providers that offer you a GDPR-compliant solution? It starts with checking the locations and group links. In addition, there should be at least one certification in accordance with ISO/IEC 27018 and an alternative data protection audit such as Check 28. This will tell you whether a provider has data protection expertise.

Further guidance for choosing a cloud platform

In addition to certificates, you can also use information provided by the cloud providers themselves when making your choice. For example, the Cloud Security Alliance (CSA) has developed the Consensus Assessments Initiative Questionnaire (CAIQ), a questionnaire with almost 280 questions to assess the compliance of cloud providers based on best practices. Numerous providers have already answered these questions and made them available on the CSA platform.

How to find a secure cloud provider

Once you have found a potential provider for you, take a close look at the certificates advertised. If available and relevant to you, request the provider's SOC 2 Type II report. Check the scope, i.e. the extent of the certifications. Often, only individual products, locations or processes are certified.

In addition, you should be familiar with and have an overview of the principle of shared responsibility: with all of the certificates described, it is clear that a provider can only be responsible for its own services as well as its own infrastructure and cloud platform. If, for example, a local cloud provider builds on one of the major public cloud platforms (AWS, Google Cloud Platform, Microsoft Azure), both the local provider and the major providers should have appropriate security and business continuity measures in place. You as the customer, on the other hand, are in most cases responsible for secure web applications, for your data processed in the cloud and for authorisation management. It is also your responsibility to decide whether or not disaster recovery or high-availability solutions should be integrated into business continuity management.

Last but not least, it should be mentioned that providers who have all or most of the aforementioned certificates often achieve a higher level of security than you can guarantee on your own thanks to their focus and experience. In many cases, they even offer additional bookable cyber security services such as penetration testing, security consulting or a cyber defence centre.

Security is important, but by no means everything

As the techconsult survey shows, information security and data protection play a central role when selecting a cloud provider. However, the performance and stability of the cloud is just as important for 60 per cent of respondents. 49.5 per cent of them see a good price-performance ratio as a decisive criterion. In addition, 40.5 per cent attach great importance to the provider's innovative strength, and around 30 per cent of those surveyed consider sustainability and social commitment to be a must when selecting a cloud provider. The latter two criteria are increasingly becoming the focus of companies and are broadening a compliance perspective that was previously limited to security issues in many places.

Would you like to find out more about IT compliance and information security? Write to us: ch-info@claranet.com