WeCyberYou! Unlocked Podcast
The WeCyberYou! Unlocked Podcast breaks down cyber security, online safety and digital risks into clear, practical conversations anyone can understand.
Each episode is designed for a specific audience, ensuring the advice is relevant, accessible and grounded in real-world scenarios - not technical jargon.
Cyber Security Frameworks Demystified Part 6 - ISO/IEC 27017
In this episode, we break down what ISO/IEC 27017 is, how it helps secure cloud environments and why it’s essential for organisations using cloud services.
Duration: 0:22:50
Visit https://www.wecyberyou.com for more cyber security education, resources and awareness content like this.
Thank you for listening.
WeCyberYou! Team
Like and follow us to be notified when a new episode is released on this channel.
SPEAKER_01: Think for a second right now about all the enterprise data you rely on every single day. I mean, we talk about the cloud constantly, right?
SPEAKER_00: Oh, all the time. It's a massive buzzword.
SPEAKER_01: Exactly. We throw the phrase around as if our data is just, you know, floating in some ethereal fluffy white vault up in the sky.
SPEAKER_00: Like magic.
SPEAKER_01: Right, like magic. But the reality is, um, the cloud is really just someone else's computer.
SPEAKER_00: Yeah, that's the harsh truth.
SPEAKER_01: It is. It's this massive, highly complex, deeply interconnected physical infrastructure, and securing it requires a completely different playbook than the old days of just, you know, locking a server rack in a basement.
SPEAKER_00: Oh, absolutely. The old rules just don't apply anymore.
SPEAKER_01: You really do. And welcome. You're listening to the WeCyberYou! Unlocked podcast. We are thrilled you're here with us today.
SPEAKER_00: It is great to be here.
SPEAKER_01: Before we get into the weeds, please take a second to follow the channel right now, wherever you are listening, and be sure to visit WeCyberYou.com for more incredible content, resources, and deep dives exactly like the one we're doing today.
SPEAKER_00: Yeah, there is a ton of great material on the site, but for today, I'm really excited to dissect the frameworks that actually govern this digital ecosystem we all operate in.
SPEAKER_01: Me too. So today we are undertaking a deep dive into excerpts from the ISO 27017 standard.
SPEAKER_00: A very important one.
SPEAKER_01: Huge. Our mission here is to demystify what this international standard actually is. Uh, explore how it specifically protects our cloud environments, and really understand why it acts as a sort of shortcut to grasping global cybersecurity best practices.
SPEAKER_00: Right. Because for anyone managing risk or deploying architecture or honestly just trying to keep their company's name out of the breach headlines.
SPEAKER_01: Which is everyone, hopefully.
SPEAKER_00: Right. For all those people, this is required reading.
SPEAKER_01: Absolutely. So let's establish the baseline right away. What exactly are we looking at with this specific standard?
SPEAKER_00: Well, the one-line definition from our sources today establishes that ISO 27017 is a global standard providing security guidelines specifically designed for protecting data and systems in cloud environments. It's essentially the definitive, uh, operational playbook for keeping cloud architecture safe.
SPEAKER_01: Okay, let's unpack this, because if you've been in the cybersecurity space for any length of time, you already know we have a massive library of standards.
SPEAKER_00: Uh-huh. An overwhelming amount.
SPEAKER_01: Right. So we need to understand why a cloud-specific standard is even necessary at all.
SPEAKER_00: Yeah, that's a fair question.
SPEAKER_01: Think about traditional on-premise cybersecurity. It's kind of like building a highly secure corporate headquarters on a private plot of land. You own the perimeter.
SPEAKER_00: You pour the concrete.
SPEAKER_01: Exactly. You pour the concrete, you install the physical badge readers on the doors, you configure the internal network switches, and, uh, you even control the HVAC system keeping the servers cool.
SPEAKER_00: You govern the entire stack, top to bottom.
SPEAKER_01: Right. Total control.
SPEAKER_00: Total control, which means total visibility. That is the traditional on-premise model.
SPEAKER_01: But moving to the cloud fundamentally shifts that environment. It's less like building a private corporate campus and, well, more like leasing a floor in a massive 90-story commercial high-rise.
