United States: Both Sides Now: Cloud Security And Privacy Enter The Modern Era With ISO 27018

I've looked at clouds from both sides now
From up and down, and still somehow
It's cloud illusions I recall
I really don't know clouds at all

 Joni Mitchell, "Both Sides Now"

Until recently, many cloud users felt like Joni Mitchell in her classic song, "Both Sides Now." No matter how you looked at clouds, you never really understood them, how they worked, or what happened inside them. Cloud storage and data processing were often (and with some justification) viewed as something of a digital Wild West, with few rules or standards for data protection, not much transparency and lots of risk for the unwary cloud user. Even so, many businesses were willing to endure some of these risks in order to secure the multifarious benefits offered by cloud data storage and processing.  However, that view of cloud services in changing, and a new ISO standard is going to advance that change.

ISO 27018: A Universal Standard for a Maturing Business

A clear sign that cloud storage and processing have entered a more mature phase is the fact that there are now international standards for how cloud data is to be secured and protected (and, equally important, how it is notto be used). In particular, we now have the clear principles incorporated in ISO 27018, the first international standard for privacy in the cloud.

Earlier this year, on July 30 2014, the International Organization for Standardization (ISO) adopted ISO 27018 as a voluntary international standard governing the processing of personal information by public Cloud Service Providers (CSP). Even though this standard is voluntary, it is widely expected to become the benchmark for CSPs going forward.

As the first and only international privacy standard for the cloud, ISO 27018 incorporates controls for personally identifiable information (PII). More importantly, demonstrated adherence to ISO 27018 allows a CSP to show that its cloud privacy policies and practices are consistent with the industry's best practices.

ISO 27018 is applicable to all types and sizes of organizations

This includes public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.

ISO 27018 Provides Specific Guidelines for the Protection of PI

The new ISO 27018 impacts the broad swath of cloud activities, including the following:

" ISO 27018 specifies guidelines for the protection of PII. These protections are based on ISO 27002, taking into consideration the regulatory requirements that might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

" ISO 27018 establishes commonly accepted control objectives, controls and guidelines. This includes guidelines for implementing measures to protect public cloud computing in accordance with the privacy principles in ISO 29100.

In still more concrete terms, ISO 27018 means CSPs will not use customer data for their own independent purposes (such as advertising and marketing) without the customer's express consent, and not tie the agreement to use the services to the CSP's use of personal data for advertising and marketing. Also, ISO 27018 articulates clear and transparent parameters for the return, transfer and secure disposal of personal information. In addition, ISO 27018 requires CSPs to disclose the identities of any sub-processor they engage to help with data processing before customers enter into a contract. And if any of the CSP changes subprocessors, the CSP is required to inform customers promptly to give them an opportunity to object or terminate their agreement.

 What Should Cloud Users Do Now?

As a cloud user, what should you do next to take full advantage of ISO 27018 for your business? Going forward, you should of course look to work with CSPs that are verified as ISO 27018 compliant. In order to be so certified, a CSP must go through a rigorous process, under the auspices of an accredited and independent certification body. And to remain compliant, a CSP must subject itself to regular third-party reviews of its adherence to ISO 27018.

Second, cloud users should ask their current CSPs if they are now (or are planning to be) ISO 27018 compliant.

Third, you should review your company's existing CSP agreements, to see what they say about compliance with existing cloud standards, including ISO 27018. If they do not incorporate ISO 27108, consider amendments to add ISO 27018 compliance.

By integrating ISO 27018 compliant CSPs to serve your standard data processing and storage needs, you can take significant steps toward ensuring the security and privacy of your business and customer data. No longer will your company have to rely on vague promises of data security and privacy, like so many of Joni Mitchell's "ice cream castles in the air." Instead, your CSPs will have finally moved to a world of real, verifiable and workable security and privacy solutions for your business data needs.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.