Where security meets privacy
On 25th of May 2018 some New Zealand companies are required to comply with the new European General Data Protection Regulation (GDPR). Does GDPR apply to your business and if so are you ready? Read more...
Become familiar with our types of security ratings. Any organisation or (potential) customer of such an organisation can ask for an external assessment. Read more...
Security and privacy are the biggest concerns for organizations that consider moving to the cloud. Our ratings provide transparency in a market that is dominated by complexity and obscurity. Read more...
ISO, PCI, GDPR, SSAE, Cobit, NIST and many more.It is a jungle of standards and frameworks.My providers comply with some standards, but am I secure? Read more...
Addressing security and privacy in projects is a must according to GDPR and can be a real challenge in agile projects. How to bring them together? Read more...
Spoiler alert - we will be soon on Kickstarter! For all those companies who care about your data security... and all those who don't. It's time to start being honest.
In 2018 we have been working with multiple organisations on internal ratings, however none of them decided to publish their results. This clearly shows the challenges in the perception of security both within the assessed organization and from the customer perspective. In 2019 we will be working closely with our partners on bulding the market and creating awareness of the importance of security ratings.
On 25th of May 2018 the General Data Protection Regulation (GDPR) will be enforced. The GDPR is a regulation in EU law (EU 2016/679) on data protection and privacy for all individuals within the European Union. This means that if you are controlling or processing data of EU individuals you are likely required to comply with GDPR. In that case you might have to adjust your business processes, adopt new technologies and appoint a qualified data protection officer among others. Privacy data means all information that can lead directly or indirectly to the identification of a person, like a name, phone number, bank account, email address, cookies, IP address, location data and photos. Failing to prepare for compliance means preparing to fail and can lead to high fines up to €20 million or 4% of your annual global turnover. IISRI offers specialized GDPR services to help New Zealand companies on this journey.
Since intellectual property (IP) is one of the main business drivers of Fujitsu group they have dedicated a whole capability on IP: IP teams, IP governance, IP framework, IP strategy, IP annual reports and participates in global and regional IP standardization efforts. What makes Fujitsu Cloud outstanding is that while they encourage all employees to acquire, maintain and use intellectual property rights, they also direct them to respect those of other companies." It is also clear that Fujitsu Cloud considers cloud security very important. Not only have they published "The White Book of Cloud Security", they have also defined their own cloud security standard, ie. "Fujitsu Cloud Data Security Standard (FJC DSS)"
Tencent Cloud, also referred to as QCloud, is a major market player in China with also presence in Singapore, Canada and USA . QCloud is one of the few cloud providers that does take Intellectual property rights of tenants seriously. That is not surprising if you consider that Tencent Group has a separate business dedicated to IPR related business activities. But besides that Tencent Cloud offers their tenants also a Security Certification service. Tenants can gain with that recognition of their security posture and to provide as such their customers with security assurance.
That privacy of tenants in the East Asian region is not always the same as on the European or US continent we knew, but that even major players like Alibaba Cloud struggle to meet some common privacy principles. While privacy is a challenge Alibaba Cloud offers innovative security services, like Ali Green Network to help protecting intellectual property rights, and security insurance to cover costs in case of security breaches.
While UCloud is expanding their business outside China territories and providing cloud services already in the United States and Germany, ensuring the same level of security of their services abroad seems to be a bit of challenge. We noticed that some of the services they offer in the Chinese market appear not be available for US based customers. UCloud state that "all their datacentre" comply with the law of the People of the Republic of China. If that includes datacenters abroad, this would be in conflict with the local regulations of the abroad locations. UCloud have also been certified against the national Information Security Protection standard of China, but there is no indication that their oversees datacentres are in scope of this certificate. But even if it does, the question is whether this Chinese standard has any appreciation in the US or in the European Union.
Due to Amazon S3 Service Disruption in the Northern Virginia (US-EAST-1) region we have downgraded our rating. This outage shows that AWS still have a few challenges around their fault tolerant design of some of their components of their infrastructure. Given that it took around four hours to recover indicates that also their recovery capability can be improved. The original AWS notice is available here
Acer eDC has their Datacentre in Taiwan and claim to be earthquake resistant. IISRI® takes the challenge and investigates. Taiwan has an aggressive environment with earthquakes, floods and typhoons. The data centre has been built to resist earthquakes of up to 7 Richter magnitude according to Acer eDC. Is that enough? There have been 19 earthquakes in Taiwan with a magnitude of 7 Richter or higher since 1900.Based on this historical data, the likelihood of a next earthquake in the next ten years to be higher than 7 Richter and thus the likelihood of damage to the Acer eDC data centre is substantial.
The best assurance IISRI® could find on privacy is that QingCloud states that they “promise” to keep tenant’s data confidential and not to disclose tenant’s data to third parties. It is possible that in China a promise has a different meaning and provides more assurance than in Western countries, but we would not bet our privacy on it. There are also other statements made by QingCloud that indicate that they may not respect tenants rights. It seems that QingCloud has other priorities than ensuring privacy and intellectual property rights of tenants information.
Amazon Web Services, nominated by many as the king of Cloud, have consistently outperformed their competitors. While they were placed most favourably in Gartner’s magic quadrant, the king was not so royal when it came to security in the past years. This has now changed and AWS is now also catching up with security aiming at being also on the top with security. They have demonstrated that security is a top priority to them by complying with numerous local and international security standards, ensuring resiliency, understanding and promoting security architectures and ensuring security of tenant data. Not only are they ensuring securing of their own infrastructure AWS is also more and more offering security services to their tenants.
Azure recent improvements are considered a great leap forward in the security of their cloud services. In the last months Azure has for example removed RC4 as a weak cipher, is certified to meet the EU –US Privacy Shield requirements, added Information Protection Azure, enabled integration with external Hardware Security Modules (HSM) and even supports the Lamp stack. Azure also sets the bar high by providing good transparency around security and by doing so Azure shows confidence in their security posture. While there are some minor flaws Azure tops the list of IISRI's cloud security ratings.