Cloud security ISO standards Serbia INTERCERT

Cloud (computing) security

Cloud computing (cloud services) is the practice of accessing databases, software, and resources over the internet, bypassing the limitations of local hardware. It offers flexibility to organizations by shifting part or most of the infrastructure management to third-party hosting providers.

Despite the importance of cloud services, there is a lack of trust in the security of providers and their clients, with confusion about whose responsibility it is to protect the data going to the server.

The role of the service provider (CSP) is to mitigate the risk of information security breaches, while the responsibility of the service user (CSC) is to implement information security controls and processes within the organization.

ISO 27017 is a standard that clarifies the roles of both service providers and users and provides guidelines on information security aspects in cloud computing. It recommends and helps with implementing cloud-specific information security controls, complementing the guidelines in ISO/IEC 27002:2013 and other ISO 27000 standards. It applies to organizations that provide services in the cloud computing framework and have an established ISMS (Information Security Management System).

ISO 27017 offers guidance on applying 37 information security controls from Annex A of ISO 27001, along with seven new cloud-related controls, which address:

  • Defining responsibilities between service providers and service users
  • Removal/return of assets when the contract is terminated
  • Protection and separation of the customer’s virtual environment
  • Virtual machine configuration
  • Administrative operations and procedures related to the environment
  • Monitoring of user activities
  • Aligning virtual and network environments

Benefits of ISO 27017 for service providers:

  • Builds trust in your business – provides greater assurance to clients and stakeholders that data and information are secure
  • Competitive advantage – demonstrates strong data protection controls
  • Protects your brand reputation – reduces the risk of negative publicity from regulatory violations
  • Protects against fines – ensures compliance with regulations to minimize the risk of penalties
  • Helps business development – provides consistent guidelines across different countries, making it easier to operate globally and become a preferred supplier

Benefits for service users:

  • Provides practical guidance on what to expect from service providers
  • Describes the roles and responsibilities of the user
  • Contributes to understanding shared responsibility
  • Helps protect the organization

Most service providers follow best security practices and take active steps to protect the integrity of their servers. However, organizations must consider their own solutions when securing data and applications in the cloud and align them with the standard. Without actively improving security, organizations face significant management risks.

Cloud security should be a key topic of discussion, regardless of the size of your business. Cloud infrastructure according to ISO 27017 supports nearly every aspect of modern computing across all industries. Whether your organization operates in a public, private, or hybrid environment, security solutions and best practices are essential for ensuring business continuity.