All posts by frankkrieger

Why trust and transparency are key for companies complying with new EBA cloud guidance

New guidance from official regulators should be music to the ears of anyone involved in compliance. Clarification, reference points and approved examples make the business of compliance that much more straightforward and are generally welcomed by compliance experts. In that spirit, it was with the best intentions – to clear the pathway to cloud adoption for financial services companies – that the European Banking Authority issued the guidance with which the financial sector must comply by 1 July this year.

Still, compliance experts on both sides of the cloud service provider (CSP)/customer divide might be forgiven for scratching their heads when it comes to interpreting the new directions in a real-world scenario.

The EBA has opted for a principles-based, technology-neutral approach to the guidance. In some ways this makes sense – technology is evolving at an astonishing rate and being too prescriptive could risk limiting the ability to make the most of the next exciting innovation. However, I feel that financial services companies require some more prescriptive standards, certifications and best-practice examples to provide greater clarity and help them unlock the benefits of cloud computing. As a cloud compliance specialist, here is my take on some of the key elements of the EBA guidance and how financial companies and CSPs will need to work together to comply with its principles.

Third party oversight offers verifiable, auditable trust

The guidance requires that financial organisations seek full understanding of the risks associated with their cloud outsourcing operations and the level of data and system security that CSPs will deliver. Therefore, the initial priority for a financial organisation is to establish that its cloud service provider – or prospective provider – has identified and is operating their risk, security and personal information management systems to a standard that will satisfy the guidance. This is not a small hurdle: the guidance does not specify which of the available standards is acceptable so there is a degree of subjectivity involved in deciding what constitutes a sufficiently rigorous approach. This will likely lead to a longer due diligence and discovery phase. Organisations should look for CSPs that are ISO 27001-certified for information security management as a minimum, but for cloud-specific aspects of security, the Cloud Security Alliance (CSA) Star certification programme provides auditable ongoing assurance that the provider is meeting and sustaining the highest standards.

When it comes to personal information security the forthcoming EU General Data Protection Regulation (GDPR) has prompted some CSPs who are leading the market in cloud compliance to certify to BS 10012:2017, which ensures they are operating best practice systems for data protection under the GDPR and should meet the level of assurance required by the guidance.

Third party oversight and validation from certifications such as CSA Star and BS 10012:2017, plus transparency into the policies and processes of the cloud provider, give financial institutions deep insight into the operations and procedures of their cloud partners. The key mantra here should be verifiable trust and transparency.

It’s important to note, also, that standards continue to evolve alongside the environment they relate to and CSPs have to work continuously to achieve ongoing certification. Including references to industry standards in the EBA’s guidelines like the ones I’ve mentioned above will provide useful signposts towards the route that financial organisations should take to achieve compliance.

Best practice SLA and monitoring relationships

The ability to continuously monitor the security and risk of cloud service provision is a key axiom of the guidance and will be critical to the success and compliance of the cloud outsourcing relationship. To achieve this it’s vital that the CSP and the financial organisation’s risk and monitoring programmes are aligned. If you have to decipher and translate risk and monitoring programmes between entities, confusion and disconnects will arise. Again, standards offer a solution: if both entities are aligned to ISO 27001 there is a common approach on which to build an effective monitoring strategy.

A best-practice service level agreement and monitoring relationship should be established at executive level within both organisations, reflecting its importance to both parties. A strong and transparent working partnership between the risk and compliance teams on both sides should underpin the regular cycle of audit, reporting and assurance. Look for a cloud service provider that gives you visibility into your cloud resources, their security settings and their compliance posture, as well as a straightforward means of getting the reporting you need for auditing purposes.

