What Is ISO/IEC 27017?
More than a third of organizations suffered a serious cloud security incident in 2021. According to a survey of 300 cloud professionals covered by BetaNews, 36% of those respondents said that their organizations had suffered a severe cloud security data leak or breach in the past 12 months. Looking forward, eight in 10 survey participants said they were worried that they were vulnerable to a data breach related to a cloud misconfiguration. Slightly fewer (64%) said that the problem will remain the same or worsen over the next year.
To avoid falling victim to one of these types of incidents, organizations need to take a strategic approach to their cloud security. They can do so using ISO/IEC 27017. Let’s explore how below.
What Is ISO/IEC 27017?
Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27017 lays out guidelines that support cloud service customers and cloud service providers (CSPs) in their implementation of information security controls. Some of those guidelines pertain to cloud service customers; some of them pertain to CSPs. Even then, the applicability of those guidelines varies depending on the results of their risk assessments and the specific nature of their security requirements.
By design, ISO 27017 complements the guidelines of ISO/IEC 27001/27002 with a focus on major control areas including asset management and return, access control, physical security, and compliance, per Continuum GRC. The International Standard does go on to suggest seven new controls, however. Advisera identifies these security measures as follows:
- 6.3.1: Shared roles and responsibilities within a cloud computing environment
- 8.1.5: Removal of cloud service customer assets
- 9.5.1: Segregation in virtual computing environments
- 9.5.2: Virtual machine hardening
- 12.1.5: Administrator’s operational security
- 12.4.5: Monitoring of cloud services
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Joe Pettit. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/cloud/what-is-iso-iec-27017/

