- Trump taps Sriram Krishnan for AI advisor role amid strategic shift in tech policy
- 5 network automation startups to watch
- 4 Security Controls Keeping Up with the Evolution of IT Environments
- ICO Warns of Festive Mobile Phone Privacy Snafu
- La colaboración entre Seguridad y FinOps puede generar beneficios ocultos en la nube
What Is ISO/IEC 27017 – Code of practice for information security controls?
More than a third of organizations suffered a serious cloud security incident in 2021. According to a survey of 300 cloud professionals covered by BetaNews, 36% of those respondents said that their organizations had suffered a severe cloud security data leak or breach in the past 12 months. Looking forward, eight in 10 survey participants said they were worried that they were vulnerable to a data breach related to a cloud misconfiguration. Slightly fewer (64%) said that the problem will remain the same or worsen over the next year.
To avoid falling victim to one of these types of incidents, organizations need to take a strategic approach to their cloud security. They can do so using ISO/IEC 27017. Let’s explore how below.
What Is ISO/IEC 27017?
Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27017 lays out guidelines that support cloud service customers and cloud service providers (CSPS) in their implementation of information security controls. Some of those guidelines pertain to cloud service customers; some of them pertain to CSPs. Even then, the applicability of those guidelines vary depending on the results of their risk assessments and the specific nature of their security requirements.
By design, ISO 27017 complements the guidelines of ISO/IEC 27001/207702 with a focus on major control areas including asset management and return, access control, physical security, and compliance, per Continuum GRC. The International Standard does go on to suggest seven new controls, however. Advisera identifies these security measures as follows:
- 6.3.1: Shared roles and responsibilities within a cloud computing environment
- 8.1.5: Removal of cloud service customer assets
- 9.5.1: Segregation in virtual computing environments
- 9.5.2: Virtual machine hardening
- 12.1.5: Administrator’s operational security
- 12.4.5: Monitoring of cloud services
- 13.1.4: Alignment of security management for virtual and physical networks
Why ISO/IEC 27017 Compliance Is Important…
Cloud service customers can reap several benefits by complying with ISO/IEC 27017. First, Renad Al Majd points out that they can grow their levels of customer confidence by demonstrating their interest in protecting their cloud-based systems and assets. Customers might be more inclined to do business with an organization if they know that they’re working to safeguard their data.
Cloud service providers can grow their reputations beyond the eyes of customers, as well. By adhering to ISO 27017, organizations can lay out a long-term investment strategy for growing their commitment to cloud security. Potential investors can then look to those organizations as responsible partners with which they can do business going forward.
Finally, organizations can use ISO/IEC 27017 to secure their reputation and business interests. By complying with the International Standard through the lens of a broader security program, they can reduce the risk of regulatory fines and penalties associated with other compliance programs such as the European Union’s General Data Protection Regulation (GDPR). Doing this will help them to avoid falling to a breach and suffering damage to their brand in the process.
…And Why Organizations Might Need Help Along the Way
Organizations might need help fulfilling the guidelines specified by ISO/IEC 27017, however. In the survey covered BetaNews, at least 20% of cloud professionals said that alert fatigue, false positives, and human error was hindering their cloud security efforts. More than a third (36%) of professionals said that they were struggling to hire and retain cloud security experts, while about the same proportion said that they were facing problems training their cloud teams on security.
These skills gap challenges aren’t unique to cloud security, either. In a 2020 survey, for instance, 83% of security professionals told Tripwire that they felt more overworked at the start of 2020 than they did in the beginning of 2019. Approximately the same percentage indicated that their teams were understaffed and that it had become more difficult for their organizations to hire trained talent over the past few years.
That’s Where Tripwire Can Help
Fortunately, organizations don’t need to work towards ISO/IEC 27017 compliance on their own. They can work with Tripwire to ensure their security in the cloud. Indeed, Tripwire’s file integrity monitoring (FIM), security configuration management (SCM), and vulnerability management (VM) capabilities apply to organizations’ assets where they’re on premises or in the cloud. Tripwire’s configuration management tool provides additional security coverage, helping customers to manage the configurations of their third-party Software-as-a-Service (SaaS) applications such as Salesforce and Zoom so that they can protect them against attacks—all while automating policy management for overworked security and compliance teams.