Cloud Data Privacy: Is there a ‘Standard’ approach?


With the advent of IoT (Internet of Things) and IoE (Internet of Everything), concerns about data privacy are predicted to increase exponentially. It is therefore not a big surprise that data privacy has become a hot topic, especially in the past few years. According to Gartner Research, by 2020 about 25 billion "things" will be connected to the internet, a fivefold increase from the 4.9 billion "things" connected today. In monetary terms, Gartner estimates that IoT will support total services spending of $69.5 billion in 2015 and $263 billion by 2020 [1].

Data privacy is a huge and complex topic encompassing both PII (Personally Identifiable Information) and PHI (Protected Health Information). To add to this, the definition of PII varies from one country to another. People often confuse security with privacy. Security is one of the means of achieving privacy, but the two are not the same: just because we have "secured" an application does not mean that we have also ensured data privacy.

In this article we will take a quick overview of the different standards on cloud data privacy. The topic is as challenging as it is interesting, since it combines cloud and privacy, each a complex topic by itself. Recently many countries have been enacting laws (also referred to as regulations) on data privacy. It is important to understand the basic difference between a standard and a regulation. Regulations are mandated by government and hence compulsory; discussing regulations is beyond the scope of this article. Standards are documents published by standards bodies such as IEEE, ISO, NIST and others, and can also be sector specific (e.g. healthcare, finance).

Until last year there was no international standard on cloud data privacy. There were a few documents and guidelines published by the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance. NIST, whose guidelines are mandated for federal organizations in the US, has also been a leader in publishing cloud guidelines. However, critics say its work is US centric and has not seen wide acceptance in other countries. As early as 2011, NIST published a guideline in its Special Publication series (SP 800-144) titled "Guidelines on Security and Privacy in Public Cloud Computing" [4]. In August 2014, ISO/IEC published a 23-page standard titled "Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors" [2]. It was developed by ISO/IEC JTC 1/SC 27, the subcommittee responsible for all the standards published in the 27000 series.

ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in the public cloud computing environment, in accordance with the privacy principles in ISO/IEC 29100.

In particular, ISO/IEC 27018 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII that might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. This makes the standard relatively easy to understand, as many practitioners are already familiar with ISO/IEC 27001 and 27002.

ISO/IEC 27018 is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, that provide information processing services as PII processors via cloud computing under contract to other organizations.

The guidelines in ISO/IEC 27018 might also be relevant to organizations acting as PII controllers; however, PII controllers can be subject to additional PII protection legislation, regulations and obligations that do not apply to PII processors.

Another important aspect of this standard is that it is certifiable. On February 16, 2015, Microsoft announced that Azure had become the first cloud computing platform to be certified against ISO/IEC 27018 [3]. Last month Dropbox announced that "Dropbox for Business" has been certified against ISO/IEC 27018 [5]. It is good that cloud service providers are adopting international standards, as this gives customers both interoperability and flexibility.

As more and more "things" get connected to the internet, more data containing PII and PHI will be pushed into the cloud. We can soon expect IEEE, ANSI and other standards bodies to publish their own data privacy and cloud standards. Among the BRICS countries (Brazil, Russia, India, China and South Africa), the Indian software market experienced the highest growth rate in both 2013 and 2014 [6]. In India there is no single law or standard that addresses cloud data privacy; however, the IT (Amendment) Act, 2008 deals with sensitive data protection and covers certain aspects of data privacy. We must realize that there is no silver bullet. It is only wise to take a balanced approach, one that balances regulations against international standards. There is a lot of work ahead, and this might just be the beginning.

Sources:

[1] http://www.gartner.com/newsroom/id/2905717

[2] ISO/IEC 27018:2014, Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

[3] http://azure.microsoft.com/blog/2015/02/16/azure-first-cloud-computing-platform-to-conform-to-isoiec-27018-only-international-set-of-privacy-controls-in-the-cloud/

[4] http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

[5] https://www.dropbox.com/static/business/resources/dropbox-certificate-iso-27018.pdf

[6] http://www.gartner.com/newsroom/id/3060118