The team of security experts at acens, part of Telefónica Tech, wanted to share their recommendations so that SMEs avoid putting their data protection at risk when contracting cloud services.
As Pedro Vignau, head of the Legal Department at acens, explains: “The client, as the data controller, needs from providers an exercise of transparency regarding the services they offer. For this reason, prior to contracting, providers must inform the client about what, who, how and where the data processing for the provision of the service is carried out. With this information, the client must be able to carry out the corresponding risk assessment and establish the appropriate controls according to the result, relying on the supplier to establish the necessary security measures.” For this reason, acens recommends that when evaluating a cloud service provider, clients take into account the following key aspects:
- What kind of data will I host in the provider’s cloud? The type of data determines the associated risk and the controls to implement for its correct management. Likewise, the client’s own activity must be analyzed to weigh the relevance of these data.
- Who will process my data besides the provider? It must be assessed whether there is subcontracting in the provision of the service and therefore there are other processors.
- From where will the data be processed? Processing of data from outside the European Economic Area is considered an international transfer, and the guarantees applicable to that processing must be reviewed.
- What security measures does the service provider offer? Once the risk of the processing has been established, the client must evaluate whether the measures the provider applies to the service are sufficient or whether different or complementary ones must be applied, determining how the data should be handled on the client’s side. Security certifications such as ISO 27001 guarantee the client that the provider complies with adequate security standards.
For Fernando Serrano, head of Corporate Security at acens: “It should be taken into account, before using cloud services, that all providers are governed by a co-responsibility scheme in terms of information security, in such a way that, in general and depending on the type of service contracted, the provider must ensure the security measures used to protect the infrastructures where the cloud is located (physical security, electricity supply, air conditioning, communications, hypervisor protection, etc.) and customers must be responsible for the security measures of what they store or display there, because they are responsible for that information, whether or not they are systems managed by the provider”.
This scheme changes depending on the type of service contracted: in Software as a Service (SaaS) offerings, most of the responsibility for security measures falls on the provider, whereas at the other extreme, where the provider only supplies the infrastructure on which customers deploy their own systems (IaaS), the customer’s responsibility for the security measures to be implemented increases.