Cloud Storage: The Most Important Certificates and Standards
IT services are often difficult to assess. Who can say with certainty whether a provider really meets all security requirements? Well, test centers can. They issue proof of compliance with defined standards. We present the most important cloud certificates.
Table of Contents
- General Information About Certification
- Who Needs a Cloud Certificate?
- What Cloud Certificates Are Available?
- The ISO/IEC 2700 Family
- Cloud Security Alliance Star Verification
- EuroCloud SaaS Star Audit
- ISAE 3402 and SSAE 16 as Replacements for SAS 70
- Cloud Computing Compliance Criteria Catalogue (C5) in Germany
- In Progress: The EUCS – Cloud Services Scheme
- Information Security in the Automotive Industry: TISAX
- FINRA, SOX, FIPS - Compliance and Data Protection for the US Financial Industry
- Our Recommendation: Observe Certificates and Additionally Encrypt Yourself
General Information About Certification
As a rule, this is how the certification process works: A company first carries out an internal audit with the aid of predefined questionnaires, to obtain an overview. Once the internal measures have been identified, the actual audit is carried out by a certification authority. The experts from the certification authority then prepare an audit report and issue the certificate. Depending on the type of certificate, it is then valid for a certain period. The validity of some certificates is linked to conditions, such as an annual surveillance audit.
Who Needs a Cloud Certificate?
Cloud certificates are generally acquired by cloud service providers. With a certificate, these providers show their customers that certain requirements, relevant for secure operation, are met. Depending on the certificate, the focus lies on different topics. Basically, it is always a matter of ensuring that the stored data is secure or that the processing of information functions reliably.
In addition to cloud providers, companies that use the cloud for their sensitive company data are also certified. They can (or must) have their cloud infrastructure certified.
As a rule, cloud providers make their certificates available online so that customers can check them at any time. In our article you will find the relevant links and learn which cloud certificates are relevant for your company and your industry.
What Cloud Certificates Are Available?
The ISO/IEC 2700 Family
The most important standard for digital security is the ISO 27000 series. It is defined by the International Organization for Standardization and represents the international standard.
ISO certificates are awarded by government-accredited auditors. Usually, the company (or organization) first performs a self-assessment. Together with the auditor, this assessment is reviewed and the critical points are identified. How long a certificate is then valid varies. ISO 27001, for example, is valid for three years, provided an annual review takes place.
Note: The International Organization for Standardization (ISO) is based in Switzerland. It has been developing international standards in nearly all fields since 1947. In its self-description, ISO describes the core of their work: "ISO standards are internationally agreed by experts. Think of them as a formula that describes the best way of doing something."
ISO/IEC 27001 is the leading international standard for information management systems, and thus the most important cyber security certification. It defines requirements for the Information Security Management System (ISMS). This standard is very general and addresses the planning, implementation, monitoring and improvement of information security.
- Suitable for: Private and public companies, non-profit organizations
- Application area: Defense against attacks; prevention of disruptions
ISO/IEC 27002, 27003, 27004, 27005
The details for implementing ISO 27001 are described in the following standards:
- ISO 27002: Recommendations for meeting the requirements from a technical perspective
- ISO 27003: Recommendations for meeting the requirements from an organizational perspective
- ISO 27004: Analysis of the implementation of the Information Security Management System (ISMS)
- ISO 27005: Risk analysis
ISO/IEC 27011 and ITU X.1051 for the Telecommunications Industry
ISO/ IEC 27011 serves as a guide for information security management for telecommunications companies. The standard is also known as ITU X.1051. It is based on ISO 27002 and supplements this standard with specific aspects of telecommunications.
The additional requirements are necessary because the risks within the telecommunications sector are higher compared to other industries. For example, large numbers of accounts are managed particularly frequently and authentication data is nearly constantly transmitted, which increases the probability of being hacked. Another special feature of telecommunications is that many different systems are interlinked. As a consequence, even small disruptions often have an impact on all those systems. This, on the one hand, causes high costs, and on the other hand, can lead to a PR disaster.
