Microsoft recently adopted the ISO/IEC 27018 standard. What is it, and is it something we should look for in cloud services and products?
ISO/IEC 27018 is a privacy standard designed to help protect personally identifiable information (PII). The standard addresses how public cloud providers -- acting as agents for customers -- process PII on behalf of those customers. Formally, cloud providers in this role are known as PII processors. Providers that adhere to the standard must follow established rules regarding how PII is used and shared.
For example, compliant cloud providers agree to process PII only in ways designated by customers. In addition, providers agree to transparency about where customer data is stored and how it is processed. Policies about data retention, transfer and deletion should also be readily available to customers.
As part of the effort to protect customer data, compliant cloud providers adhere to security controls to protect PII. These include restrictions on how PII data is transmitted over public networks, limitations on the use of mobile storage devices and procedures for data recovery.
The standard also includes practices with regard to disclosures. If a customer's data is shared with a government agency, the cloud provider will inform the customer of the release. However, note that there is an exception to this rule if the cloud provider is under a legal order not to disclose this information.
The adoption of ISO/IEC 27018 is part of the fabric of trust developing between cloud providers and their customers. Responsibilities and obligations are documented and disclosed, so both providers and customers know how PII will be treated. This does not guarantee, however, that cloud provider practices will meet the requirements of every organization, but it is at least a common baseline.
If your organization is storing PII, it is advantageous to understand the scope of this standard and your cloud providers' level of adherence to it. If you manage data for citizens of the European Union or store data in EU countries, you may be subject to stricter privacy regulations than if you store similar data for U.S. citizens in U.S.-based data centers.
Ask the Expert:
Perplexed about cloud security? Send Dan Sullivan your questions today. (All questions are anonymous.)