
台灣集中保管結算所 (Taiwan Depository & Clearing Corporation, TDCC)

A Brief Discussion on the Adoption of International Certification Standards for Cloud Service Information Security Management (Part 1)

Chiang Yu-Sheng, Internal Auditing Department

In response to the rapid development of global technologies such as cloud computing and cloud storage, and to the concurrent amendments by regulators that adjusted the procedural requirements for cloud adoption, institutions in the banking, securities, and insurance sectors are in the midst of a wave of cloud migration. Given TDCC's unique role and social responsibility in the financial industry, the company must continue to innovate and strengthen the resilience of its services, and so it cannot stand apart from the move toward the cloud. In adopting cloud services, however, it is essential not only to meet public expectations, regulatory policy, and legal requirements, but also to address information security, privacy protection, and business continuity. Only on that basis can TDCC establish sound internal rules and procedures, formulate a cloud migration plan, and adequately test the confidentiality, integrity, and availability of the cloud services it uses.

Before selecting an international standard to adopt, it is necessary to clarify what cloud computing means and to understand which cloud services the enterprise uses or provides. It is equally important to identify the enterprise's role: whether it acts as a Cloud Service Provider (CSP) or a Cloud Service Customer (CSC). This is a key concept when introducing international standards, because the role determines the responsibilities and obligations each party carries. As defined by the National Institute of Standards and Technology (NIST Special Publication 800-145), cloud computing has five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (Software as a Service, Platform as a Service, and Infrastructure as a Service), and four deployment models (public cloud, private cloud, hybrid cloud, and community cloud). For details, please refer to the NIST publication.

This article focuses on the adoption of international certification standards for information security management in cloud services. It explains the concepts behind these global standards and how an enterprise can adopt the requirements of ISO/IEC 27017 (information security controls for cloud services), ISO/IEC 27018 (protection of personally identifiable information in public clouds), or the security certification framework issued by the Cloud Security Alliance. These standards can be used to establish appropriate cloud security management policies and to strengthen risk control over cloud services.

Information Technology - Security Techniques - Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services (ISO/IEC 27017:2015)

ISO/IEC 27017:2015 is a code of practice for information security controls based on ISO/IEC 27002, and it belongs to the ISO/IEC 27001 family of Information Security Management System standards. It gives cloud-specific implementation guidance for 37 of the ISO/IEC 27002 controls and adds 7 new cloud-specific controls (the CLD controls), 44 items in total, as the operational baseline for information security in cloud services. The standard applies to all industries and to every type of cloud service, and it examines each control from both perspectives, Cloud Service Provider and Cloud Service Customer, asking whether each role fulfils its own information security responsibilities and implements appropriate control measures. It is worth noting that many of its items extend existing ISO/IEC 27001 Annex A controls, so a control whose name is unchanged may carry a different interpretation depending on the role. Capacity management is a good illustration. In ISO/IEC 27001 Annex A (control 12.1.3 of ISO/IEC 27002:2013) the requirement is that resource use be monitored and tuned, and future capacity projected, so that current and anticipated needs are met: server performance is monitored, and when an indicator crosses a defined threshold an alert is raised and followed up. In ISO/IEC 27017 the same control is split by role. The CSC must confirm that the capacity agreed with the CSP meets its actual requirements and must monitor its own usage of the cloud service to ensure performance; the CSP must monitor the overall capacity of the resources it provides to its CSCs, which are shared under a resource-pool model, to prevent service disruptions or security incidents caused by capacity shortfalls.
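The role split described above is easier to see in code. The following is an added example, not code from TDCC or from the ISO/IEC 27017 text: it models the same capacity-management control from both sides, with the CSC checking its agreed capacity against its requirement and monitoring its own usage (including a simple linear projection so that anticipated, not only current, demand triggers an alert), and the CSP watching the shared resource pool as a whole. Tenant names, vCPU figures, thresholds, and the usage samples are all constructed for illustration.

```python
"""Capacity-management checks split by cloud role (ISO/IEC 27017 guidance on
ISO/IEC 27002 control 12.1.3). Added example; the tenants, pool size,
thresholds and metric samples below are constructed, not real data."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TenantCapacity:
    """Capacity one Cloud Service Customer (CSC) has contracted for."""
    tenant: str
    agreed_vcpu: int                 # vCPU agreed with the CSP in the service contract
    required_vcpu: int               # peak need from the CSC's own capacity planning
    usage_samples: List[int] = field(default_factory=list)  # observed vCPU in use, oldest first


@dataclass
class ResourcePool:
    """The CSP's shared pool that backs every tenant's agreed capacity."""
    physical_vcpu: int
    tenants: List[TenantCapacity]


# ---- CSC perspective -------------------------------------------------------

def csc_check_agreement(t: TenantCapacity) -> List[str]:
    """CSC duty 1: confirm the capacity agreed with the CSP covers the requirement."""
    if t.agreed_vcpu < t.required_vcpu:
        return [f"{t.tenant}: agreed {t.agreed_vcpu} vCPU < required {t.required_vcpu} vCPU"]
    return []


def csc_monitor_usage(t: TenantCapacity, warn: float = 0.80,
                      window: int = 3, horizon: int = 3) -> List[str]:
    """CSC duty 2: monitor own usage against the agreed ceiling.

    Alerts when the latest sample is at or above `warn` of the agreed capacity,
    and projects the linear trend of the last `window` samples so that an
    exhaustion expected within `horizon` sample intervals also alerts."""
    findings: List[str] = []
    if not t.usage_samples:
        return findings
    latest = t.usage_samples[-1]
    util = latest / t.agreed_vcpu
    if util >= warn:
        findings.append(f"{t.tenant}: utilisation {util:.0%} at or above {warn:.0%} threshold")
    if window >= 2 and len(t.usage_samples) >= window:
        recent = t.usage_samples[-window:]
        slope = (recent[-1] - recent[0]) / (window - 1)   # vCPU growth per interval
        if slope > 0:
            intervals_left = (t.agreed_vcpu - latest) / slope
            if intervals_left <= horizon:
                findings.append(f"{t.tenant}: at current growth agreed capacity is exhausted "
                                f"in about {intervals_left:.1f} intervals")
    return findings


# ---- CSP perspective -------------------------------------------------------

def csp_monitor_pool(pool: ResourcePool, max_overcommit: float = 1.5,
                     warn: float = 0.85) -> List[str]:
    """CSP duty: watch the pool as a whole. Every tenant's agreed capacity is a
    promise drawn on the same physical resources, so both the commitment ratio
    and the aggregate actual usage are checked."""
    findings: List[str] = []
    committed = sum(t.agreed_vcpu for t in pool.tenants)
    ratio = committed / pool.physical_vcpu
    if ratio > max_overcommit:
        findings.append(f"pool: committed {committed} vCPU is {ratio:.2f}x physical "
                        f"{pool.physical_vcpu} vCPU (limit {max_overcommit:.2f}x)")
    in_use = sum(t.usage_samples[-1] for t in pool.tenants if t.usage_samples)
    util = in_use / pool.physical_vcpu
    if util >= warn:
        findings.append(f"pool: aggregate utilisation {util:.0%} at or above {warn:.0%} threshold")
    return findings


# ---- Constructed sample data (hypothetical tenants and pool) ---------------

TENANTS = [
    TenantCapacity("tenant-a", agreed_vcpu=32, required_vcpu=24, usage_samples=[18, 22, 27]),
    TenantCapacity("tenant-b", agreed_vcpu=16, required_vcpu=20, usage_samples=[6, 6, 7]),
    TenantCapacity("tenant-c", agreed_vcpu=64, required_vcpu=40, usage_samples=[30, 30, 30]),
]
POOL = ResourcePool(physical_vcpu=72, tenants=TENANTS)


def run_checks(pool: ResourcePool) -> Dict[str, List[str]]:
    """Run every role's checks and return findings keyed by role."""
    csc: List[str] = []
    for t in pool.tenants:
        csc += csc_check_agreement(t) + csc_monitor_usage(t)
    return {"CSC": csc, "CSP": csp_monitor_pool(pool)}


if __name__ == "__main__":
    for role, items in run_checks(POOL).items():
        print(role)
        for item in items or ["no findings"]:
            print("  -", item)
```

In the constructed data, tenant-a is within its agreement but its growth trend exhausts the agreed 32 vCPU within about one interval, tenant-b has contracted for less than it needs, and the provider's pool is over-committed and close to its physical ceiling. Each of those is visible only from its own role's vantage point, which is the reason ISO/IEC 27017 states the control separately for CSC and CSP.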

Conclusion

This article has outlined the background to cloud service adoption and given an overview of ISO/IEC 27017 for cloud service information security management. The next part will introduce ISO/IEC 27018 for the protection of personal data in public cloud services and the Security, Trust, Assurance and Risk (CSA STAR) program promoted by the Cloud Security Alliance, and will summarize the key points of these standards.