ISO 27799 for Medical Care in Hospitals
Another industry-specific security standard exists for hospitals. In Germany, it is based on the ISO 27001 standard and the industry-specific requirements of ISO 27799, which are primarily in the area of confidentiality, availability and integrity of patient data.
The specific threats in the healthcare system are:
- Physical harm to systems is more likely in hospitals than in other areas, since many people have (more or less) free access to hospital building: Employees, patients, visitors.
- Sensitive data in (electronic) patient records require a particularly high level of protection.
ISO/IEC 27701 Data Protection and the GDPR
Since August 2019, ISO 27701 adds data protection criteria to ISO 27002. The goal of this standard is to increase the protection of privacy and the secure the handling of personal data. Companies can use this standard to demonstrate compliance with data protection regulations worldwide. In other words, ISO 27701 makes the GDPR certifiable and thus brings security to all organizations that fall within the scope of the European regulation.
The main contents of ISO 27701:
- Extension of the guidelines to include aspects of data protection
- Appointment of a person responsible for the “Privacy Information Management System” (PIMS)
- Data protection training for employees
- Logging of accesses and changes
- Encryption of personal data that fall into special categories (health data, for example)
- Consideration of the “Privacy by Design” principle
- Review of security incidents for data protection violations
ISO/IEC 27017 Cloud-Security
The requirements of ISO/IEC 27017 are specifically tailored to cloud service providers. For each area of the superordinate ISO/IEC 27001 standard, possible special features of cloud security are explicitly set out.
A major focus is on the relationship between the cloud user and the cloud provider. For example, it deals with what can be expected from one's cloud provider and what information the provider must issue.
ISO/IEC 27017 ensures standardization of the relationship between customers and cloud providers through an analysis grid and the targeted exchange of information, thus facilitating the business relationship.
Cloud providers should seek ISO 27017 certification. Anyone using cloud services should check whether the provider of choice has a valid certificate.
Cloud Security Alliance Star Verification
The Cloud Security Alliance is a non-profit organization. Its goal is to promote the security of cloud technologies, cloud environments and cloud services. To this end, it provides white papers, guidelines and tools. However, the most important tool is the CSA Security, Trust & Assurance Registry (CSA STAR) program. It certifies compliance with the guidelines established by the CSA and is closely aligned with the ISO 27001 standard.
The CSA STAR supports organizations and companies in selecting the appropriate cloud provider.
The program consists of three levels:
- Third party audits
- Continuous monitoring
The self-certifications and audits of each listed member can be viewed publicly on the CSA website. They are intended to promote transparency within the industry and to provide customers with the most comprehensive possible basis for decision-making when choosing a suitable cloud provider.
The requirements for cloud providers, as well as a list of all companies that have submitted documentation, can be found on the Cloud Security Alliance website.
EuroCloud SaaS Star Audit
EuroCloud Europe is a non-profit organization whose members are mainly European cloud providers. Software-as-a-Service (SaaS) providers can be certified according to the “Euro Cloud SaaS Star Audit” standard. Star Audit is a program that aims to make European standards globally verifiable. The goal: to promote the growth of cloud-based services and innovations worldwide. The transparent certification process, which is intended to strengthen trust in cloud services and enable a comprehensible evaluation of cloud services, helps to achieve this.
The Euro Cloud SaaS Star Audit comprises a long list of security compliance questions that the cloud provider must answer. A maximum of five stars can be earned in the process. The number of stars in the seal then shows how trustworthy a cloud provider is.
StarAudit says it is also committed to promoting trust in the cloud industry beyond awarding certificates. For example, they also run awareness programs and promote knowledge transfer. They also seek to advance interoperability and harmonize the regulatory framework. Another focus of StarAudit is knowledge transfer to IT, legal and procurement professionals. Those who wish to develop professionally in this area will find accreditation procedures and training opportunities.
ISAE 3402 and SSAE 16 as Replacements for SAS 70
The SAS 70 standard was the most important audit report on control systems of service companies for two decades. It was issued by the American Institute of Certified Public Consultants. Although a U.S. institution, SAS 70 was recognized worldwide and was also used outside of the United States.
