We have achieved two important cloud certifications: ISO 27017 and ISO 27018


We have been preparing for the launch of WEDOS Cloud for a long time. Not only was there software development and extensive hardware testing, but we also looked at legal and security issues and how to incorporate all of this into the modern world.

Since we had already spent so much time on it, we thought it would be worthwhile to have some independent confirmation, so we started working on getting the ISO 27017 and ISO 27018 certifications, which we successfully obtained on 16.03.2021.

Data security is a business and political priority

We live in the Czech Republic, which is part of the European Union, and there is a lot of pressure on the security and protection of personal data. Our goal is to offer you a service where you won’t have to worry about these issues today or in the years to come as data protection demands continue to rise.

For example, many of our competitors have taken a very lax approach to GDPR. We have been really intensively involved in the GDPR topic from the beginning and have consulted with authorities and lawyers. The result for the customer is, for example, a record of the processing contracts for each individual service, including all revisions that customers can download. Since its launch, the system and the texts have been modified to meet the requirements not only here but also abroad. This is one of the reasons why the documents for GDPR are only in Czech for now.

But GDPR is just the tip of the iceberg that has stirred up the topic of data protection and companies’ preparedness for various security and legal pitfalls. Many customers, before choosing us, check whether we comply with what the law requires us to do (for example, we publish all our documents on justice.cz), look for real references, or check whether we are subject to various audits. So far we have successfully gone through everything and gained a lot of experience of what customers want. Even so, we sometimes have to explain how such a “small” company with fewer than 50 employees can be a long-term leader on the Czech market.

GDPR was very much about company processes and procedures. From our side we did not have to change much, thanks to the strict conditions we set according to the international standards ISO 9001 (quality management system), ISO 14001 (environmental management system) and especially ISO 27001 (information security management system).

We have been holding and renewing ISO certifications since 2011 (or 2013 for ISO 27001), mainly because of our customers. They guarantee that what we write is not just empty words, but that we really care about the quality and safety of our services. Everything is guaranteed by an independent audit, which takes place every year as a surveillance audit and once every 3 years as a more extensive recertification. That we have everything in order and are a healthy company has been proven by the demanding ICANN accreditation process.

For most customers this, together with real photos of our datacenters, offices and hardware, is enough. However, with WEDOS Cloud, we have repeatedly encountered the ISO 27017 requirement – Security Controls for Cloud Services.

ISO 27017 – Security controls for cloud services

ISO/IEC 27017 is a relatively new national standard that was adopted in December 2015. The full title is Code of practice for information security controls based on ISO/IEC 27002 for cloud services or Code of practice for information security controls derived from ISO/IEC 27002 for cloud services.

It therefore extends ISO 27002 and implements guidelines specifically related to cloud services and the customers of these services. ISO 27002 is intended for operators who take care of the facilities (hardware, software, support) for data processing.

We chose ISO 27001 because it is ideal for operating services such as our shared web hosting NoLimit, WMS, mail servers and even the registration of contacts in the administration interface: in all of these we come into contact with customer data and have to take care of its secure operation.

What ISO 27017 means in addition to ISO 27001

We had to incorporate specific procedures and responsible persons for:

  • Sharing roles and responsibilities in a cloud environment (customer-provider relationship).
    • This section is mainly about contractual terms (legal relationships, GDPR), but it’s good to be clear about this.
  • Ensuring seamless and secure removal of all data from the cloud.
    • Clear rules must be established for deleting active data and backups, and for monitoring that they are actually deleted. We already had that in general because of GDPR; for the cloud, it’s more specific.
  • Proper and secure separation of customer services in a virtual environment.
    • We also want to prepare the WEDOS Cloud service for the possibility of operating as a private cloud (on dedicated hardware).
  • Strengthening the security of the created virtual machines (VMs).
    • This part is mainly about analyzing potential threats, designing appropriate monitoring, and incorporating other security features above the cloud level into the whole process (DDoS protection, IPS/IDS protection, SYN filter, geoblocking, etc.).
  • Securing administration.
    • The danger lies not only in the cloud service itself, but also in all the services that allow the customer to manage it conveniently.
  • Monitoring cloud services.
    • WEDOS Cloud is a very complex service consisting of many parts. Everything has to be monitored (monitoring, logs, monitoring that the monitoring works) and evaluated (regularly and randomly).
    • Colleagues have access to the different sections according to their expertise, background and job description. It must be ensured that there is always someone available who can obtain the information necessary to solve the problem.
  • Providing security management for physical and virtual networks.
    • Again, this is mainly about monitoring and the people responsible.
    • We have a big advantage here because we have the physical network completely under our management. It’s in our private datacenters, and no outsiders have access to it. Even the two optical routes DC1 <-> DC2 are ours (we dug them ourselves, laid the ducts and blew the fibre in). We know everything about every meter.
    • Internal communication between VMs will not pass through third-party hardware.

These are just a fraction of the things we need to incorporate into official procedures. Dozens of other processes flow from 27001 itself.

ISO 27018 – Protecting personal information in public clouds

ISO/IEC 27018 is the first ever international standard focused on data protection in the cloud. It was created in 2014 as an extension of ISO 27001 and aims to help cloud service providers that process personal data to assess risks and put sufficient controls in place. It is therefore intended mainly for operators of SaaS (Software as a Service) services.

ISO 27018 was created by combining several well-known and authoritative standards – HIPAA (covering personal health information), SSAE and ISAE (audited standards for security management and the effectiveness of security controls, set by the American Institute of Certified Public Accountants (AICPA) and the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants).

This standard has two versions, ISO/IEC 27018:2014 and ISO/IEC 27018:2019. We are certified to the newer ISO/IEC 27018:2019.

What ISO 27018 says about our services:

  • We provide greater security for personal data and information not only about you, but also your customers’ data on our cloud services. This is confirmed by an independent audit which is repeated every 3 years.
  • Most of the security requirements for SaaS services directly require or are based on the international standard ISO 27018. If you are going to discuss data security with your customers, just say that your provider is ISO 27018 and GDPR compliant.
  • ISO 27018 also means that we provide the maximum legal protection available to users.
  • ISO 27018 virtually guarantees that we will not use your personal data for advertising and marketing unless you give your explicit consent. At the same time, we may not share this data with any third party.
  • If there is any subcontractor who could gain even potential access to the data, we must always inform you and you have the opportunity to object or terminate the contract.

Conclusion

You can probably get an idea of what ISO certification actually entails. There is a set of processes that need to be in place, and at the same time there must be accountable persons for them. It can’t be that when something goes wrong, no one is to blame or knows what to do about it. That is absolutely unthinkable. There are always specific people who are responsible for a particular process and must make sure that everything works by taking measures to limit the risk of a problem (regular maintenance, monitoring, log checks, etc.). This is all checked very thoroughly by an independent auditor.

Although we claim that we do certifications mainly for our customers and so that we can sleep well, they also keep us on our toes. Before every audit, you feel nervous and fine-tune everything to perfection. In our industry, the most important thing is not to fall asleep and to move forward all the time and, in fact, sometimes when reviewing or improving company processes we come up with ideas that kick us forward.