Posts tagged ‘cloud providers’

ISO 27018 and protecting personal information in the cloud: a first year scorecard #CloudWF

ISO 27018 has been around for a year – but is it effective?

Source: Business Cloud News

A year after it was published, ISO 27018 – the first international standard focusing on the protection of personal data in the public cloud – continues, unobtrusively and out of the spotlight, to move centre stage as the battle for cloud pre-eminence heats up.

At the highest level, this is a competitive field for those with the longest investment horizons and the deepest pockets – think million square foot data centres with 100,000+ servers using enough energy to power a city. According to research firm Synergy, the cloud infrastructure services market – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and private and hybrid cloud – was worth $16bn in 2014, up 50 per cent on 2013, and is predicted to grow 30 per cent to over $21bn in 2015. Synergy estimated that the four largest players accounted for 50 per cent of this market, with Amazon at 28 per cent, Microsoft at 11 per cent, IBM at 7 per cent and Google at 5 per cent. Of these, Microsoft’s 2014 revenues almost doubled over 2013, whilst Amazon’s and IBM’s were each up by around half.

Significantly, the proportion of computing sourced from the cloud compared to on-premise is set to rise steeply: enterprise applications in the cloud accounted for one fifth of the total in 2014 and this is predicted to increase to one third by 2018.

This growth represents a huge year-on-year increase in the amount of personal data (PII, or personally identifiable information) going into the cloud and in the number of cloud customers contracting for the various and growing types of cloud services on offer. But as the cloud continues to grow at these startling rates, the biggest inhibitor to cloud services growth – trust in the security of personal data in the cloud – continues to hog the headlines.

Under data protection law, the Cloud Service Customer (CSC) retains responsibility for ensuring that its PII processing complies with the applicable rules.  In the language of the EU Data Protection Directive, the CSC is the data controller.  In the language of ISO 27018, the CSC is either a PII principal (processing her own data) or a PII controller (processing other PII principals’ data).

Where a CSC contracts with a Cloud Service Provider (CSP), Article 17 of the EU Data Protection Directive sets out how the relationship is to be governed. The CSC must have a written agreement with the CSP; must select a CSP providing ‘sufficient guarantees’ over the technical security measures and organisational measures governing PII in the cloud service concerned; must ensure compliance with those measures; and must ensure that the CSP acts only on the CSC’s instructions.

As the pace of migration to the cloud quickens, the world of data protection law continues both to be fragmented – 100 countries have their own laws – and to move at a pace driven by the need to mediate all competing interests rather than the pace of market developments.

In this world of burgeoning cloud uptake, ISO 27018 is proving effective at bridging the gap between the dizzying pace of cloud market development and the slow and uncertain rate of legislative change by providing CSCs with a workable degree of assurance in meeting their data protection law responsibilities. Almost a year on from publication of the standard, Microsoft has become the first major CSP (in February 2015) to achieve ISO 27018 certification for its Microsoft Azure (IaaS/PaaS), Office 365 (PaaS/SaaS) and Dynamics CRM Online (SaaS) services (verified by BSI, the British Standards Institution) and its Microsoft Intune SaaS services (verified by Bureau Veritas).

In the context of privacy and cloud services, ISO 27018 builds on other information security standards within the ISO 27000 family. This layered, interlocking approach is proving supple enough in practice to deal with the increasingly wide array of cloud services. For example, it is not tied to any particular kind of cloud service and, as Microsoft’s certifications show, applies to IaaS (Azure), PaaS (Azure and Office 365) and SaaS (Office 365 and Intune). If you consider computing services as a stack of layered elements ranging from networking (at the bottom of the stack) up through equipment and software to data (at the top), and that each of these elements can be carried out on premise or from the cloud, then ISO 27018 is flexible enough to cater for all situations across the continuum.

Indeed, the standard specifically states at Paragraph 5.1.1:

“Contractual agreements should clearly allocate responsibilities between the public cloud PII processor [i.e. the CSP], its sub-contractors and the cloud service customer, taking into account the type of cloud service in question (e.g. a service of an IaaS, PaaS or SaaS category of the cloud computing reference architecture). For example, the allocation of responsibility for application layer controls may differ depending on whether the public cloud PII processor is providing a SaaS service or rather is providing a PaaS or IaaS service upon which the cloud service customer can build or layer its own applications.”

Equally, CSPs will generally not know whether their CSCs are sending PII to the cloud and, even if they do, they are unlikely to know whether or not particular data is PII. Here, another strength of ISO 27018 is that it applies regardless of whether particular data is, or is not, PII: certification simply assures the CSC that the service the CSP is providing is suitable for processing PII in relation to the performance by the CSP of its PII legal obligations.

Perhaps the biggest practical boon to the CSC, however, is the contractual certainty that ISO 27018 certification provides. As more work migrates to the cloud, particularly in the enterprise space, the IT procurement functions of large customers will be following structured processes in order to meet the requirements of their business and, in certain cases, their regulators. In their requests for information, proposals and quotations from prospective CSPs, CSCs now have a range of interlocking standards, including ISO 27018, to choose from in their statements of requirements for a particular cloud procurement. As well as short-circuiting the need for CSCs to spend time writing up detailed specifications of their own requirements, verified compliance with these standards for the first time provides meaningful assurance and protection from risk around most aspects of cloud service provision. Organisations running competitive tenders can benchmark bidding CSPs against each other on their responses to these requirements, and then include the obligations to meet the requirements of the standards concerned as binding commitments in the contract when it is let.

