The myth: "My compute environment is hosted in AWS, therefore my data is secure...."
Service-organization cybersecurity certifications and attestations
As cybersecurity professionals, we are often involved in reviewing or producing the control standards and reports that attest to the effectiveness of a firm's information security practices.
Among the many standards and frameworks, the two most common ones that apply to a service organization and focus on data protection controls are 1) SOC 2 and 2) ISO 27001.
Both require an independent third-party auditor to review the controls, but SOC 2 is an attestation engagement whereas ISO 27001 is an accredited certification program. In other words, you can say that your data center is ISO 27001 certified, but strictly speaking there is no such thing as being "SOC 2 certified": the outcome of a SOC 2 engagement is an attestation report with an auditor's opinion, not a certificate. While both standards focus on information security controls spanning people, process and technology, the SOC 2 Type II report (which covers the operating effectiveness of the controls over a period of time, rather than only their design at a single point in time as a Type I does) is usually more in-depth, and it includes the auditor's opinion and the results of the auditor's testing of each control.
A common misunderstanding in third-party risk assessment is that because a hosted infrastructure provider (e.g. AWS) is ISO 27001 certified, a service organization that builds on it as Infrastructure as a Service (IaaS) must be secure as well. The service organization can still lack its own internal controls, so simply pointing to AWS's ISO 27001 certificate does not give it an automatic pass on the security of its own practices. AWS's shared responsibility model draws a clear line between what AWS is responsible for (security "of" the cloud: the physical facilities, the hardware, and the virtualization and managed-service layers) and what the customer is responsible for (security "in" the cloud). In that model, "customer data" is one of the key areas the customer, not AWS, is accountable for, together with identity and access management, operating system and application patching on customer-managed instances, network and firewall configuration, and client-side and server-side encryption. The practical consequence for a third-party review is to ask the service organization for its own SOC 2 report or ISO 27001 certificate, scoped to the systems that actually hold your data, and to examine the controls that the organization itself operates on top of AWS, rather than accepting AWS's certifications as a proxy.
In conclusion, it is good to see that most major public cloud providers have obtained many certifications and attestations under different standards and frameworks, but as trained cybersecurity professionals we need to understand that accepting such accreditations at face value, without examining the controls end to end, is not sufficient for a holistic view of cyber risk.
Retired, but available for consultancy or short gigs. I am well documented and proven, and as a retiree, I’m very flexible in price.
7 years ago: So many good thoughts expressed here, all very similar. I think we can all agree... In cyber security the human IS the weakest link.
Hybrid Cloud | Presales, Solutions & Operations | Finops, AIOps, Automation, DevOps, Security & Resiliency | VMWare, AWS, Azure, GCP | Practice Director
7 years ago: Hey Mac, what's the update on the banking industry? Have they also started moving to AWS?
Technical Director-SemiFab EPC / ATF Facilities
7 years ago: A timely reminder that compute resource transparency is severely lacking. Ignorance is bliss indeed, until your instance / container craps the bed through no fault of your own. Good post. Thanks, Henry!
Director Of Business Development at Leverage Information Technologies
7 years ago: Lol
IT Solution Architect, IT Project Manager, IT Infrastructure, DevOps, Software development, Linux admin, Redmine, Javascript
7 years ago: Customers are often victims of product marketing resulting from huge marketing investments by large corporations. And it's very hard to convince such people to switch to something else.