SPEAKER_00: That's a great way to put it.
SPEAKER_01: Because you don't own the building. You don't own the lobby security desk. You share the elevator shafts and the central air conditioning with thousands of other corporate tenants.
SPEAKER_00: And some of those tenants might be actively targeted by threat actors.
SPEAKER_01: Exactly. So the legacy rules of securing a private campus just do not cleanly map to securing a shared commercial high-rise. The governance boundaries just kind of fracture.
SPEAKER_00: They absolutely do. And that is an excellent way to conceptualize the friction we're talking about. It explains exactly why ISO 27017 was drafted in the first place.
SPEAKER_01: Right.
SPEAKER_00: But we also have to understand that this standard didn't just emerge from a vacuum.
SPEAKER_01: It didn't just pop up out of nowhere.
SPEAKER_00: No, not at all. It is deeply integrated into an existing, established family of frameworks. Specifically, it builds directly upon two foundational pillars.
SPEAKER_01: Okay, what are those?
SPEAKER_00: First, there is ISO 27001, which lays out the architectural blueprint for an information security management system, or an ISMS.
SPEAKER_01: Okay, so that's the big-picture blueprint.
SPEAKER_00: Right. And second, there's ISO 27002, which provides the actual implementation guidance.
SPEAKER_01: Meaning the actual controls.
SPEAKER_00: Exactly. The detailed list of general security controls.
SPEAKER_01: Right. So 27001 tells you that you need a comprehensive security program, and 27002 gives you the specific catalog of controls to actually make that program a reality.
SPEAKER_00: Spot on. So if we connect this to the bigger picture, ISO 27017 acts as a highly specialized cloud overlay.
SPEAKER_01: An overlay. I like that.
SPEAKER_00: Yeah, it takes those foundational standards and basically just adds cloud-specific controls right on top of them.
SPEAKER_01: Right, because the environment changed.
SPEAKER_00: Exactly. It looks at the baseline rules and asks, okay, how do we adapt this control when the data is sitting in a multi-tenant, hyperscaler data center halfway across the globe rather than, you know, in a server room down the hall?
SPEAKER_01: It translates established security wisdom for the complexities of distributed cloud computing?
SPEAKER_00: Yes. It bridges that gap.
SPEAKER_01: Which brings up a really critical point about governance.
SPEAKER_00: Yeah.
SPEAKER_01: Because if the cloud introduces a completely different environment, the rules regarding who is responsible for that security must change as well.
SPEAKER_00: Oh, drastically.
SPEAKER_01: And this leads us to what is arguably the most paradigm-shifting concept in ISO 27017.
SPEAKER_00: The shared responsibility model.
SPEAKER_01: Yes. But okay, let me push back on this for a second, just to play devil's advocate.
SPEAKER_00: Go for it.
SPEAKER_01: If I'm the chief information security officer for a mid-sized enterprise, and we are migrating our infrastructure to a massive provider like AWS, Google Cloud, or Microsoft Azure.
SPEAKER_00: The big player.
SPEAKER_01: Right, the megacore, I am paying them a massive premium for their service.
SPEAKER_00: A very large bill every month.
SPEAKER_01: Exactly. And they have thousands of top-tier security engineers and literally billions of dollars in infrastructure investment. So shouldn't they be handling the heavy lifting?
SPEAKER_00: You would think so, right?
SPEAKER_01: Yeah. Why am I, as the customer, still heavily involved in the security architecture? Aren't I outsourcing that risk to them?
SPEAKER_00: So that is the most dangerous fallacy a modern organization can fall into, and it is exactly what this standard seeks to dismantle.
SPEAKER_01: Really, the most dangerous?
SPEAKER_00: Absolutely. Because you can outsource the infrastructure, sure, but you can never completely outsource the risk.
SPEAKER_01: Wow.
SPEAKER_00: And that's why ISO 27017 meticulously outlines the shared responsibility model. It acts as the core differentiator of this standard because it clearly delineates the dividing line of accountability.
SPEAKER_01: Okay. Break that dividing line down for us then. Where does the provider's job end and the customer's job begin?
SPEAKER_00: The standard defines it this way: the cloud provider is responsible for the security of the cloud.
