Concerns over privacy and security risks in cloud computing are still widespread. Malcolm Crompton says a new code of practice for cloud service providers handling personal information could be a game changer.
The promise of cloud computing as information technology’s ‘next big thing’ has now translated into practice for many businesses and governments, but obstacles to more widespread adoption remain.
The maturing cloud market is facing a challenging horizon:
- Sectors with significant personal information holdings – including banking, insurance, health and government – are looking to adopt safe and secure cloud computing solutions for core business data and processes.
- The number of data privacy laws entering into force worldwide has been accelerating, particularly in the Asia-Pacific region.
- Other aspects of jurisdictional risk persist, ranging from law enforcement access, to data localisation, to copyright complexities and beyond.
- High-profile incidents, from the Snowden revelations to a series of major data breaches, serve to reinforce concerns about, and undermine trust in, ICT services.
Prospective government and business cloud customers have maturing needs for which one-size-fits-all solutions are increasingly inadequate. Not only can contractual terms be difficult to comprehend and negotiate – especially for SMEs – they often do not accommodate customers’ external data protection obligations. In the Australian context, these obligations include taking concrete steps to comply with the Australian Privacy Principles (APP 1.2) as well as ensuring that personal information is properly protected when disclosed to an offshore party (APP 8).
A major challenge for cloud service providers (CSPs) is overcoming the trust deficit, and doing so without resorting to bespoke solutions that compromise the cost effectiveness of cloud. Concerns over the privacy and security risks of cloud computing have been a barrier to its adoption. Given the heightened importance of data as a key organisational asset, CSPs – many of whom operate in more than one region – are looking for ways to demonstrate good data management practice while transcending the patchwork of regulations arising in individual jurisdictions.
What is sorely needed is a way to cut through this muddle. We believe that emerging standards will be a game changer on these fronts.
Why standards matter
Standards are a vital aspect of modern society but are often under-appreciated in the ICT sector. That sector is beset with ‘standards’, many of which are not widely adopted or respected.
This is where standards bodies such as the International Organization for Standardization (ISO) add value. The ISO is an independent non-governmental entity comprising national standards bodies from 165 member countries and is responsible for developing influential standards on a range of topics.
ISO in collaboration with the International Electrotechnical Commission (IEC) has published a series of standards on information security known as the ISO/IEC 27000 family. The newest member of the family is ISO/IEC 27018, a code of practice for CSPs handling personal information in the public cloud published in July 2014. ISO/IEC 27018 is notable for several reasons:
- It is the first ISO information security standard to address cloud computing, specifically privacy in public cloud environments
- It is a truly international standard for the cloud (cf. emerging sectoral and national standards)
- It will have credibility – its sibling ISO/IEC 27001 is a well-accepted ICT industry standard that is steadily becoming a benchmark for cloud vendors.
What is ISO/IEC 27018 about?
The aim of ISO/IEC 27018 is to create a common set of privacy and security controls and guidelines that can be implemented by public CSPs (‘PII processor’) that process personal information (‘personally identifiable information,’ or ‘PII’) on behalf of a cloud customer (‘PII controller’) who determines the purposes and means for the processing. PII is defined broadly to mean identifying information, as well as any information that might be directly or indirectly linked to an individual (‘PII principal’). This is in line with the definition adopted by Australia and many other jurisdictions.
The standard directly references controls in the ISO/IEC 27002 code of practice for information security management where they are applicable to the processing of PII in the public cloud. It also introduces additional controls and associated guidance that specifically address the protection of PII in the public cloud.
Notable elements in the ISO/IEC 27018 standard include instructions for CSPs to:
- Support the cloud customer’s privacy obligations, including facilitating the exercise of PII principals’ rights to access, correction and deletion of their PII
- Process PII only in accordance with the instructions of the cloud customer
- Notify the cloud customer of law enforcement requests for disclosure of PII, where this is legally permissible
- When engaging sub-contractors, disclose to cloud customers general information such as their name, countries of operation and means by which they will meet or exceed the obligations of the CSP
- Promptly notify the cloud customer in the event of unauthorised access to PII or an event that results in the loss, disclosure or alteration of PII
- Demonstrate compliance with agreed-upon policies through independent auditing.
ISO/IEC 27018 also calls for public CSPs to adhere to a set of privacy principles outlined in the ISO/IEC 29100 privacy framework. Importantly, these principles align closely with the OECD and APEC privacy principles, which in turn are reflected in many data privacy laws today. By conforming to ISO/IEC 27018 and ISO/IEC 29100, CSPs are setting themselves up to better serve prospective cloud customers from around the world.
Benefits for cloud customers and CSPs
Shifting regulatory and business developments are pointing to the need for cloud contracts to address risks holistically – from the CSP and its sub-contractors, to the cloud customer and its end users. This is where ISO/IEC 27018 will serve the maturing cloud computing market well.
For cloud customers, ISO/IEC 27018 allows them to be assured that their CSP meets (and even exceeds) their external obligations with respect to privacy protection. It serves as a useful reference point that will promote confidence and trust for the increasing number of organisations seeking to apply cloud solutions to their personal information assets.
For CSPs, especially those with global operations, having a single set of verifiable and independently auditable controls for handling personal information in the public cloud is a much better prospect than catering to their cloud customers on an ad hoc basis, or indeed losing potential business opportunities due to lack of assurance.
Adopting the controls in the ISO/IEC 27018 standard will require CSPs to make responsible investments in their internal practices and policies. The rewards are sure to be great: they can expect to enjoy a competitive advantage, enhanced reputation, greater efficiencies, and reduced risk for all parties along the chain.