In the cloud contract lifecycle, the flexibility provided by ISO 27018 certification, along with the contract and the CSP’s policy statements, goes beyond this to provide the CSC with a framework to discuss with the CSP on an ongoing basis the cloud PII measures taken and their adequacy.

In its first year, it is emerging that complying, and being seen to comply, with ISO 27018 is providing genuine assurance for CSCs in managing their data protection legal obligations. This reassurance operates across the continuum of cloud services and through the procurement and contract lifecycle, regardless of whether or not any particular data is PII. In customarily unobtrusive style, ISO 27018 is likely to go on being a ‘win’ for the standards world, cloud providers and their customers, and data protection regulators and policy makers around the world.

Visit the Cloud World Forum taking place on the 24th – 25th June 2015 at Olympia Grand in London.

Don’t miss the chance to take advantage of all the knowledge and networking opportunities presented by EMEA’s only content-led Cloud exhibition.

Register for your free exhibition pass here.


Cloud MENA 2015 Event Brochure now available #cloudMENA

The Cloud MENA 2015 brochure is here! View the most recent agenda and full speaker line-up. IT leaders from all industries will come together in 2015 to reflect on their experiences and offer hands-on advice to help you advance your IT strategy. Additionally, pioneering telco leaders convey the go-to-market strategies which are bringing ROI and delivering only the most secure cloud services.


Key topics you will get to discuss throughout the 2 days…

The regulatory landscape of Cloud Computing and data protection in the region
• Tackling the security fear which surrounds Cloud Computing
• Evaluating cloud business models and selecting the one that fits your particular needs
• Making the right choice when selecting a vendor
How can an Operator make it as a Cloud Provider: Best in class business, sales and marketing strategies
• How can Cloud result in job losses?
• Becoming part of the smart cities initiative
Monetising Big Data and advanced Business Intelligence solutions to improve customer insights


Early confirmed Sponsors include:


Secure your FREE pass today and join Middle East & North Africa’s Leading Cloud Computing Event!

Outsourcing IT services to cloud providers #cloudwf


Birger Steen, CEO of Parallels, the world’s leading enabler of cloud computing services, recently stated that slightly more than half of businesses globally outsource their IT services to cloud providers, choosing that over the traditional model of building those services in-house.

Network software company Spiceworks says that in the last 12 months it has seen a 10 per cent decrease in companies using on-premise IT, pushing the base of cloud users to 55 per cent.

But what is cloud all about? Cloud storage services make sure that important files are available 24×7 wherever you are and using whatever device you have at hand, be it a laptop, desktop or mobile device. You no longer have to worry about losing vital information if you misplace your device or your computer dies.

Cloud saves your files, documents or photos not only on your computer or other devices but also in a data centre on premise. The cloud’s value proposition to companies includes lowered costs and handing off technical headaches to a third party. But barriers to adoption for enterprises include data sovereignty and worries over the stability of handing IT functions over to a vendor.

With the proliferation of online, cloud-based storage solutions such as Dropbox and SugarSync, accessing data has never been easier. Losing that very same data has also become easier. Data leaks are a serious concern for both large and small businesses. Apart from violating data privacy and regulatory rules, other concerns such as data confidentiality and integrity come into play.

Data loss becomes a serious problem since the aforementioned services allow users to keep any uploaded data even once they leave the company. The data is no longer under the control of the business’s IT team.

SkySync by 6PM introduces an alternative to the myriad of file sharing services found in the market. It has been designed and built for business. It offers access to your files both online and offline, true file synchronisation to any device, easy control and tracking, and single sign-on integration. SkySync ensures that you can remotely back up the contents of your file service and remotely wipe your devices.

And if you are worried about having control over confidential information, SkySync understands such matters and strives to match its product to your security needs. It makes sure that only authorised files can be opened, besides securing data in transit and on every device. It allows one to share documents among colleagues, suppliers, etc. while retaining control over company files even on devices that one does not have control over. Its key characteristics include:

Ease of use: Designed from the ground up to be easy to deploy and administer, SkySync emphasises short deployment times and short learning curves while still offering a feature-rich product.

Ease of integration: Integration is core to the SkySync implementation. 6PM’s SkySync has been designed to be minimally intrusive to the client’s existing infrastructure. SkySync can leverage Microsoft Active Directory to control logins and natively integrates with existing Windows Server file shares to free your existing data, synchronising it across multiple devices while still leaving control firmly in the hands of Windows Server administrators.

Private on-premise: Unlike other solutions, none of 6PM’s SkySync infrastructure depends on third-party servers. Each SkySync deployment is a self-contained installation. Neither the control messages nor the data passes through third-party infrastructure. Every bit of communication goes directly to the client installation, leaving control once again firmly in the hands of IT, allowing control over all aspects and reducing the risk of data leakage while still allowing employees to be productive and access data anytime, anywhere.

Security: All data between clients and the SkySync server is secured using industry-standard encryption over SSL. By using 6PM’s SkySync, the number of entry points to your Windows file servers is reduced, since all requests are first sent to the SkySync server. It is possible to increase security further by allowing only the SkySync server to communicate directly with the Windows file servers.

Feature rich: SkySync offers features that users have come to know and love, such as apps for popular mobile platforms like Apple iPhone and Android. Other features include public file sharing, meaning users no longer need to use third-party services, leaving your data safe and secure within your data centre at all times.

You can find out more about SkySync at the Cloud World Forum at the Olympia National Hall in Central London on June 17 and 18, or log on to http://6pmsolutions.com/products/6pm-tools/skysync/

Annette Vella is the Public Relations Executive at 6PM. Before joining 6PM she worked as a journalist with one of the leading media houses in Malta writing scripts and features for television, radio and newspapers.
