Are You Sure That Your Services Are Secure and Private in the Cloud?

A cloud service is a complex ecosystem that consists of many layers and technologies. Cloud services are a shared responsibility between the cloud provider and the customer, and because of this they can be very complex. For example, Software-as-a-Service (SaaS) applications that are consumed by an end user are generally built on a service provider's PaaS solution, which often runs on another provider's IaaS solution. A good illustration is the Comoyo Capture Application, which is hosted on Dropbox, which in turn runs on top of Amazon Web Services. From a security point of view this means that a cloud customer must, sometimes unknowingly, rely on many different parties for the provision of what may appear to be a straightforward service. There may therefore be multiple points of failure and an increased security risk, and from a privacy perspective data may be held or hosted in an unknown environment or location. This creates further difficulties in verifying that internal security policies and the applicable law and legislation are being adhered to.

For example, data export out of the EU needs a lawful mechanism to be compliant with the GDPR. These mechanisms are generally contractual in nature and if you do not know where your data is hosted, who is hosting it and have no contract in place with the party hosting the data, you are at risk of fines under the GDPR.

To complicate things even further, it is very rare for cloud contracts to include anything about the provider's responsibility in case of data loss, and there are very few security and privacy guarantees beyond the basic ones. Many providers place the risks firmly with the customer and, although the provider has responsibilities too, they seek to reduce liability and offer reduced or limited indemnities.

Excis are experts in the cloud. We understand the complexities of cloud ecosystems and shared responsibility services. As a part of our audit services we can provide cloud contract, privacy and security reviews to ensure that the services you get meet regulatory requirements as well as your specific needs. We can help you to reduce risks and to reduce any vulnerabilities that may affect your organisation from a cloud provider or their downstream provider if they are hosted elsewhere. We also help our clients to secure their cloud and monitor for continued security and privacy compliance, thus ensuring continued risk management going forwards.


How Excis can Help

Excis are cloud privacy and security experts and have many years of expertise working with both cloud providers and cloud consumers. We can provide cloud contract, privacy, security and audit reviews to ensure that the cloud services you seek or obtain meet regulatory requirements as well as your business-specific needs. We can help you to reduce risks and to reduce any exposure that may affect your organisation from a cloud provider or supplier contract.


Excis are currently one of the few organisations in the EU who specialise in cloud privacy and auditing. We are one of the very few companies that have certified audit leads who can audit cloud security, privacy and legal terms, obtaining CSA PLA CoC certification for GDPR compliance for our customers. We are registered partners with the Cloud Security Alliance and, as a result, are at the leading edge of cloud technology, security, privacy and compliance. This means that we can assess cloud platforms against the GDPR as well as other privacy legislation for compliance, and can quickly identify gaps so your risks can be managed and mitigated.


The Benefits Realised

  • Ensure that your contracts and cloud services are GDPR / privacy / applicable law compliant,
  • Be able to minimise and mitigate the risk of your critical data being leaked from your cloud environment,
  • Get full control of your user data and access in the cloud,
  • Enhance privacy by identifying gaps in any contract or cloud privacy offering, highlighting key privacy requirements and ways to manage them cost effectively and efficiently,
  • Provide insights for your overall information security and privacy posture to your suppliers, customers and any regulator,
  • Comply with recognised industry privacy and security measures, enhancing your reputation and protecting your legal position,
  • Improve the reliability and availability of your systems and data, and be able to deal with any privacy-related matters such as subject access requests or international data transfers.


The Excis Approach

Excis are cloud privacy and security experts and have many years of expertise working with both cloud providers and cloud consumers. We are currently one of the few organisations in the EU who specialise in cloud privacy, and one of the few organisations that have certified audit leads who can audit cloud security, privacy and legal terms, obtaining security and privacy compliance for our customers. We are registered partners with the Cloud Security Alliance and, as a result, are at the leading edge of cloud technology, security and compliance. This means that we can assess cloud platforms against the latest security and privacy standards and recommendations, future-proofing wherever possible. We can also audit against the GDPR as well as other privacy legislation for compliance, and can quickly identify gaps so your risks can be managed and mitigated.


The Excis Approach starts with an initial assessment based upon your needs. For example, you may be a regular cloud user who would like an assessment of both the privacy and security of one or more suppliers. You may be new to the cloud and need to assess adoption risks, migration, contract discovery and the implementation of privacy and security. We also provide regular compliance audits and assessments to assure ongoing privacy and security. We work with both providers and users of cloud services, so we can help in assuring products as well as capabilities. Our assessments also extend beyond the cloud to records management, service and support, and capabilities.

This means that our approach is both supplier and service orientated, and it covers the full data lifecycle. The benefit of this approach is that it assures full compliance with everything that touches the cloud services you use or provide.

When you engage with Excis we will explain our processes and approach. Typically, we can determine your needs and guide you through your journey starting with an initial risk assessment. We will identify key issues, provide expert advice and recommendations to address any issues that you may face and will agree any implementation needs, deliverables or outcomes. We aim to be efficient and to bring you the maximum benefits with the least impact to your business.

We use several tools and techniques based upon best industry practice. This includes assessments against frameworks and standards as well as underlying controls. Examples include:

  • ISO 27001 Information Security Standard
  • ISO 27018 Code of Practice for Protection of PII in Public Clouds
  • Center for Internet Security Controls (CIS)
  • National Institute of Standards and Technology (NIST)
  • Cloud Security Alliance guidelines such as the CCM, CAIQ and Privacy PLA
  • National Cyber Security Centre (NCSC)


Please email: contact@excis.co.uk or call +44 (0) 1622 926 312 for more information.
