{"id":13789,"date":"2015-04-22T15:33:02","date_gmt":"2015-04-22T15:33:02","guid":{"rendered":"http:\/\/www.businesscloudnews.com\/?p=223062"},"modified":"2015-04-22T15:33:02","modified_gmt":"2015-04-22T15:33:02","slug":"iso-27018-and-protecting-personal-information-in-the-cloud-a-first-year-scorecard","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/iso-27018-and-protecting-personal-information-in-the-cloud-a-first-year-scorecard\/","title":{"rendered":"ISO 27018 and protecting personal information in the cloud: a first year scorecard"},"content":{"rendered":"<div id=\"attachment_156162\" class=\"wp-caption alignright\" style=\"width: 320px\"><a href=\"http:\/\/www.businesscloudnews.com\/wp-content\/blogs.dir\/122\/files\/2013\/09\/Data-protection.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-156162 \" alt=\"ISO 27018 has been around for a year - but is it effective?\" src=\"http:\/\/www.businesscloudnews.com\/wp-content\/blogs.dir\/122\/files\/2013\/09\/Data-protection.jpg\" width=\"310\" height=\"232\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">ISO 27018 has been around for a year &#8211; but is it effective?<\/p>\n<\/div>\n<p>A year after it was published, ISO 27018 \u2013 the first international standard focusing on the protection of personal data in the public cloud \u2013 continues, unobtrusively and out of the spotlight, to move centre stage as the battle for cloud pre-eminence heats up.<\/p>\n<p>At the highest level, this is a competitive field for those with the longest investment horizons and the deepest pockets \u2013 think million square foot data centres with 100,000+ servers using enough energy to power a city.\u00a0 According to research firm Synergy, the cloud infrastructure services market &#8211; Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and private and hybrid cloud \u2013 was worth $16bn in 2014, up 50 per cent on 2013, and is predicted to grow 30 per cent to over $21bn in 2015. 
Synergy estimated that the four largest players accounted for 50 per cent of this market, with Amazon at 28 per cent, Microsoft at 11 per cent, IBM at 7 per cent and Google at 5 per cent.\u00a0 Of these, Microsoft\u2019s 2014 revenues almost doubled over 2013, whilst Amazon\u2019s and IBM\u2019s were each up by around half.<\/p>\n<p>Significantly, the proportion of computing sourced from the cloud compared to on-premise is set to rise steeply: enterprise applications in the cloud accounted for one fifth of the total in 2014 and this is predicted to increase to one third by 2018.<\/p>\n<p>This growth represents a huge increase year on year in the amount of personal data (PII or personally identifiable information) going into the cloud and the number of cloud customers contracting for the various and growing types of cloud services on offer. But as the cloud continues to grow at these startling rates, the biggest inhibitor to cloud services growth \u2013 trust about security of personal data in the cloud \u2013 continues to hog the headlines.<\/p>\n<p>Under data protection law, the Cloud Service Customer (CSC) retains responsibility for ensuring that its PII processing complies with the applicable rules.\u00a0 In the language of the EU Data Protection Directive, the CSC is the data controller.\u00a0 In the language of ISO 27018, the CSC is either a PII principal (processing her own data) or a PII controller (processing other PII principals\u2019 data).<\/p>\n<p>Where a CSC contracts with a Cloud Service Provider (CSP), Article 17 of the EU Data Protection Directive sets out how the relationship is to be governed. 
The CSC must have a written agreement with the CSP; must select a CSP providing \u2018sufficient guarantees\u2019 over the technical security measures and organizational measures governing PII in the Cloud service concerned; must ensure compliance with those measures; and must ensure that the CSP acts only on the CSC\u2019s instructions.<\/p>\n<p>As the pace of migration to the cloud quickens, the world of data protection law continues both to be fragmented \u2013 100 countries have their own laws \u2013 and to move at a pace driven by the need to mediate all competing interests rather than the pace of market developments.<\/p>\n<p>In this world of burgeoning cloud uptake, ISO 27018 is proving effective at bridging the gap between the dizzying pace of Cloud market development and the slow and uncertain rate of legislative change by providing CSCs with a workable degree of assurance in meeting their data protection law responsibilities.\u00a0 Almost a year on from publication of the standard, Microsoft has become the first major CSP (in February 2015) to achieve ISO 27018 certification for its Microsoft Azure (IaaS\/PaaS), Office 365 (PaaS\/SaaS) and Dynamics CRM Online (SaaS) services (verified by BSI, the British Standards Institution) and its Microsoft Intune SaaS services (verified by Bureau Veritas).<\/p>\n<p>In the context of privacy and cloud services, ISO 27018 builds on other information security standards within the ISO 27000 family. This layered, interlocking approach is proving supple enough in practice to deal with the increasingly wide array of cloud services. For example, it is not tied to any particular kind of cloud service and, as Microsoft\u2019s certifications show, applies to IaaS (Azure), PaaS (Azure and Office 365) and SaaS (Office 365 and Intune). 
