While cloud computing is emerging, transparency, confidentiality and control are key concerns of potential cloud clients.
The cloud business has developed in such a way that cloud clients often lack the necessary information on how the data they move to the cloud is safeguarded and processed, and on what happens if they want to move to another provider, or if their provider terminates its operation or changes the terms of its policies.
Following the urge from the European Commission, the national data protection authorities and information commissioners, the organisations responsible for developing standards to facilitate protection of personal data--the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)--developed the new standard ISO/IEC 27018: "Information technology--Security techniques--Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors." The analysis focuses on the standard's intended purpose, main elements and potential impact. It takes a European perspective; European legislation--current and forthcoming--forms the basis of the analysis. The need for the new standard and its relation to other standards for cloud computing or for the protection of personal information are also examined.
ISO/IEC 27018 provides guidance for cloud service providers that process personally identifiable information (PII) and offers a set of controls which those providers need to implement in order to address the specific risks of public cloud computing. The standard aims to address those risks, help build confidence in public cloud providers, and give guidance on what cloud providers need to achieve in terms of their contractual and regulatory obligations.
It aims to help cloud providers comply with their contractual obligations and includes requirements on being transparent, notifying customers of law enforcement requests for their data, and disclosing the use of subcontractors to the customer, among others.
Seen as a building block for compliance with the national and trans-national legislation, the standard contains elements from the Data Protection Directive 95/46/EC, such as principles for the quality of processing. It also embraces the principle of accountability.
The new standard is auditable, and the cloud provider can be certified for compliance with the standard by third-party independent certification bodies.
However, the standard has to overcome two main challenges for the European market and jurisdiction: its terminology differs from that of the European legal framework, and its scope is limited, covering only cloud service providers acting as PII processors.
Potential positive impacts on the protection of personal data are identified: the standard encourages the industry to adopt measures that comply with personal data legislation, and it is a step towards creating conditions of transparency between cloud providers and cloud clients.
Whether the standard will be accepted, and whether it will live up to the expectations of its developers, remains to be seen in practice.