Chain outsourcing: Overcoming the financial sector’s Achilles heel

Outsourcing of any kind has historically been a major challenge and strictly regulated in the financial sector. In recognition of the flexible and collaborative nature of cloud service providers, the new guidance sets out the terms and processes under which chain outsourcing – a cloud provider outsourcing an element of its provision to a third party – is acceptable. As with most aspects of the guidance, strong emphasis is placed on ongoing risk management and transparency between the CSP and financial organisation. CSPs must agree to notify the financial institution should they subcontract an element of their service to another provider and must ensure that the subcontracted company meets the same standards set out in the original agreement between the CSP and its customer. Consent from the financial institution is not required, however, as this is deemed impractical. It is the responsibility of the financial organisation to determine whether the third party outsourced arrangement now constitutes unacceptable risk.

Throughout all aspects of the EBA guidelines it is abundantly clear that the relationship between financial organisations and their CSPs needs to be extremely close and transparent, and conducted at a senior level. Verifiable trust through certification is the linchpin of the whole relationship and the partnership will be dysfunctional (and potentially inviable) without this cornerstone in place.

In future guidance, I would like to see the EBA put more definition around the exact standards and best practices it expects to see in financial sector cloud outsourcing projects, but in their absence I hope that financial companies will discover that CSPs themselves can offer the consultative expertise needed to help them unlock the many benefits of the cloud.

ISO compliance in the cloud: Why should you care, and what do you need to know?


More and more organisations are looking to move to cloud to benefit from scalability, cost reduction and the ability to launch new service offerings fast.

The dynamic nature of cloud, however, necessitates security and compliance controls that frankly can be daunting. Issues around mobility and multi-tenancy, identity and access management, data protection, and incident response and assessment all need to be addressed. And with multiple modes – SaaS, PaaS, IaaS, public, private, hybrid – adding complexity to how security and compliance is carried out and by whom, IT leaders may think twice about leveraging cloud.

Organisations already in the process of implementing ISO 27001 to audit and report on the state of controls within their environment will know the immense amount of work required. However, while addressing compliance in the cloud is undoubtedly tough, it doesn’t have to be an obstacle.

What is ISO 27001 and why is it important?

ISO 27001 is a widely adopted global security standard and framework that sets out requirements and best practices for a comprehensive approach to managing company and customer information. Demonstrating IT security practices is an important element of achieving ISO 27001. The business benefits of ISO 27001 certification are many: it is an effective way to reduce the risk of your organisation suffering a data breach, it satisfies audit requirements, and it establishes trust both internally and externally that security controls are properly managed, giving customers greater confidence in doing business with you.

What does it take to implement ISO 27001 successfully?

As companies race to combat security threats and address evolving compliance requirements, they often struggle to implement and demonstrate the consistent security management that is core to ISO 27001. ISO 27001 is not for the faint of heart and does require significant organisational commitment.

Here are six key recommendations to help you achieve successful accreditation and maintain compliance in the cloud with ISO 27001:

  • Engage with senior management from the outset and work with your leaders to drive standards. Buy-in is essential – and it’s not just directors and VPs: CFOs, CEOs and business owners all need to be on board. Clear communication from the top is key, as the whole organisation will need to align to make the initiative a success.
  • Review the standards that need to be put in place – think beyond process. Many organisations will attempt to put policies and procedures in place without realising that cultural changes need to happen to make those policies and procedures stick. Without the proper alignment it can be difficult to make the changes needed to achieve on-going compliance.
  • Perform a gap analysis to understand any deficiencies. Conduct an honest assessment of where you are today and where the organisation needs to get to.
  • Aggressively work to educate your employees. Put a plan in place and communicate to staff that ISO is a whole-organisation activity and is in everyone’s job description going forward. It’s not a one-off.
  • Always be cognisant of risk. The organisation needs to objectively evaluate all levels of risk as you go through the process, including the risk that you generate yourself. A successful outcome is dependent on this and may well change the way you operate and structure your services.
  • Document, document, document. As you go through, you’ll find that there are many pieces that need to be secured, be it patching, remediation of events or incident controls. If you don’t leave a record, it becomes difficult to prove the path you took to compliance. Your customers will also want to know what you’ve been doing and how you’ve been doing it.

