ISO27018 a step toward cloud standardisation? GuidelinesCambria

Transcription

1 ISO27018 a step toward cloud standardisation? GuidelinesCambria 32pt) Palo Alto Mark Webber, Partner Fieldfisher January 2015 Brussels / Düsseldorf / Hamburg / London / Manchester / Munich / Palo Alto /Paris / Shanghai / =ield=isher.com

2 Debunking a classic formula. Brussels / Düsseldorf / Hamburg / London / Manchester / Munich / Palo Alto /Paris / Shanghai / =ield=isher.com 1

3 A new cloud standard.iso Cloud remains an emerging technology Con=identiality Control Each remain key concerns ISO27018 focusses on the protection of personal data in the pubic cloud Addressing the trust de=icit Filling some of the gaps in a cloud service where data privacy regimes demand more It won t solve the problems of cloud and does not cover remove a data controller s discretion / obligations Brussels / Düsseldorf / Hamburg / London / Manchester / Munich / Palo Alto /Paris / Shanghai / =ield=isher.com 2

4 Privacy and cloud contracts today In the EU. the provisions that seem to cause most tension with cloud computing are: The distinctions between the role of a controller and a processor; Restrictions on data transfers; and Security obligations. At the core = this is about loss of control and the ability of the CSP to =ill this gap Brussels / Düsseldorf / Hamburg / London / Manchester / Munich / Palo Alto /Paris / Shanghai / =ield=isher.com 3

5 A new ISO standard for cloud computing - ISO27018 The summer of 2014 saw another ISO Standard published by the International Standards Organization (ISO) - ISO27018:2014 is a voluntary standard governing the processing of personal data in the public cloud. Titled: "Information technology Security techniques - Code of the practice for protection of personally identi;iable information (PII) in public clouds acting as PII processors" Brussels / Düsseldorf / Hamburg / London / Manchester / Munich / Palo Alto /Paris / Shanghai / =ield=isher.com 4

6 What is ISO 27018? What is it? ISO27018 sets out a framework of "commonly accepted control objectives, controls and guidelines" which can be followed by any data processors processing personal data on behalf of another party in the public cloud; ISO27018 has been crafted by ISO to have broad application from large to small and from public entity to government of non- pro=it. What is it trying to do? It's a tool to help the public cloud provider to comply with applicable obligations; It's an enabler of transparency allowing the provider to demonstrate why their cloud services are well governed; It will assist the customer and vendor in documenting contractual obligations; and It offers the public cloud customer a mechanism to exercise audit and compliance rights Brussels / Düsseldorf / Hamburg / London / Manchester / Munich / Palo Alto /Paris / Shanghai / =ield=isher.com 5

7 ISO27018 builds upon ISO29100 ISO29100 sets out a privacy framework based on these principles: Consent and Choice Purpose legitimacy and speci=ication Collection limitation Data minimisation Use, retention and disclosure limitation Accuracy and quality Openness transparency and notice Individual participation and access Accountability Information security Privacy compliance Brussels / Düsseldorf / Hamburg / London / Manchester / Munich / Palo Alto /Paris / Shanghai / =ield=isher.com 6

8 Where will adopting ISO27018 help the customer The following provisions assist with EU privacy compliance Consent and choice the ISO requires the CSP to process PII in accordance with the customer s instructions Noti4ication the ISO requires the CSP to disclose information about sub- processors Data retention the CSP is required to implement a policy to erase PII by the ISO {BUT BEWARE is this something a customer wants?} Supporting access rights the CSP should assist the customer in managing data subject access and correction requests Security the ISO requires the CSP to adopt policies and subjects the technical solution to independent security reviews International transfer restrictions the CSP must inform the customer where in the world its PII may be processed Sub- contracting - the ISO requires the consent of the customer before sub- processing and then that the CSP ensure some minimum requirements Brussels / Düsseldorf / Hamburg / London / Manchester / Munich / Palo Alto /Paris / Shanghai / =ield=isher.com 7

9 Why it s not perfect. ISO27018 is not an exhaustive framework It's been designed for use in conjunction with the information security controls and objectives set out in ISO27002 and ISO27001 which provide general information security frameworks. This is a high threshold It may be used as a benchmark for security and, coupled with contractual commitments to meet and maintain selected elements of ISO27018, but it won't be relevant to all cloud solutions and compliance situations (though some will use it as if it were); It perpetuates the use of the PII moniker which, already holding speci=ic US legal connotation (i.e. narrower application) is now used is a wider de=ined context under ISO27018 (in fact PII under ISO27018 is closer to the de=inition of personal data under EU Directive 95/46/EC); ISO27018 is of no use in situations where the cloud provider is (or assumes the role) of data controller and it assumes all data in the cloud is personal data (so watch this space for ISO27017 (coming soon) which will apply to any data (personal or otherwise)); and For EU based data controllers, other than constructing certain security controls, ISO27018 is not a mechanism or alternative route legitimize international data transfers outside of the European Economic Area. Brussels / Düsseldorf / Hamburg / London / Manchester / Munich / Palo Alto /Paris / Shanghai / =ield=isher.com 8

10 Thank you"! Any questions?" Mark Webber! Partner! " Phone: +1 (650) " Connect: " 9"