Nevertheless, the International Auditing and Assurance Standards Board (IAASB) has established an international standard for this area of business: ISAE 3402. As part of an alignment process of U.S. standards with IAASB standards, the AICPA issued a new Statement on Standards for Attestation Engagements to replace SAS 70: SSAE 16, which largely mirrored the provisions of ISAE 3402. Due to concerns about the clarity, length, and complexity of its standards, SSAE 16 became SSAE No. 18 as part of a clarification and recoding effort in April 2016.
ISAE 3402 (Worldwide)
Since 2011, ISAE 3402 has been testing the control mechanisms within companies that offer their services to other companies – which is clearly the case with cloud providers. With the test certificate and the associated test report, the service companies confirm to their customers that a control system has been established and is functioning with regard to the outsourced business processes. ISAE 3402 is therefore also referred to as the outsourcing standard.
ISAE 3402 breaks down as follows:
- Type 1 covers the suitability and design of controls, the control design, and the implementation of the internal control system.
- Type 2 extends Type 1 to include the effectiveness of the control system in a predefined period of time.
A major advantage of the audit in accordance with ISAE 3402 is the cost savings in the annual audit by the auditor. The standardization of the verification requirement eliminates the need for individual audits by certified service providers, which saves money.
You can download the English-language manual on ISAE 3402 here. For familiarization, we recommend the Wikipedia article.
SSAE 18 (USA)
While ISAE 3402 is applied worldwide, SSAE No. 18 is the standard for companies based in the USA. Due to their similarity in content, the ISAE 3402 and SSAE 18 standards are often covered in one audit and one report.
Cloud Computing Compliance Criteria Catalogue (C5) in Germany
C5 is the cloud test certificate of the Federal Office for Information Security. The catalogue of requirements is met by the cloud service provider and then checked in accordance with auditor standard ISAE 3402 or IDW PS 951. This then certifies that the cloud provider complies with the requirements of the catalogue and that the statements on transparency are correct.
In Progress: The EUCS – Cloud Services Scheme
The European Union Agency for Cyber Security (ENISA) was founded in 2004 and is based in Greece. At the end of 2020, ENISA published a draft for its own cloud certification system for cloud services, the EUCS - Cloud Services Scheme. The proposal is based on Regulation (EU) 2019/881 and describes the basics for the certification of cloud-based products and services.
The stated goal is to align cloud service security with EU regulations, international standards and industry best practices with existing certifications in EU member states.
Information Security in the Automotive Industry: TISAX
In 2017, the German automotive industry defined TISAX (Trusted Information Security Assessment Exchange), a certification process for data protection in the automotive industry and its suppliers. TISAX is based on the DAV ISA and serves as an industry-wide security standard and uniform audit basis.
FINRA, SOX, FIPS - Compliance and Data Protection for the US Financial Industry
FINRA is the acronym for the Financial Regulatory Authority. This is an independent licensing authority that has its responsibilities delegated by the Security and Exchange Commission (SEC), the U.S. Securities and Exchange Commission. FINRA's responsibilities include the supervision of individuals and firms that trade securities on U.S. exchanges. All firms not already regulated by another self-regulatory organization must become FINRA members.
Our Recommendation: Observe Certificates and Additionally Encrypt Yourself
As in any business relationship, it is advisable to gather all relevant information about your cloud provider. Certificates and standardizations help to achieve this goal. Companies should additionally aim to maintaining a high degree of autonomy. Protecting sensitive data additionally with end-to-end encryption before uploading it to the cloud is therefore essential if you want to retain full control over corporate data.
Encrypted information can always be viewed by the party holding the key. If the encryption is performed by the cloud provider, the keys to decrypt it are also held by the cloud provider - and could fall into the wrong hands or be seized by authorities (see CLOUD Act). With zero-knowledge encryption like Boxcryptor offers, you get the highest possible protection for your data in the cloud.