Teaming up against a common enemy
Our increased awareness around compliance and the need for privacy is as high as ever. This development contradicts the cyber security approach to “monitor it all” in order to prevent as many breaches as possible.
Generally, the optimal way to prevent data breaches is to understand why and where it is happening. As most executives know, data breaches are a high cost in terms of revenue and invaluable data, image, and reputation are on the line. For 83% of companies, it is no longer a question of whether a data breach will happen but when it will happen (IBM report: Cost of a data breach 2022).
Stolen or compromised credentials are some of the most common causes of data breaches and are often somewhat difficult to trace back; in 2022, it took an average of 327 days to identify a data breach from compromised credentials leading to an average increased cost of 150.000 USD more than the average cost of a data breach (IBM report: Cost of a data breach 2022). Compromised credentials can quickly be an enormous concern as any traceability of who has accessed the compromised personal data is nearly impossible. With the increasing focus on privacy, customers’ and staff’s personal data is often the endgame for malicious actors to access. As a result, compliance and cyber protection have a common interest and enemy.
Information security controls for cloud services
The vast majority of public and private enterprises across Europe have an urgent need to ensure compliance with the ISO/IEC 27000 frame. Furthermore, companies that utilize, vendor or offer cloud services which are used to store, use or process Personal Identifiable Information (PII) are equally accountable for ensuring that this is done adhering to the set regulation and legislation that are applied within the country and primary operating industry the company reside as an enterprise.
To store, use or process PII data in a compliant manner, the go-to principles are stated within ISO/IEC 27017/27018 standards. The standards ISO/IEC 27017 and ISO/IEC 27018 provide additional cloud-specific implementation guidance based on ISO/IEC 27002 and additional controls to address cloud-specific information security threats, PII handling and risk considerations. ISO 27017 provides controls and implementation guidance intended for public cloud service customers and public cloud service providers, whereas ISO/IEC 27018 provides controls intended for public cloud service providers who also act as public cloud PII processors.
The set regulation and legislation that are applied within the country and primary operating industry your enterprise resides in requires you to consider the implications of data processing and how the processed data is protected – at rest as well as in processing. Whilst keeping this in mind, the data ownership and processing are kept in control to the appropriate level.
Achieving cloud security while protecting PII and GDPR compliance
Trifork ensures our customers’ existing setup is in accordance with the principles required in the legislation and adheres to the demands their end customers set for them. We ensure that both the information security management system (ISMS) supports set framework utilization and insight into the implementation of controls either is in place (Frameworks include ISO/IEC 27017 and ISO/IEC 27018, on top of your existing ISMS based on ISO/IEC 27001/27002).
The end state of the applied efforts is that your enterprise will achieve compliance with set regulations and the best practices within security and compliance around data in the cloud and GDPR. This will prevent costly fines and avoid unnecessary processes in relation to PII data in the cloud.
“Staying compliant while still protecting your company’s business-critical data is vital to adhere to the current standards set by most customers. It is, therefore of crucial
Business Unit Leader, Trifork Cyber Protection, Anders Fleinert, says:
importance that companies consider how they are at the forefront of using the latest security standards.”