SPEAKER_01: Security of the cloud, okay.
SPEAKER_00: Right. This means they secure the underlying physical infrastructure. You know, the concrete data centers, the hardware servers, the hypervisors, and the foundational networking layers.
SPEAKER_01: So they keep the commercial high-rise standing.
SPEAKER_00: Exactly. They guard the lobby and maintain the elevator shafts. But the cloud customer, the business leasing the space...
SPEAKER_01: Yes. The business.
SPEAKER_00: You are responsible for security in the cloud.
SPEAKER_01: In the cloud. I see the distinction.
SPEAKER_00: It's a huge distinction. You are responsible for configuring your specific network rules, managing your identity and access policies, classifying your data, and patching your operating systems if you're using, like, an infrastructure-as-a-service model.
SPEAKER_01: Okay, here's where it gets really interesting, because embracing this requires a massive psychological shift for IT and business leaders alike.
SPEAKER_00: Massive. It changes everything about vendor management.
SPEAKER_01: Right. It moves the relationship from simple vendor procurement to a true operational partnership.
SPEAKER_00: Absolutely.
SPEAKER_01: Think about it. The provider can hand you the keys to an incredibly sophisticated, reinforced digital vault. The cryptography is flawless, the perimeter is impenetrable.
SPEAKER_00: The best money can buy.
SPEAKER_01: But if your internal team misconfigures the access policy and just leaves that vault door wide open to the public internet, that data is gone.
SPEAKER_00: It's out the door.
SPEAKER_01: And when the subsequent breach investigation happens, the provider isn't at fault.
SPEAKER_00: Not at all.
SPEAKER_01: They provided a functioning vault. The customer simply failed to spin the dial.
SPEAKER_00: Exactly. And honestly, ISO 27017 essentially serves as the ultimate service level agreement for security.
SPEAKER_01: How so?
SPEAKER_00: Well, before standards like this became widely adopted, incident response was often just a nightmare of finger-pointing.
SPEAKER_01: Oh, I can imagine. "It's your fault." "No, it's yours."
SPEAKER_00: Exactly. The customer would blame the platform, the platform would blame the customer's configuration, and the true root cause would just get lost in the noise.
SPEAKER_01: Right.
SPEAKER_00: But by explicitly defining the shared responsibility model, the standard ensures that both parties know their distinct operational boundaries long before a crisis ever occurs.
SPEAKER_01: It sets the ground rules. So establishing that boundary is clearly crucial for governance. But you know, a documented boundary doesn't actually stop a threat actor.
SPEAKER_00: No, a piece of paper won't stop a hacker.
SPEAKER_01: Right. It just tells the auditors who is to blame after the fact. So we need to explore how this standard dictates the actual mechanics of our security architecture.
SPEAKER_00: Let's get into the mechanics.
SPEAKER_01: The sources break this down into three highly specific technical areas. Let's start with access control. Since we don't have a physical front door to put a badge reader on anymore, how does 27017 handle access?
SPEAKER_00: Well, when the physical perimeter dissolves, identity basically becomes the new perimeter.
SPEAKER_01: Identity is the new perimeter. That's a great phrase.
SPEAKER_00: It really is. The standard mandates rigorous access controls to ensure only authorized users and systems can interact with cloud resources. And in a cloud context, access control is not just about a user typing in a password. It's about managing this incredibly complex web of service accounts, API keys, and machine-to-machine communications.
SPEAKER_01: Right. It is infinitely more complex than a username and a password. It's really about enforcing zero trust principles.
SPEAKER_00: Exactly. Zero trust is the goal.
SPEAKER_01: We're talking about conditional access policies that actually look at the context of the request. Like, are you logging in from a known corporate IP address?
SPEAKER_00: Or is your device actually compliant with our mobile device management policies?
SPEAKER_01: Yes. Or are you requesting access at 3:00 AM on a Sunday from a totally new country?
SPEAKER_00: Right. All those context clues.
SPEAKER_01: And ISO 27017 dictates that these multi-layered identity validations are in place, because when your infrastructure is exposed to the global internet, robust authentication is literally your only real shield.
