Can I Trust “The Cloud”? ISO 27001 and Commonsense

Jan 3, 2014 | general, ISO 27001

As the Director of a UK-based ISO Consulting company, dealing with among other standards, ISO 27001, I have more than a passing interest in IT security. Furthermore, I’ve worked on a number of government projects where security has been of the highest order.

The Cloud worries me.

So, What is The Cloud?
The Cloud is a name for a concept that sounds good: you entrust your little amount of data to a great big network of computers maintained by some of the biggest companies in the world. They have backups and copies, and surely they can look after it much better than you.

Can I Live Without It?
My company data resides in three key places: the hard drive of my laptop, and two copies on my backup device. A fourth copy of my accounts is submitted quarterly to my accountant.
Not only do I know where my data is, I know who has access to it. I can connect it to the internet, but I also have controls in place to make sure that connection only works one way, and I can turn it off when I wish. Physically, I know who has access to my office. Is the same true for the cloud?

And is it worth it?
But Cloud storage is so cheap! I wonder why that is? So, after you’ve passed all your data into the hands of some big Cloud service for safekeeping, and they have the only copy, they won’t be at all tempted to keep increasing the costs for accessing it, will they? And if you stop paying, they’ll give it back to you in the same format it was received in, and you’ll still have the resources and hardware to be able to access it, won’t you? And, of course, they have ISO 27001, providing an approved and regularly-audited framework for IT security. Don’t they…?

“But it’s Well-Protected”
And it won’t get hacked by anybody, will it? A Japanese electronics giant lost X million user accounts, complete with bank details. And an American software giant did the same thing with a couple of million customer accounts. ISO 27001, anyone?

Great Ideas versus Simple Diligence
We’re supposed to be in the “information age”, where information is THE valuable asset, and people want to put it in the cloud, a nebulous collection of server farms owned by foreign powers and spread around the world... sounds like a great idea.

ISO 27001 is about measuring the risks to an organisation’s data and information, then developing appropriate controls to keep it safe. Those controls can be simple, or sometimes more difficult, but I would argue that home-developed controls which you understand and have built yourself are many times better than trusting to a faceless service delivered from an unknown location by people you’ve never met.

Written by Colin Brown of ISO Consultants