Setting The Standard for Clouds

In a blog a few weeks ago, I mentioned that here at Extreme we were undertaking additional efforts to certify ExtremeCloud IQ to new ISO standards. I’m pleased to inform you that, WE DID IT!

Indeed, ExtremeCloud IQ is the only cloud network management solution triple-threat, with ISO 27001, ISO 27017, and ISO 27701 certifications. Plus, we are now CSA STAR, and we’ve undertaken SOC 2 Type 1 and 2, which will be completed over the next 6 months!

What’s ISO?

ISO is the International Organization for Standards. They are based in Switzerland and create standards for just about everything you can imagine. From shoe sizes to wine glasses, they have an official international standard for everything.

Using certified assessment partners, these partners audit an organization to ensure processes and procedures meet or exceed a given ISO standard.

ISO 27001

ISO 27001 is the initial certification we’ve had for a few years. This standard implements an ISMS, or Information Security Management System. The key here is “system.” The ISMS is not a single policy, but rather, an entire set of policies, standards, and procedures that govern how we operate Cloud IQ, and we must follow them. From how we check the backgrounds on our employees, to the encryption we use to protect your data, we have volumes of written standards that are built around 114 separate ISO 27001 controls designed to protect your data. The ISO audit then looks at all 114 of those controls and we provide evidence that we have a process and procedure in place to meet the control standard, and we show evidence that we’re actually implementing that standard.

ISO 27017

ISO 27017 is not a certification, but a statement of compliance, as it does not implement its a system. ISO 27017 is effectively an extension of ISO 27001, and adds additional controls to the base of 114 used previously. These additional controls are specific to cloud operations, and cover issues like data export, deletion, customer-based disclosures of cloud information, and more. ISO 27017 is the standard for a SaaS operation.

ISO 27701

This is the big one. This is a net-new standard that we are very proud to have. You may have heard of ISO 27018 before, but ISO 27701 is new and is a complete ISO system, implementing what’s now known as PIMS, or Privacy Information Management System. This standard deals solely with issues that surround data privacy, protection, retention, and management. If you’re concerned about GDPR, CCPA, or any other PII and data protection issues, our ISO 27701 certification should ease your mind. This standard covers all aspects of ExtremeCloud IQ having your data, and how we manage and ensure complete privacy.

CSA STAR

The Cloud Security Alliance, or CSA, is a not-for-profit organization with the mission to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing. The CSA is made of member organizations whose purpose is to raise awareness and assist in helping to define secure cloud computing.

STAR, or the Security Trust Assurance and Risk program within CSA is a multi-tiered program designed to map a cloud solution to various standards and assess their compliance with security best practices.

The first stage of STAR is Level 1, which is where Cloud IQ is today. This level is attained by completing the CAIQ (Consensus Assessment Initiative Questionnaire) which is currently in version 3.1. This questionnaire is a simple yes/no format, assessing hundreds of separate elements about a cloud solution and offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. The questions in the CAIQ are mapped to the CCM, or Cloud Controls Matrix, a meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations.

Using our answers to the CAIQ, along with the CCM, anyone can see how Cloud IQ stacks up against all of the standards out there.

Statement of Applicability

Also new this year with our ISO program is a change to our statement of applicability. Our SoA has been revised to cover all three ISO certifications across all of the delivery vehicles we have for Cloud IQ! That’s right, whether or not you use public cloud, private managed instances, or the new ExtremeCloud Edge, our ISO standards cover you!

There you have it! The industry’s most comprehensively certified cloud network management solution, certified to international standards. You can view all of these standards, certifications and more by visiting https://www.extremenetworks.com/cloud-technology/cloud-security/

So, until next time, keep your head in the clouds….

Additional Resources

• ISO 27001: https://www.iso.org/standard/54534.html
• ISO 27017: https://www.iso.org/standard/43757.html
• ISO 27701: https://www.iso.org/standard/71670.html
• CSA: https://cloudsecurityalliance.org/
• CSA CCM: https://cloudsecurityalliance.org/research/cloud-controls-matrix/

ExtremeCloud IQ’s STAR Registration: https://cloudsecurityalliance.org/star/registry/extreme-networks