SPEAKER_00: Spot on. And once you have authenticated that user and granted them access to the environment, we immediately run into the next major mechanical challenge outlined in the standard, which is data protection. According to our sources, cloud data protection relies on three primary pillars: secure storage, secure transfer, and secure deletion.
SPEAKER_01: Okay, storage, transfer, and deletion.
SPEAKER_00: Right. Storage involves encryption at rest. Transfer involves robust transport layer security, so data cannot be intercepted over the network while it's moving. It really is. It's completely different from the old days.
SPEAKER_01: Right. Because in an old-school on-premise data center, if you had a server full of highly sensitive, classified customer data that you needed to decommission, you could literally pull the hard drive out of the rack and run it through an industrial shredder.
SPEAKER_00: Just physically destroy the media.
SPEAKER_01: Exactly. You physically destroyed the disk. But you cannot do that in a shared hyperscaler data center.
SPEAKER_00: You certainly cannot. They won't let you into the building with a shredder.
SPEAKER_01: Right.
SPEAKER_00: That physical hard drive you are storing your data on is part of a massive storage area network. It might be located in a server farm in Frankfurt or Tokyo. And because it's a multi-tenant environment, your data is sitting on the exact same physical platter as data from a dozen other companies.
SPEAKER_01: That is wild to think about. So if I am a customer and I decide to terminate my contract with my cloud provider, or I simply need to permanently purge a database to comply with a data privacy regulation, how do I actually know the data is gone?
SPEAKER_00: That is the big question.
SPEAKER_01: Because if I just hit delete and the provider just removes the file pointer so I can't see it anymore, the raw ciphertext is still physically sitting on that shared disk, right?
SPEAKER_00: It is absolutely still sitting there.
SPEAKER_01: So what happens when the next tenant rents that sector of the disk? How does 27017 prevent them from reconstructing my digital ghost?
SPEAKER_00: This is exactly why the standard places such heavy emphasis on data deletion protocols. You cannot rely on traditional methods like overwriting the data multiple times.
SPEAKER_01: Why not?
SPEAKER_00: Because in a virtualized storage environment, you don't even control where the data is physically written in the first place.
SPEAKER_01: Exactly.
SPEAKER_00: Instead, the standard points toward mechanisms like cryptographic erasure.
SPEAKER_01: Okay, explain how that works, because I know it is an incredibly elegant solution.
SPEAKER_00: It really is. It relies entirely on encryption. When you store the data, you encrypt it with a unique, highly complex key.
SPEAKER_01: Okay. Step one, encrypt it.
SPEAKER_00: Right. So the data on the shared physical disk is essentially mathematically scrambled gibberish.
SPEAKER_01: Got it.
SPEAKER_00: When it comes time to permanently delete that data, you don't actually try to hunt down every single zero and one across the massive shared storage array to overwrite them.
SPEAKER_01: Because you couldn't find them even if you tried.
SPEAKER_00: Exactly. Instead, you simply destroy the encryption key.
SPEAKER_01: Oh wow. Yeah. So even though the raw data might still physically exist on the hard drive until the provider eventually overwrites it through normal operations, it is rendered permanently, mathematically unreadable to anyone forever.
SPEAKER_00: Exactly. Without the key, it's just permanent noise. It completely neutralizes the risk of data remnants in a multi-tenant environment.
SPEAKER_01: That's amazing.
SPEAKER_00: It's a perfect example of how ISO 27017 takes a traditional security requirement.
SPEAKER_01: Like destroying old data.
SPEAKER_00: Right, and adapts the mechanism for the reality of the cloud.
SPEAKER_01: That is brilliant. Okay, let's look at the third area under the mechanics of safety. We just covered virtual machine security. Wait, no, data protection. Let's move to virtual machine security. We have mathematically destroyed our deleted data, but what about the active data? The stuff sitting in memory while our applications are actively running.
SPEAKER_00: This brings us to the architecture of the compute layer itself. ISO 27017 mandates the rigorous protection of cloud-based systems and virtual environments.
SPEAKER_01: Right.
SPEAKER_00: See, when you provision a server in the cloud, you are rarely renting dedicated physical hardware.
SPEAKER_01: You're just renting a slice.