How to ensure your cloud service provider supports ISO compliance

When working with third party cloud providers, it’s your responsibility to ensure that all parties involved are compliant. Don’t just take a certificate at face value: you must validate an organisation’s claims when reviewing its ISO certifications, otherwise you are putting your organisation at risk.

Questions to ask include: What does the certification actually cover in terms of services and geo-locations? Is the certification for the entire company or only a segment of their operation? Who issued the certification and do they have an online database for validation? Is the issuer accredited to issue an ISO certification? Is the vendor willing to show you the auditor report behind the certification?

With the right people, processes and technology in place, IT leaders can actually leverage cloud service providers to help achieve ISO 27001 compliance – even more easily than they could achieve it with on-premises infrastructure. IT needs to ensure its cloud service provider has the security capability in place, as well as the compliance reporting capabilities and, even more importantly, the willingness to help it maintain ISO compliance for its cloud workloads.

In conclusion, organisations should care a great deal about ISO compliance in the cloud and ensure their partners and providers care as well. ISO compliance in the cloud doesn’t have to be a nightmare, but you do need to approach the process with the level of rigour that the standard demands.

What the Safe Harbour ruling means for your business in 2016


The start of a new year is always a good time for many businesses to get their IT strategies in place. However, there has been one issue in the past couple of months that may potentially cause a lot of complications in IT departments across the US and EU: the implications for cloud compliance of the recent nullification of the EU Safe Harbour ruling. Safe Harbour, used by over 4,000 firms to move EU data to the US for the past 15 years, was declared invalid by the European Court of Justice (ECJ) back in October 2015.

Companies on both sides of the Atlantic have been left questioning what impact this will have on IT procedures. This ruling has implications for those organisations that transfer customer data across borders, which is increasingly done via a public cloud.

Many questions have been left unanswered for many businesses, as IT and compliance leaders alike grapple with how to ensure compliance when transferring customer data between the EU and the US.

A rather old framework of regulations, the Safe Harbour Ruling was established in 2000 as a bridge for US and EU firms to share personal data. This was prompted by the EU’s move in 1998 to solidify and unify member states’ personal data regulations; and for many years – 15 to be exact – this worked fairly well. As long as both sides of the Atlantic had proper and audited controls in place, personal data moved rather freely.

However, 2015 saw challenges to the framework emerge in the EU courts that resulted in the Safe Harbour provisions being nullified, in turn forcing many companies to evaluate their data controls and the geographical location of that data. So, what does this mean? Unfortunately, this means a lot on both sides of the pond. If your business has been operating in a multinational fashion, shifting data might have been trivial in the past – it is no longer so.

It is imperative that you begin reviewing your privacy policies and statements as well as HR activities and determine whether you should have EU and US versions. Additionally, data collection requirements are now vastly different. EU regulations require an informed opt-in whereas in the US the process usually works with an informed opt-out. This is a significant change for many companies that sell, market and do business internationally, which can be onerous and time consuming for companies not used to operating in that fashion. If you are working from the EU side, now is the time to start looking at local cloud service provider options, since US datacentres may be violating EU laws and regulations.

Does all of this mean the end of transfers of personal data? No, business still needs to be done! Methods and options are available – Model Contract Clauses as well as Binding Corporate Rules can be used to make a transition. However, there can be a substantial overhead cost to mid-sized and smaller organisations. Additionally, both the US and EU governments are working to address the issues with the Safe Harbour framework, but legislation takes time and will most likely lag behind some enforcement activities that will occur after the January deadline.

Data sovereignty is ever-changing and new rules are being implemented constantly, and while these rulings will immediately affect US companies doing business in Europe, in the coming months this type of ruling will spread through other countries quickly. In the end, this is a disruptor but not a destroyer for business. If you make sure your business is staying on top of the regulations, you’ll not get caught out when new laws come into play in the near future.

One final note: as with all international laws and frameworks, it is highly recommended that you engage a subject matter expert – or your cloud provider’s Compliance and IT Security teams – for more detailed options and plans. That way you can be assured that you understand all the implications before you determine your strategy.