Cloud Computing

Compliance as an enabler for the use of secure cloud services

Trust and transparency are a strategic success factor

Cloud computing is an integral part of any modern IT infrastructure. It offers numerous advantages such as high flexibility and less complexity, but comes with some challenges, as well. These challenges arise from the Cloud Computing paradigm. First, Cloud Computing as an IT model implies that the Cloud provider instead of the cloud user operates certain layers of the IT stack (e.g., the physical servers or the network and the virtualisation layer). Second, in most cases it is necessary for the Cloud user to transfer data to the Cloud provider for storage and processing.

Video

Trust and transparency are a strategic success factor

1:48
More tools
  • Closed captions
  • Transcript
  • Full screen
  • Share
  • Closed captions

Playback of this video is not currently available

Transcript

Cloud users remain responsible for information security

Regardless, Cloud users remain responsible for the proper operation of the outsourced parts of their IT. Since for Cloud users auditing Cloud providers is rarely practical, they need to rely on other measures to fulfil their responsibility for the operation of the outsourced part of their IT as well as the security of the data being transferred.

Audit reports are an essential building block, especially because they are issued by reliable and independent third parties. Auditors issue corresponding reports, also known as Third Party Assurance reports, which provide a better understanding of the Cloud provider’s operations and the effectiveness of the implemented safeguards.

Trust and transparency are the baseline and an important success factor for the sustainable usage of Cloud Computing – for users and provider likewise.

PwC offers customised services for Cloud providers and Cloud users

For Cloud providers

We have extensive experience with Cloud compliance projects and have a strong focus in the compliance schemes of BSI C5, SOC 1 (ISAE 3402), SOC 2 (AICPA TSC), and SOC 3. Additionally, we conduct projects regarding ISO/IEC 2700x, ISO 9001, ISO/IEC 20000, and ISO 22301 for large, international cloud providers as well as smaller and medium-sized Cloud providers. In doing so, we often combine audit projects to keep the effort and the impact on the Cloud provider’s daily business as low as possible.

While projects for larger Cloud providers tend to focus multi-dimensional, integrated compliance programs, we evenly support smaller and mid-sized providers with determining the suitable compliance scheme and assessing the readiness of their control system (e.g., with regards to BSI C5) as well as setting up the corresponding consulting or audit project.

Focus: Data Protection for Cloud Service Providers

Until now, it has been particularly difficult for Cloud Providers to obtain certification from independent bodies that their individual Cloud Services meet the data protection requirements in accordance with the General Data Protection Regulation (GDPR). This is where the research project "AUDITOR" (European Cloud Service Data Protection Certification) comes in. The goal is the conceptual design, sample implementation and testing of a sustainably applicable EU-wide data protection certification of Cloud Services in accordance with Art. 42 GDPR, which carries out data processing within the scope of Art. 28 GDPR.

Find out more

For Cloud users

When planning to use Cloud services, it is essential to thoroughly steer the selection as well as the operation processes and to understand the compliance-related aspects of the Cloud service. Among other things, this creates the challenge of aligning and adapting IT-related control and monitoring systems to cover changes in the IT risk profile. These changes are specific and depend on the Cloud user’s individual situation such as the type of service and the deployment scenario.

With our extensive experience in IT-related control systems and Cloud-specific risks, we can help Cloud users to select appropriate Cloud providers, plan and conduct audits at Cloud providers, as well as review and update existing Cloud governance processes. Furthermore, we support with Risk Management and Compliance.

Trust and transparency are essential for the successful and compliant use of Cloud services. As a result, reports such as SOC 2 and BSI C5 are important and reliable sources of information that users should include in their procurement and governance processes.

Markus Vehlow,Partner, Risk Assurance Solutions PwC Germany

Contact us

Markus Vehlow

Markus Vehlow

Partner, Risk Assurance Solutions, PwC Germany

Tel: +49 160 7139416

Follow us