If, as shown in the graphic below, you consider computing services as a stack of layered elements ranging from networking (at the bottom of the stack) up through equipment and software to data (at the top), and that each of these elements can be carried out on premise or from the cloud (from left to right), then ISO 27018 is flexible enough to cater for all situations across the continuum.<\/p>\n<div id=\"attachment_223072\" class=\"wp-caption aligncenter\" style=\"width: 620px\"><a href=\"http:\/\/www.businesscloudnews.com\/wp-content\/blogs.dir\/122\/files\/2015\/04\/Cloud-licenses.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-223072\" alt=\"Software as a Licence to Software as a Service: the Cloud Continuum \" src=\"http:\/\/www.businesscloudnews.com\/wp-content\/blogs.dir\/122\/files\/2015\/04\/Cloud-licenses-1024x528.jpg\" width=\"610\" height=\"314\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">Software as a Licence to Software as a Service: the cloud continuum<\/p>\n<\/div>\n<p>Indeed, the standard specifically states at Paragraph 5.1.1:<\/p>\n<p>\u201cContractual agreements should clearly allocate responsibilities between the public cloud PII processor [i.e. the CSP], its sub-contractors and the cloud service customer, taking into account the type of cloud service in question (e.g. a service of an IaaS, PaaS or SaaS category of the cloud computing reference architecture).\u00a0 For example, the allocation of responsibility for application layer controls may differ depending on whether the public cloud PII processor is providing a SaaS service or rather is providing a PaaS or IaaS service upon which the cloud service customer can build or layer its own applications.\u201d<\/p>\n<p>Equally, CSPs will generally not know whether their CSCs are sending PII to the cloud and, even if they do, they are unlikely to know whether or not particular data is PII. 
Here, another strength of ISO 27018 is that it applies regardless of whether particular data is, or is not, PII: certification simply assures the CSC that the service the CSP is providing is suitable for processing PII in relation to the performance by the CSP of its PII legal obligations.<\/p>\n<p>Perhaps the biggest practical boon to the CSC, however, is the contractual certainty that ISO 27018 certification provides. \u00a0As more work migrates to the cloud, particularly in the enterprise space, the IT procurement functions of large customers will be following structured processes in order to meet the requirements of their business and, in certain cases, their regulators. In their requests for information, proposals and quotations from prospective CSPs, CSCs now have a range of interlocking standards including ISO 27018 to choose from in their statements of requirements for a particular Cloud procurement.\u00a0 As well as short-circuiting the need for CSCs to spend time in writing up detailed specifications of their own requirements, verified compliance with these standards for the first time provides meaningful assurance and protection from risk around most aspects of cloud service provision. 
Organisations running competitive tenders can benchmark bidding CSPs against each other on their responses to these requirements, and then include as binding commitments the obligations to meet the requirements of the standards concerned in the contract when it is let.<\/p>\n<p>In the cloud contract lifecycle, the flexibility provided by ISO 27018 certification, along with the contract and the CSP\u2019s policy statements, goes beyond this to provide the CSC with a framework to discuss with the CSP on an ongoing basis the cloud PII measures taken and their adequacy.<\/p>\n<p>In its first year, it is emerging that complying, and being seen to comply, with ISO 27018 is providing genuine assurance for CSCs in managing their data protection legal obligations.\u00a0 This reassurance operates across the continuum of cloud services and through the procurement and contract lifecycle, regardless of whether or not any particular data is PII.\u00a0 In customarily unobtrusive style, ISO 27018 is likely to go on being a \u2018win\u2019 for the standards world, cloud providers and their customers, and data protection regulators and policy makers around the world.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A year after it was published, ISO 27018 &ndash; the first international standard focusing on the protection of personal data in the public cloud &ndash; continues, unobtrusively and out of the spotlight, to move centre stage as the battle for cloud pre-eminence heats 
up.<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2125,2378,2379,1976,1297,2175,2380,762],"tags":[],"class_list":["post-13789","post","type-post","status-publish","format-standard","hentry","category-data-protection","category-iso","category-iso-27018","category-news-analysis","category-opinion","category-policy-and-regulation","category-richard-kemp","category-standards"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/13789","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=13789"}],"version-history":[{"count":2,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/13789\/revisions"}],"predecessor-version":[{"id":13798,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/13789\/revisions\/13798"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=13789"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=13789"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=13789"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}