Confidence on the Cloud – A New Cloud Privacy Standard (ISO 27018)

The Cloud Today

The growing marketplace of cloud computing.

Cloud computing’s use and popularity have been soaring at a great pace! According to Gartner (2013), the marketplace for cloud computing will grow ~20%, to USD 131 billion in 2017 from USD 111 billion in 2012.

What’s more?

2016 will be a defining year for cloud as this cutting-edge technology will just get more sophisticated in the next few years.

The Cloud Landscape

Cloud computing started as in-house infrastructure established by companies such as Microsoft, Google and Amazon to serve their own business needs. It consists of a set of technologies and service models that focus on the Internet-based use and delivery of IT applications, processing capability, storage and memory space.

Now it has evolved into a platform on which much of our daily life depends. While public and private cloud offer one way to differentiate the infrastructure-sharing options, SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) have come to define the extent and level of control held by the cloud service provider (CSP) versus the cloud user.

According to the National Institute of Standards and Technology (NIST), the “cloud” is composed of five essential characteristics:

  1. On-demand self-service: a customer can order a service via the web or some other method at any point in time, and it becomes immediately available for his or her use.
  2. Broad network access: services are available over the network and are accessed through standard mechanisms (mobile phone, tablet, laptop, etc.).
  3. Rapid elasticity: additional capacity remains available and accessible on an ‘as needed’ basis.
  4. Measured service: customers are automatically billed for their consumption.
  5. Resource pooling: the provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

The Confidence for Tomorrow – ISO 27018

The massive flows of data across cloud computing services are becoming ever more complex. Identifying and protecting personal data in those flows is becoming a daunting task for many cloud service providers and cloud users. Given the substantial data protection risks, measures need to be taken to mitigate them, to the benefit of the cloud computing industry and its clients.

While there are several laws and regulations around it, a common benchmark or standard was lacking for some time. ISO 27018:2014 – Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors – is the first set of international privacy controls to be published.

Following and using the privacy controls foreseen in ISO 27018 gives service providers greater assurance that they are doing the right thing and doing everything recommended to protect customers’ personal information. The mechanism benefits both cloud providers and cloud users. For a consumer buying cloud services, it helps to identify the requirements for selecting a cloud provider and to define contractual clauses. For a cloud service provider, it offers a unique selling proposition to potential clients: as more clients become familiar with the standard, the more often they will ask for it in their requests for proposal.

ISO 27018 takes public policy from around the world into account, as it integrates input from many regional regulators. A cloud service provider’s conformance to the standard makes the whole job of complying with particular legislation in one country or region that much easier. The standard provides a common set of guidelines for the whole industry and adds needed protections to improve PII security and compliance in an increasingly cloud-based information environment.

ISO 27018 – Quick Overview

Key Elements of the Standard

ISO 27018 is a standard put forward by the International Organization for Standardization (ISO) that seeks to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a data processor. In order to fulfill the standard, cloud service providers must understand the following key elements:

  1. Personally Identifiable Information (PII) instead of Personal Data

The scope of “personal data” covers not only information that “can be used” or “linked” to a PII principal/data subject, but “any information” relating to an identifiable natural person.

  2. Cloud Providers as Data Processors

In ISO/IEC 27018 the client is regarded as the PII controller and the cloud service provider as the PII processor.

  3. Personal Data Protection Principles

ISO/IEC 27018 contains a comprehensive set of controls regarding:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations and communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Compliance
  • Information security aspects of business continuity management

Through these controls the PII processor enables the cloud service client to comply with its regulatory (data protection) obligations and, at the same time, conforms to its own obligations, whether legal or contractual.

  4. Accountability and Certification

Elements of the principle of accountability are incorporated into the standard, in particular data breach notification, privacy by design, audits and certifications. In general, the standard may be seen as an instrument that assists the PII processor in meeting the requirements of the accountability principle. Key to demonstrating compliance in the context of accountability is third-party certification: a cloud service provider that implements the new standard may ask for a conformity assessment in order to be certified as complying with the standard.