SPEAKER_00: Exactly. You are renting a virtual machine, which is just a software emulation of a computer running on top of a hypervisor.
SPEAKER_01: And a single massive physical server owned by a cloud provider might be running a hypervisor that hosts 50 different virtual machines simultaneously.
SPEAKER_00: Easily.
SPEAKER_01: Which means you could theoretically have a highly regulated financial institution's virtual machine running on the exact same physical silicon processor as, say, a random startup's experimental testing environment.
SPEAKER_00: It happens all the time. And that proximity creates a massive theoretical attack vector.
SPEAKER_01: I can see why.
SPEAKER_00: If a threat actor compromises the startup's testing environment, could they execute a hypervisor breakout attack? Could they manipulate the shared physical hardware to literally peek across the boundary and read the memory space of the financial institution's virtual machine?
SPEAKER_01: Oh man, that is the nightmare scenario.
SPEAKER_00: It is the ultimate cloud nightmare.
SPEAKER_01: And that is why ISO 27017 dictates strict logical isolation controls. It mandates that providers architect their hypervisors with impenetrable logical walls between tenants, ensuring that compute resources, memory allocation, and network interfaces are cryptographically and logically segregated.
SPEAKER_00: Right. It ensures that the commercial high-rise has firewalls.
SPEAKER_01: Literally and figuratively.
SPEAKER_00: Yes. Between all the leased apartments, it creates a trust boundary that allows multi-tenancy to exist safely in the first place.
SPEAKER_01: But you know, having all of these controls, the access policies, the cryptographic erasure, the logical VM isolation, that's only half the battle.
SPEAKER_00: It's true. Architecture is just the proactive part.
SPEAKER_01: Right. Architecture is proactive. But how do we maintain reactive visibility? How do we prove that these invisible walls are actually holding up under active pressure? Because assuming everything is working perfectly is not a valid security strategy.
SPEAKER_00: No, hope is not a strategy. Which brings us to the final critical component highlighted in our sources: monitoring and logging.
SPEAKER_01: The watchful eye.
SPEAKER_00: Exactly. This standard mandates the continuous, automated tracking of all telemetry and activity within the cloud environment.
SPEAKER_01: So it is essentially wiring the entire digital high-rise with highly sophisticated security cameras, monitoring every API call, every network flow, and every configuration change in real time.
SPEAKER_00: That's a great analogy. But what's fascinating here is logging actually serves a dual purpose. Yes, obviously, it feeds your security operations center so they can detect anomalous behavior and stop an active breach. We know that.
SPEAKER_01: Right. Catching the bad guys.
SPEAKER_00: But more importantly, for the standard, it establishes an immutable historical baseline of truth. Remember the shared responsibility model we unpacked earlier?
SPEAKER_01: Oh, right. Who is to blame when things go wrong?
SPEAKER_00: Exactly. Logging is how you prove that the model is functioning. It creates an undeniable audit trail. If a catastrophic misconfiguration occurs, the logs will objectively show whether the provider pushed a flawed update to the underlying infrastructure, or if an administrator on the customer's side accidentally altered a firewall rule at midnight.
SPEAKER_01: It just removes all ambiguity.
SPEAKER_00: 100%. It's all there in black and white.
SPEAKER_01: Okay, let's synthesize everything we have discussed by walking through a practical scenario. The source material actually provides a simple example that perfectly illustrates how all these pieces interlock.
SPEAKER_00: I love this example.
SPEAKER_01: Yeah. So imagine a mid-sized enterprise that decides to migrate its corporate data archive to a major cloud storage provider.
SPEAKER_00: A completely standard migration that happens thousands of times a day.
SPEAKER_01: Exactly. Now, if both the enterprise and the cloud provider are operating in strict adherence to ISO 27017, we see a layered defense immediately take shape.
SPEAKER_00: Right.
SPEAKER_01: First, the data is encrypted at rest and in transit, securing the payload itself.
SPEAKER_00: Check.
SPEAKER_01: Second, access to that storage bucket is governed by strict, context-aware IAM policies.
SPEAKER_00: Only the right people get in.
