
ISO/IEC27018 to improve cloud data privacy

Michael Mudd, appointed expert to JTC-1 of the ISO and chief representative of the Open Computing Alliance for APAC and MEA | Jan. 12, 2015
The international privacy standard enables cloud service providers to check if their cloud privacy policies and practices are robust and in line with best industry practices.

The Internet has become pervasive, with almost 3 billion people now accessing information via the World Wide Web. Around 40% of the world population has an internet connection today, compared to 1995 when it was only available in the realm of academia and some governments. The number of Internet users increased tenfold from 1999 to 2013. This explosion has brought considerable benefits: from almost free communication via email, Instant Messaging (IM) and VoIP, to enabling online commerce for the biggest businesses (think internet banking) down to the smallest (such as online stores on Alibaba or eBay).

The volume of data sent across the Internet continues to grow exponentially. Global data has increased fivefold over the past 5 years, and will increase again threefold over the next 5 years. Overall, IP traffic will grow at a compound annual growth rate (CAGR) of 21 percent from 2013 to 2018. The estimate for growth in mobile data traffic is even more impressive, with a CAGR of 61 percent.

The need to ensure robust security is in place to protect customers' information has never been greater. It is difficult to switch on the news today without some story involving loss of information, hacked websites, stolen credit cards, or intimate private details from social media leaked online. According to 2013 reports from CNN and NQ Mobile, the dramatic growth in mobile malware is intensifying, estimated to be up by 163%.

The International Standards Organisation (ISO) indicates that globally more than 18,000 companies have achieved the ISO 27001 certificate in Information Security Management. ISO/IEC 27001:2013 provides a management framework for assessing and treating risks. It takes account of past user experiences and of improvements in security controls apt for today's IT environment, namely identity theft, risks related to mobile devices and other online vulnerabilities, and it aligns with other management systems.

On July 30th 2014, an additional voluntary standard within the 27000 series, ISO/IEC 27018, was adopted. It specifically governs the processing of personally identifiable information (PII) by public Cloud Service Providers (CSPs).

ISO/IEC 27018 is the first international privacy standard for the cloud. This new standard incorporates controls that reflect PII considerations specifically for cloud services, and it will help a CSP demonstrate that its cloud privacy policies and practices are robust and in line with best industry practices.

Whilst ISO/IEC 27001:2013 addresses IT security, and in most respects aims to lower the risk that unauthorised third parties will gain access to customer information, ISO/IEC 27018:2014 specifically addresses what a service provider needs to do to protect the privacy of that data. This has particular importance where a jurisdiction may have weak or non-existent data protection (DP) regulations or laws, such as in Indonesia, Thailand and Vietnam, to name some of the larger economies in Asia. Other economies may have DP laws that are not applicable to government entities.
