Originally published on ficolo.com in 2021.
The use of cloud services has increased rapidly, and it might be good for many organizations to stop and consider how they have implemented data security in their systems. When many new services are deployed consecutively in a short period of time, security can easily become an afterthought. Processes have to change, as cloud services require different solutions compared to more traditional application security. It also requires more up-to-date specialist know-how.
It is easy to think that all responsibility for data security would be left on the shoulders of the service providers – unfortunately this is not the case, as most of the responsibility is still on the user of the service. When services are procured, the user has to consider what kind of data is moved into the cloud and how critical the data is. The same risks that affect other services also have to be considered with cloud services. Additionally, there are differences in data security between different cloud models.
Criteria for Assessing the Information Security of Cloud Services
Criteria for Assessing the Information Security of Cloud Services (PiTuKri) is a guidance document published by Traficom’s Cyber Security Centre for assessing the security of cloud services. It defines the different types of data and provides recommendations on the solutions required for data with different security classifications. Different types of information present different risks and require different levels of protection.
From a security perspective, the level of assurance that can be obtained about the ability and reliability of the service provider is crucial. In situations where the service is provided by more than one organization, the risks should be assessed for all organizations involved in the provision of the service.
However, the purpose of the criteria is not to rank the different cloud services but to advise organizations on which service is sufficiently secure for each purpose. When dealing with confidential data, particular attention must be paid to the security of the cloud service.
Different Cloud Service Models
Cloud computing can be implemented in several different ways. A private cloud typically allows for a higher level of security than other cloud service delivery models. It allows reliable separation from other computing environments, user organizations and external actors. Comparing private cloud with public cloud services, the criteria state: “In the public cloud, data is subject to a wider attack surface than in the private cloud, including through other users of the service or external actors.” A hybrid cloud, which combines a private and a public cloud, can also be used as an implementation model. In this case, the private cloud is complemented by services purchased from the public cloud.
Using PiTuKri provides companies with an important tool for evaluating their own cloud services and choosing which implementation model best suits their needs. Other frameworks and existing certificates can be used to assess compliance.
Certificates and services
Ficolo offers customers both fully dedicated and shared capacity, produced in Finland, and we offer public capacity from the public cloud. By taking control of these with the Cloud Management Platform product, the customer can manage all the services in the different zones through a single console. Our services are available from all our data centers – The Air in Helsinki, The Rock in Pori and The Deck in Tampere.
Our cloud security service portfolio is designed to support cloud services and ensure service availability. The portfolio consists of comprehensive monitoring and maintenance services, network security services, backup and Anti-DDoS services and other methods to ensure the continuity and security of your cloud services. Our services help you to have a comprehensive, flexible, and manageable cloud solution that adapts to your security requirements and the capacity you use.
All our sites are audited by Kiwa Inspecta and we have been awarded both ISO 27001 (Information Security Management System) and ISO 22301 (Business Continuity Management System) certifications covering our entire business – our The Rock data center is also audited to meet Katakri IV level. Operational development is a key part of Ficolo’s approach, and we are actively working to improve our services and obtain new certifications.
We are happy to help if your company is considering cloud computing or if you need assistance in assessing the security of your cloud services. Contact us if you’d like to discuss your cloud security needs.