In order to comply with the standard, participating cloud service providers must be transparent about, and commit to, the following practices:

  • only process personal data in accordance with the customer’s instructions;
  • only process personal data for marketing or advertising purposes with the customer’s express consent;
  • be transparent around the use of sub-processors (which will include providing the names of, and any possible locations where the data may be processed by, any sub-processors);
  • ensure that staff who have access to personal data enter into confidentiality agreements and receive appropriate staff training;
  • make required disclosures to law enforcement authorities and/or regulators only when legally bound to do so;
  • assist cloud customers to comply when individuals assert their access rights; and
  • help cloud customers comply with their notification obligations in the event of a data breach.

Top 10 Things to Know about Cloud Security and ISO 27018

Way Forward

The current landscape for cloud security standards is best characterized as immature but emerging. ISO 27018 provides transparent guidance for cloud service providers to establish privacy protection, and allows businesses to make careful decisions about the cloud. Beyond the guidance it provides today, ISO 27018 can also serve as a reference point for the future improvement of standards. As the first international standard dedicated to cloud privacy, it has initiated an exchange of ideas among CSPs on best practice in data privacy and security. ISO 27018 is an important step towards protecting PII in the cloud; it emerges from previous ISO guidelines and will continue to evolve along with cloud service providers’ technology to provide more secure services for the growth and success of businesses.


ECC International is a leading process improvement solutions provider in Southeast Asia, focused on process consulting, automation solutions and learning outsourcing services. We help companies achieve performance excellence by assisting them implement management systems and international standards/best practices across multiple domains and industries.

Our partnerships with best-in-class technology companies help drive sustained excellence for our customers. As a solutions provider with instructional design capability and subject matter expertise in niche areas, we help organizations implement learning strategies and design learning content for improved performance.

APEX Global (The Academy for Professional Excellence) is the learning solutions arm of ECCI – the leading process improvement solutions provider in Southeast Asia.

Our sole aim is to promote performance excellence among professionals. We help our customers achieve greater success through effective, experiential and result-oriented training delivery.

Empowered with a strong pool of expert trainers and facilitators with expertise in a niche array of domains, and a strong regional presence, we provide an extensive portfolio of excellent industry-specific and functional programs coupled with high quality training materials to provide best-in-class services for professionals.

We are a market leader when it comes to Information Security and Risk Management solutions (in the form of training, consulting and GRC solutions- www.metricstream.com) in SE Asia.

To learn more about cloud security, ISO 27018 guidelines and requirements, and their correlation with existing standards such as ISO 27001 and EU Data Protection Laws, join us at the Confidence on the Cloud – Data Security Best Practices based on ISO 27018 training program.

Sources

  1. http://www.bishopfox.com/blog/2015/05/iso-27018-the-long-awaited-cloud-privacy-standard/
  2. http://www.kemplittle.com/site/articles/kl_bytes/iso-27018-a-new-cloud-privacy-standard
  3. http://www.iso.org/iso/isofocus_108.pdf
  4. http://www.brusselsprivacyhub.org/Resources/BPH-Working-Paper-VOL1-N2.pdf



Taking the next step with the new ITIL® Practitioner Qualification


Axelos, the ITIL course owner, has announced the most significant evolution for ITIL – the new ITIL Practitioner qualification.

ITIL Practitioner is being developed in collaboration with Practitioners worldwide to help organizations and individuals increase the value they obtain from using ITIL by offering additional practical guidance to adopt and adapt the framework to support the business. It will be the next step after ITIL Foundation for professionals who have already learned the basics of IT Service Management (ITSM) and the business value of well-designed and delivered services. It will help guide them through the practical side of successfully applying the theory in the workplace.

A specific amount of credit points will be assigned to ITIL Practitioner that will count towards ITIL Expert the same way as Foundation, Intermediate and Managing Across the Lifecycle (MALC) do today.


Why was this introduced?

