ROUTE06

Security in Cloud Services

2023-7-26

Yoshitaka Miyata

With the proliferation of SaaS and other cloud services, security issues are beginning to attract significant attention. Cloud services offer numerous advantages, such as no upfront investment, low startup costs, and accessibility via the Internet. At the same time, however, there are security risks.

In this article, we provide an overview of the security measures cloud service providers should adopt and explain the different types of security certifications. Akinori Awatsu, CEO of Skygate Technologies, also contributes his comments on each topic so that the article reflects the security situation actually encountered in practice.

Akinori Awatsu, CEO/Founder, Skygate Technologies, Inc.

Former Communications and Cyber Officer, Japan Ground Self-Defense Force (12BU Communications) / Security Engineer / Currently a member of the Space Industry SWG, Cyber Security Research Group, Ministry of Economy, Trade and Industry

In charge of the communications and cyber area in the Ministry of Defense and the Self-Defense Forces. Retired after serving in Ichigaya and in a unit under the Minister's direct control. Moved to a domestic cloud accounting software startup and worked as an engineer, security manager, FSA regulatory compliance lead, PdM, etc. until the company went public. Left in 2020 and founded Skygate Technologies.

Security Risks of Cloud Services

Security often feels like a black box, especially when considering the risks from the perspective of business and product managers. For instance, the following security risks are commonly found in cloud services.

  • Data leakage: Servers and storage are attacked from the outside, and users' personal or confidential information is leaked.
  • Service outage: In the event of a system failure, services are suspended, resulting in business losses.
  • Supply chain attack: an attack that reaches a well-protected target organization, which is difficult to penetrate directly, by way of a business partner or subsidiary with a relatively lower level of security.

Specific Security Countermeasures

To mitigate these risks, cloud services must implement the following specific security measures.

Access Control

When providing cloud services, it is important to properly control access to the infrastructure and applications that run the cloud services. Access control should be implemented at multiple levels to ensure that user data is not inadvertently leaked or unintentionally exposed to external parties. It is also not uncommon to provide users with features such as permissions and sharing ranges.
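The paragraph above talks about access control "at multiple levels" and about product features such as permissions and sharing ranges. The following is an added example (not code from the article or from any product it mentions) of how those levels compose in a multi-tenant SaaS authorization check: tenant isolation first, then role permissions, then the sharing range of the individual record. All names (the `Scope` values, the role table, the users and documents) are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional


class Scope(Enum):
    """Sharing range chosen by the document owner (assumed product feature)."""
    PRIVATE = "private"  # visible to the owner only
    TEAM = "team"        # visible to the owner's team within the tenant
    TENANT = "tenant"    # visible to everyone in the same tenant


# Role -> actions the role may perform. Constructed for the example.
ROLE_PERMISSIONS: Dict[str, set] = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "share"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    team_id: str
    role: str


@dataclass(frozen=True)
class Document:
    doc_id: str
    tenant_id: str
    owner_id: str
    team_id: str
    scope: Scope


def is_allowed(user: User, doc: Document, action: str) -> bool:
    """Three independent levels; every level must pass."""
    # Level 1: tenant isolation. Cross-tenant access is never allowed,
    # regardless of role. This is the check that prevents one customer's
    # data from leaking to another.
    if user.tenant_id != doc.tenant_id:
        return False
    # Level 2: role permission. Even the owner is bound by their role,
    # so an "editor" owner still cannot "share".
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    # Level 3: sharing range set on the record itself.
    if user.user_id == doc.owner_id:
        return True
    if doc.scope is Scope.PRIVATE:
        return False
    if doc.scope is Scope.TEAM:
        return user.team_id == doc.team_id
    return True  # Scope.TENANT: any member of the tenant who passed level 2


def list_visible(user: User, docs: Iterable[Document]) -> List[str]:
    """IDs of the documents the user may read, for a listing endpoint."""
    return [d.doc_id for d in docs if is_allowed(user, d, "read")]


def get_document(user: User, doc_id: str,
                 store: Dict[str, Document]) -> Optional[Document]:
    """Fetch by ID. Returns None both when the document does not exist and
    when the user may not read it, so the response does not reveal whether
    an ID belongs to another tenant."""
    doc = store.get(doc_id)
    if doc is None or not is_allowed(user, doc, "read"):
        return None
    return doc


# Constructed sample data: two tenants, several roles and teams.
ALICE = User("alice", "tenant-a", "team-1", "editor")
BOB = User("bob", "tenant-a", "team-1", "viewer")
CAROL = User("carol", "tenant-a", "team-2", "admin")
DAVE = User("dave", "tenant-b", "team-9", "admin")

DOCS = [
    Document("d1", "tenant-a", "alice", "team-1", Scope.PRIVATE),
    Document("d2", "tenant-a", "alice", "team-1", Scope.TEAM),
    Document("d3", "tenant-a", "alice", "team-1", Scope.TENANT),
]
STORE = {d.doc_id: d for d in DOCS}

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE):
        print(u.user_id, "can read:", list_visible(u, DOCS))
```

Note the ordering: the tenant check comes first so that an admin of another tenant is rejected before any role or sharing logic runs, and the fetch-by-ID path answers "not found" for both missing and forbidden records. Listing endpoints should reuse the same predicate as the fetch endpoint; a mismatch between the two is a common source of unintended exposure.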

Network Security

In cloud services, network security should also be strengthened. Specifically, firewalls and WAFs (Web Application Firewalls) are commonly used to block unauthorized access, and CDNs and similar measures are commonly used to absorb DDoS attacks (attacks that overwhelm a service with a flood of requests so that it can no longer respond).

Data Security

Security of user data is also important for cloud services. Specifically, data encryption and backups should be implemented. In addition, it is already widely accepted that privacy policies should be developed and clearly explained to users regarding data handling.

Periodic Review and Improvement of Security Measures

In cloud services, security measures should be reviewed and improved on a regular basis. Specifically, security reviews should be conducted, vulnerabilities should be diagnosed and remediated, and security policies should be formulated to keep up with the latest security technologies.

Once again, looking at the above specific efforts from the product manager's perspective, it is important to consider whether sufficient man-hours are spent on these items and whether security requirements are taken into account when designing specifications based on business requirements.

Until PMF (seed to pre-Series A for a startup), the emphasis is on developing functions that create intrinsic value for users rather than on security. However, for cloud services that are mainly B2B, if the service is not designed with security in mind from the beginning, or no development budget is set aside for it, security becomes a bottleneck when deploying to enterprises, which directly leads to lost orders.

Awatsu's comments

Security measures for cloud services are generally taken in stages as the functions offered are expanded and as the user base matures and grows in scale. However, it is difficult to take care of all security measures, so priority is given to access control that directly leads to information leaks and DDoS measures that lead to service interruptions.

Especially in the case of startups, it is not uncommon for security-related issues to be left blank, as they often lack sufficient development resources. It is advisable to assume security requirements in advance according to the industry and scale of the customers to be served, and to update the development plan as needed while keeping an eye on the business side so that the lack of security measures and functions does not become an obstacle during business negotiations.

Security certifications that cloud services may comply with

It is common for cloud service providers to undergo security assessments by third-party organizations in order to increase confidence in their security. Let's take a look at security certifications for cloud service providers.

ISMS (ISO27001)

ISMS is an abbreviation for Information Security Management System, a framework for establishing rules and procedures within an organization to achieve information security. It covers assessment, planning and implementation of information security measures, monitoring and evaluation, and improvement.

ISMS is often based on ISO27001, a standard of the ISO (International Organization for Standardization). In Japan, the term ISMS generally refers to the ISMS Conformity Assessment System, which recognizes compliance with ISO27001; this is also referred to as ISMS certification. The standard is international and well known in Japan, and many Japanese companies and organizations have obtained the certification, but in fact not many organizations in the United States have.

For example, when an SMB company acquires the certification, it takes about 6 months to 1 year of preparation, about 1-1.5 million yen in consulting fees for that preparation, plus about 300,000 yen in application fees. After acquisition, there is an annual maintenance fee of about 300,000 yen. Basically, the cost increases with the size of the company and the number of offices. If you have personnel within your company who are knowledgeable about security, you can cut costs significantly, especially the consulting fees.

ISO 27017

ISO 27017 is a set of information security guidelines for cloud service providers. It differs from a typical ISMS in that it includes recommendations for addressing risks and security challenges specific to cloud computing, for example risks associated with virtualization technologies and security challenges that arise from multi-tenancy.

The standard provides standard procedures for cloud service providers to properly manage information security risks and ensure data protection, access control, system availability, and compliance with legal requirements. This allows cloud service providers to mitigate security-related concerns and provide peace of mind to their customers.

As with ISMS, the certification is not difficult to obtain and the cost is comparable. However, cloud service providers that offshore development or outsource customer success as BPO to a separate company may incur additional costs, since those parties fall within scope.

ISMAP

ISMAP (Information System Security Management and Assessment Program) is a relatively new program, started around 2021, that assesses whether cloud services meet the security requirements set by the Japanese government. It is modeled after FedRAMP, the American program for risk management in the government's use of cloud services.

This program is for the government, and it is necessary to obtain it when providing services to government agencies such as the Digital Agency. Unlike ISMS and ISO 27017, the criteria for certification are diverse, and the cost is also high (approximately 5-10 million yen for the first year, and 10 million yen for each following year). It will be difficult to bear the cost and operational burden in the Series A and B phases, so it will have to be considered after that time.

SOC (Service Organization Control)

SOC is a set of reports on the internal controls of service organizations developed by the American Institute of Certified Public Accountants (AICPA). SOC includes SOC1, SOC2, and SOC3, each with different evaluation items. All of these reports are issued by an auditing firm, and one notable feature is that SOC1 and SOC2 can be addressed together.

Because the reports are issued by an auditing firm, they have international validity. When providing cloud services to major financial institutions, not having a SOC report is a direct cause of lost business. In the first year, a security evaluation is conducted as of that point in time, and the cost is about 5-10 million yen. In addition, preparation for acquisition often takes about one and a half years.

SOC1

SOC1, formerly known as SAS70 (Statement on Auditing Standards No. 70), is a report on the internal controls of a service-providing organization. The SOC1 report is used to evaluate internal controls related to business processes that affect a company's financial accounting. It is definitely required if the service holds master data that affects sales and ARR.

In concrete terms, if a SaaS in the accounting area has obtained a SOC1 report, then when an enterprise user undergoes an audit, the SOC1 report substitutes for auditing the portion handled by the SaaS. Conversely, if the SaaS has no SOC1 report, the enterprise user is required to audit and evaluate the SaaS they are using on their own.

SOC2

SOC2 is an audit standard for evaluating the information security management of cloud services. It focuses on evaluating the security, availability, confidentiality, privacy, and processing integrity of the service provider organization. Cloud services such as Box and Salesforce, which collect, manage, and use a wide range of sensitive information, obtain it because the report can replace an audit from an information security perspective. Cloud services whose users include listed companies that handle highly sensitive information are encouraged to actively obtain this report.

Basically, SOC2 costs the same as SOC1. However, since the scope of SOC2 can be narrowed or widened (there are five trust principles, and you can choose to be assessed against only one or against all of them), SOC2 has a wider cost range than SOC1.

SOC3

SOC3, like SOC2, is a report on the internal controls of a service-providing organization, but in a simplified format intended for general distribution. For cloud services that are primarily B2B, it is often not necessary to obtain a SOC3 report, as it is aimed at the general public.

P Mark (Privacy Mark)

Finally, P-Mark is a certification for a personal information protection management system (PMS). It is as well known as ISMS in Japan, and about 20,000 companies in Japan are said to have obtained it. It is particularly important for businesses that handle personal information, but it is not limited to information systems or cloud services. The cost of certification is about the same as that of ISMS.

Policies for Certification

First of all, as a product manager, you need to raise your awareness even before enterprise deployment is in sight, while focusing on functional development until PMF. Rather than proceeding with certification out of the blue, we recommend clarifying SLAs with users or answering the security checklists that users request. As the number of orders increases, users will share security checklists more frequently, and we recommend considering certification once responding to individual requests becomes difficult.

In that case, the first thing to consider is ISMS for the company, followed by ISO 27017, which is specific to cloud services. Both are within reach of even a small startup in terms of preparation and cost, and the audit can be completed in a few days. Next, it is preferable to obtain an internationally recognized SOC report.

Nevertheless, since SOC requires significant preparation and expense for a startup, one option is to have 10-20% of the cost of the security measures covered on top of the fee for the cloud service. Finally, acquiring the above certifications early is not only a burden: because audit fees are relatively inexpensive for a small organization, obtaining the certification before the organization grows is also an option. In addition, both ISMS and ISO27017, for example, remain valid for three years once certification is obtained.

To summarize a bit, the preparation and cost of certification can be burdensome for startups and new businesses, so it is a good idea to first seek a way to get through with SLAs and answers to checklists required by users. After that, we recommend aiming to acquire ISO27017, SOC1 and SOC2 certification at a time when the number of users is increasing and individual responses are becoming more difficult.

Awatsu's comments

ISMS is the first content to consider, as it is often requested by customers and the widest range of responses that can be relatively handled just by being certified. Many government bids also have ISMS as a requirement. Nevertheless, the requirements and their impact differ depending on the service and industry sector, so it is important to research and make decisions based on what compliance and security measures the customer is looking for, especially when security-sensitive enterprise projects are envisioned. In the financial, medical, and security sectors, there are separate guidelines based on their respective regulatory laws, and in the case of overseas expansion, compliance with GDPR, etc. is also necessary.

Summary

In this article, we have explained the importance of security when providing cloud services, how to take countermeasures, and security certification. Cloud service providers are advised to consider obtaining ISO27017, SOC, and SOC2, in that order, as desirable certifications once the number of users increases and individual responses become difficult.

As cloud services develop in the future, it is expected that there will be an increased awareness of security risks and the need to take security measures, including certification. Cloud service providers should proactively provide information on security measures, and users should take thorough measures to ensure their own security, so that they can use cloud services with greater peace of mind and look forward to further development.

About the Author

Yoshitaka Miyata. After graduating from Kyoto University with a degree in law, he gained experience in a wide range of management consulting roles, including business strategy, marketing strategy, and new business development at Booz & Company (now PwC Strategy&) and Accenture Strategy. At DeNA and SmartNews, he was involved in various B2C content businesses, both through data analysis and as a product manager. Later, at freee, he launched new SaaS products and served as Executive Officer and VP of Product. Currently, he is the founder and CEO of Zen and Company, providing product advisory services from seed stage to enterprise-level. He also serves as a PM Advisor for ALL STAR SAAS FUND and as a Senior Advisor at Sony Corporation, primarily supporting diverse products in new business ventures. Additionally, he has been involved in the founding of the Japan CPO Association and now serves as its Executive Managing Director. He is a U.S. Certified Public Accountant and the author of "ALL for SaaS" (Shoei Publishing).