SPEAKER_01: Third, the shared responsibility boundary is formally documented. So the enterprise manages the keys and access rules while the provider secures the physical data center in Virginia or Ireland.
SPEAKER_00: A clear division of labor.
SPEAKER_01: And finally, every single interaction with that data generates an immutable log entry that is continuously monitored for deviations.
SPEAKER_00: It just transforms a potentially chaotic, outsourced risk into a tightly governed, highly visible ecosystem.
SPEAKER_01: It really does. So what does this all mean for you, the listener? I mean, why should a developer, a risk officer, or a systems architect dedicate time to understand the nuances of an ISO standard?
SPEAKER_00: Well, the sources outline the strategic benefits very clearly. Implementing ISO 27017 drastically reduces your attack surface in the cloud by closing the architectural gaps that threat actors actively scan for.
SPEAKER_01: It covers the blind spots.
SPEAKER_00: Yes. And it protects highly sensitive data from exposure, which is absolutely critical for avoiding massive regulatory fines under frameworks like GDPR or CCPA.
SPEAKER_01: Well, absolutely, the compliance side is huge.
SPEAKER_00: But beyond just defense, it is actually a business enabler. It builds profound trust.
SPEAKER_01: I think people overlook that part.
SPEAKER_00: They do. But if you are a B2B service provider and you can demonstrate alignment with ISO 27017, you are proving to your enterprise clients that you manage their data with the highest degree of operational maturity.
SPEAKER_01: It is the difference between just claiming you are secure and proving you operate on a globally vetted framework.
SPEAKER_00: Exactly. It's proof.
SPEAKER_01: Okay, let's take a breath and recap the journey we just took through this digital landscape.
SPEAKER_00: It was a deep one.
SPEAKER_01: It was. We started by contextualizing ISO 27017, not as a standalone document, but as a critical cloud overlay built on the bedrock of ISO 27001 and 27002.
SPEAKER_00: Right. The foundation.
SPEAKER_01: And we talked about the complexities of leasing space in a shared commercial architecture.
SPEAKER_00: We then explored the fundamental operational shift required by the shared responsibility model. And we really emphasized that while you can outsource your infrastructure, you retain the ultimate accountability for how you configure your environment within that infrastructure.
SPEAKER_01: You can't outsource risk. From there, we dove into the mechanics of safety. We examined how identity has become the new perimeter for access control, uh, the elegant cryptography behind securely deleting data on a shared storage array.
SPEAKER_00: Crypto erasure.
SPEAKER_01: Yes, and the absolute necessity of strict logical isolation to protect virtual machines from cross-tenant contamination.
SPEAKER_00: Keeping the apartments separated.
SPEAKER_01: Exactly. And we tied it all together with the critical role of continuous monitoring and logging to provide that undeniable audit trail.
SPEAKER_00: It is a comprehensive blueprint that brings desperately needed order and accountability to cloud computing.
SPEAKER_01: It truly is. As we begin to wrap up today's session, I want to remind you one more time to head over to WeCyberYou.com. We have a massive library of resources, articles, and previous deep dives waiting for you. And please make sure you follow the channel right now so you never miss a future discussion.
SPEAKER_00: You know, this whole topic raises an important question.
SPEAKER_01: What's that?
SPEAKER_00: As our infrastructure, both on a corporate level and a deeply personal level, becomes inextricably tied to multi-tenant cloud environments, we really have to rethink our default posture. Well, think about it. A massive international standard like ISO 27017 has to be meticulously drafted just to define the operational boundaries and responsibilities for multi-billion dollar corporations. How should we, as everyday individuals, be evaluating our own digital boundaries?
SPEAKER_01: Oh wow.
SPEAKER_00: Right. When you sync your personal life to a provider's ecosystem, where does your responsibility for your own security architecture begin? It is certainly something to evaluate the next time you authorize an application or spin up a new service.
SPEAKER_01: That is an incredible thought to leave on. You really are the ultimate custodian of your own data footprint. Thank you so much for joining us to unpack the complexities of cloud governance today.
SPEAKER_00: It has been an absolute privilege.
SPEAKER_01: Thank you for tuning in to the WeCyberYou! Unlocked podcast. Stay curious, stay secure, and we will catch you on the next deep dive.