ISO 27017
Cloud customers are concerned about security - it remains a key reason why organizations hesitate to adopt cloud services despite the flexibility and scalability the cloud can offer. A key concern focuses around the ability of cloud service providers (CSPs) to treat customer data with sufficient care and attention.
The main elements of this are worries that data could end up in the wrong hands and the question of what control a customer has over careless operators. But there are other concerns too: customer identity, segregation of assets on virtual servers and what happens to assets in the event of a CSP going out of business also play on potential cloud users' minds. The ISO 27001 series addresses some of these concerns, but a new standard, ISO/IEC 27017 Information technology - Security techniques, goes further and offers more peace of mind for potential cloud customers. Typical cloud and technical standards address controls and guidance aimed at the cloud service provider alone. What's unique and extremely helpful about ISO/IEC 27017 is that it provides both the CSP and the cloud service customer with guidance and advice. In addition to ensuring services are safe, ISO/IEC 27017 also aims to educate customers on what they should want from their host in the cloud.
It's not only the separation of responsibilities that the standard helps define: ISO/IEC 27017 also goes into much more detail about the type of security controls that service providers should be implementing, helping reduce the barriers to cloud adoption. ISO/IEC 27017 offers a way for cloud service providers to indicate the level of controls that have been implemented. This means documented evidence, backed up by independent sources such as certification to certain standards, showing that appropriate policies have been implemented and, most importantly, what types of controls have been introduced. This information should be shared with the cloud customer before any contract is signed, to help alleviate potential issues in the future. In cases where independent audits aren't practical or would pose a greater risk to information security, the standard does provide an option for CSPs to self-assess. When this is the case, the CSP must tell customers that they have self-assessed.
There's also guidance about any cryptography being used. This applies to both the customer and the provider, as both have responsibilities in this area. The provider should tell the customer how it's using cryptography and help customers apply protection of their own. It should also consider special cases, such as health data, where there may be additional regulatory guidelines. Customers should also be upfront about the type of cryptography they're using, and they ought to be using cryptography if the risk analysis suggests that it's needed. In fact, this is the sort of dispute or misunderstanding that underpins the need for the standard. Not only should both parties assure each other that the network is being protected, they should also be able to assure each other that there's compatibility between the two systems. And, crucially, it should be determined whether these controls apply to data at rest, in transit or both, as this has caused misunderstandings before.
It provides clarity regarding who is responsible for what between the cloud service provider and the cloud customer.