The demands organizations are putting on their IT teams and IT service providers have changed significantly in recent years. In many cases, we have moved from “let’s keep everything as stable as possible” to “let’s be as agile as possible (and make sure we can recover instantly)”. The technological capabilities – such as those enabled by rapidly evolving cloud computing – and associated practices have made it possible to better answer those demands. The detailed ‘how’ of all of this depends, though: what works for a Bay Area start-up might not work for a large multinational enterprise, and the expectations of existing customers of 10+ years differ from those of customers acquired yesterday. For ITSM professionals, there is an ever-growing demand for more practical guidance on how to design fit-for-purpose and fit-for-use services and supporting processes.

That is where ITIL and other philosophies, frameworks and methodologies – such as Lean, DevOps and Agile – need to intersect for the best results. There are no silver bullets; organizations need to choose wisely the best ways to address specific challenges. ITIL helps with this by providing the framework into which good practice for the ‘how’ can be plugged. Additional practical guidance was needed to bring this to life.

Enter… ITIL Practitioner

Setting what is often (mistakenly!) considered to be the last ITIL lifecycle stage, almost a nice-to-have feature – Continual Service Improvement (CSI) – as the backbone of the new qualification, ITIL Practitioner brings one of the most under-used and under-valued parts of ITIL to the real world. It is CSI that helps organizations to focus on the improvements delivering most value, and to make sure the services and the practices supporting them can keep up with the needs of the ever-changing organization and continually improve.

ITIL Practitioner equips ITSM professionals with the tools to identify the improvement needs and priorities in their organization, to successfully start and run the improvement initiatives and to deliver the value expected. The qualification – and the guidance supporting it – brings together various parts of ITIL, adding more detail as required, and combines this with the practical ‘how to’. The good practice from ITSM professionals from around the world is distilled into concepts, models and capabilities, and complemented with tools and methods to place it in the context of a specific organization. This is ITIL Practitioner.

For more information, please check this ITIL Practitioner page.

Reference:

https://www.axelos.com/news/blogs/march-2015/taking-the-next-step-with-itil

IT Governance – What’s It All About and How Can It Benefit Organizations

IT Governance – the buzz topic that many people in computing now mention at almost every conference and in almost every journal or IT publication. So for a moment, just consider: what is IT Governance, and why is it so important to you and your business?

There are many pressures on businesses these days to find the most cost and time efficient way to service customers. However, when it comes to modifying the behaviors of both individuals and of established business processes, this can be a challenge.

Often, the management teams of companies are under pressure to demonstrate to investors that the organization is well run and capable of delivering maximum returns to shareholders and customers. Simultaneously, external agencies, including government offices, now expect companies to meet ongoing regulatory and governance directives to show that business and IT compliance requirements are being met.

These business drivers in turn place a range of pressures on the IT systems that support business processes.

In this article, we will go some way towards explaining how IT Governance answers these burning questions.

An IT governance framework is a discipline that involves managing people, processes and resources. Ultimately, it is about aligning the organization’s IT goals with its business goals to ensure optimum and uninterrupted service delivery. There are fundamental processes that need to be in place, and companies that implement such IT governance solutions and procedures always benefit from knowing what they have, who is using the resources, why they are using the resources, and whether the resources are being used in the most time- and cost-effective way.

Several methodologies have been designed to help management structure and formalize an IT Governance framework, which can help alleviate these pressures in that they:

  1. Aid in aligning IT with the organizational goals and strategy.
  2. Raise the profile of IT.
  3. Aid in project and portfolio management.
  4. Reduce IT risk.
  5. Aid in IT strategic planning.
  6. Aid in performance measurement.
  7. Aid in embedding IT into the organization’s culture.
  8. Aid in demand management (demand for IT’s services by other departments).
  9. Optimize IT operations.
  10. Increase project visibility.

In the next article, I will discuss best practices around implementing IT Governance frameworks and ways of effectively choosing and implementing them to realize the business benefits.

-Sree Krishna, Delivery Manager, ECCI