
Why the cloud provider community needs to get on board with ISO 27018

Despite being published more than a year ago, cloud providers are only really just starting to take notice of ISO 27018. We explore what it is and why it matters to the enterprise

The cloud industry is accustomed to seeing service providers boast about their conformance with the International Organization for Standardization (ISO) 27001 information security management systems standard, but they have been markedly less vocal about their adherence to ISO 27018, the standard covering the protection of personal information in the cloud.

The standard was published in spring 2014 but, a year and a half later, 27018 has still not really penetrated public consciousness. Rob Whitcher, the British Standards Institute’s (BSI) technical manager for ISO 27018, says he never expected companies to support it in the same way.

Having said that, he acknowledges the fear people have about their personal information being mistreated in the cloud, and while much of this anxiety is irrational, it’s also very real.

“There is a fear around what happens to people’s data when it’s in the cloud. They’ll do things like run a small server in the kitchen and they think it’s safer than running Amazon Web Services [AWS]. That server is not more secure – datacentres are extremely well protected. But many people don’t think that way,” says Whitcher.

ISO 27018 and why it matters

ISO 27018’s aim is to give credibility to service providers who want to protect their data by demonstrating that they follow internationally recognised guidelines.

“The BSI is looking to help those organisations,” says Whitcher. “We will certify them to 27001 but can give them both if they want to look at obtaining 27018.”

There is also, he adds, a bit of a misunderstanding about the standards and what they are for. “27001 is all about the protection of information, not the personal information that is protected by 27018,” he explains.

To this end, what 27018 does is set out what’s meant by “personally identifiable information” (PII) and what should happen to it.

Under the terms of it, PII is any information that (a) can be used to identify the PII principal to whom such information relates, or (b) might be directly or indirectly linked to a PII principal.

Subsidiary definitions are of the PII principal – sometimes known as the data subject – and the PII controller, the person who determines the purposes for which that data is processed.


The use of the 27018 standard doesn’t interfere with the responsibilities of the customer, however. Ultimately, if your organisation is looking after personal data, the standard doesn’t absolve you of that responsibility.

“Contractual agreements should clearly allocate responsibilities between the public cloud PII processor – in this case the cloud service provider – its sub-contractors and the cloud service customer,” the standard’s text states.

While organisations still have to take care of customer data, 27018 does provide a path to follow.

ISO 27018: Who has and who hasn’t adopted it?

There is, however, another standard – 27017 – just around the corner that is yet to be ratified but is expected to be much more wide-ranging.

This one will be a code of practice offering additional advice beyond that featured in ISO 27002. Crucially, it will assist cloud service providers and their customers by giving them information and a summary of their responsibilities. It will go beyond the scope of 27018, although organisations will have to wait a few more months before it’s available.

In the meantime, for those who want peace of mind in the cloud, some service providers have eagerly adopted the standard. Microsoft and AWS were two of the first, and the latter firm in particular is making much of its adherence to the standard.

Ian Massingham, technical evangelist for AWS UK, says the award of ISO 27018 is a crucial part of the company’s commitment to privacy.

“Achievement of ISO 27018 demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content,” he adds.

“The commitment to the privacy and protection of customers' content will always be top priority for AWS, and for our customers, now and in the future.”

According to BSI’s Whitcher, there are also other companies looking to follow suit. “Salesforce is looking at it as is Box,” he says, while Dropbox announced it had received the standard back in May 2015.

“We can certainly expect to see greater interest in the standard as more organisations become aware of its existence and more demand for cloud service providers to support it,” he adds.

While the number of cloud providers holding ISO 27018 begins to steadily rise, Massingham explains why it is an important standard for them to hold.

“As customers move more sensitive and mission-critical workloads to AWS they are asking for more certifications and accreditations specific to their needs, such as ISO 27018,” he says.

“ISO 27018 is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud [stored] PII.

“As more customers are moving more PII to the cloud this is something they have been asking for,” particularly, he adds, those operating in the life sciences and healthcare industries.

Despite the rapid adoption of cloud within enterprises, security remains a big concern for users.

Industry figures such as Whitcher can point out the deep flaws in the thinking that says everything on-premises is secure and everything in the cloud is at risk, but the reality is that’s how many people think.

Times are changing, though, and there is a growing realisation that cloud companies can provide exactly the same level of protection as an on-premises deployment, along with an acceptance that relying on gut instinct isn’t enough.

The rise of 27018 is the first indication that cloud deployment and personal information protection aren’t contradictory – and we can expect to see growing interest in this area over the coming months.
