
Page 1: Cloud Services & the Development of ISO/IEC 27018

Cloud Services & the Development of ISO/IEC 27018

Adding “privacy” to information security

Alan Shipman

[email protected]

Data Privacy, June 2015

Page 2: Cloud Services & the Development of ISO/IEC 27018

Processing your personal data in the cloud

• If you have personal data to process, you are probably a data controller and subject to the ‘Data Privacy Law’ 2010. This presentation is about adding governance for processing personal data (PII, personal information, etc.) to baseline information security.

• Data Privacy legislation does require adequate security (e.g. ISO/IEC 27001 for the management system process and for the controls covering confidentiality, integrity and availability), but it also demands more.

• There are two main scenarios to address:
  • process your personal data yourself in a private cloud; or
  • outsource that processing to a public cloud acting as a data processor

• This presentation places both scenarios into context but concentrates on solving some issues raised by processing personal data in a public cloud.

Page 3: Cloud Services & the Development of ISO/IEC 27018

Processing personal data – in house

[Diagram: the data controller’s in-house IT, private cloud and in-house ‘normal’ IT, marked “YOU ARE HERE”.]

STANDARDS: BS 10012:2009 *; ISO/IEC 29151 (draft)

Data controller: whenever you process for your own purposes

* BS 10012:2009. Data protection. Specification for a personal information management system. For a controller; does not specify the processor requirements sub-set.

Page 4: Cloud Services & the Development of ISO/IEC 27018

Processing personal data – in the public cloud

[Diagram: the data controller’s in-house IT and private cloud (“YOU ARE HERE”), linked by a data processing agreement to the public cloud data processor (your cloud service provider) and its sub-contractor.]

Data controller side – STANDARDS: BS 10012:2009 *; ISO/IEC 29151 (draft)

Data controller: whenever you process for your own purposes

Public cloud data processor side – STANDARDS: ISO/IEC 27001 plus ISO/IEC 27018

Data processor(s): only if they exclusively follow the controller’s instructions

* BS 10012:2009. Data protection. Specification for a personal information management system. For a controller; does not specify the processor requirements sub-set.

Page 5: Cloud Services & the Development of ISO/IEC 27018

Processing personal data in the cloud: how does this work?

• Data protection obligations remain with a data controller even if processing is outsourced to a cloud data processor.

• If you want to have your personal data processed by a cloud service provider, acting solely according to your instructions, then you have to:
  • choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out
  • take reasonable steps to ensure compliance with those measures

• Standards cannot replace the requirements of law, but for one good route towards obtaining the required guarantees, a data controller could:
  • select a cloud service provider which complies with ISO/IEC 27001 for security and also implements all of the data protection controls in ISO/IEC 27018 as part of that compliance; and
  • get a regularly audited commitment to the above from the cloud service provider (and make that a part of the data processing agreement).

Page 6: Cloud Services & the Development of ISO/IEC 27018

How does ISO/IEC 27018 help a data controller to process personal data in the cloud?

• Select a well-governed cloud data processor: A well-governed cloud data processor should have independently audited and certified compliance to ISO/IEC 27001 as extended with all of the controls from ISO/IEC 27018.

• What your cloud data processor should tell you: The implementation guidance and some of the controls from ISO/IEC 27018 provide information on what your cloud data processor needs to tell you as a cloud service customer before you enter into a data processing agreement.

• What you should agree with your cloud data processor: The implementation guidance and some of the controls from ISO/IEC 27018 provide information on what you and your cloud data processor need to agree on about matters such as the distribution of responsibilities.

Page 7: Cloud Services & the Development of ISO/IEC 27018

What’s in ISO/IEC 27018 (selected)?

• Title: Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

• Controls: Cloud data processor (CDP) shows that it is a data processor (not a controller) by processing data only to implement customer instructions

• Controls: CDP knows where data is stored and is sure where it is sending it

• Controls: CDP ensures its sub-contractors also implement relevant security and data protection measures, and discloses changes in sub-contracting

• Controls: CDP implements the means to cooperate with its customer to allow the customer to meet obligations to data subjects

• Guidance: issues a CDP should disclose to a prospective customer before entering into the contract to process personal data

• Guidance: issues where CDP and the customer should agree on the split of responsibilities

Page 8: Cloud Services & the Development of ISO/IEC 27018

How is ISO/IEC 27018 constructed & used?

[Flowchart, rendered as a list:]

• Stage 1: Find current EU Data Privacy laws applying to cloud data processors (France, Germany, Spain, UK)

• Stage 2: Create new controls to cover EU laws based on the current Data Protection Directive

• Stage 3: Analyse Data Protection Authority cloud opinions and update the controls for cloud-specific issues; this yields the new controls and guidance

• Stage 4: Eliminate controls & guidance already in ISO/IEC 27002:2013 (existing controls & guidance); draft ISO/IEC 27018 with the remaining new controls & guidance. The result is ISO/IEC 27018:2014, with Annex A (new controls & new guidance) and the body (new guidance for existing controls in 27002)

• Stage 5: Cloud data processor uses the management system in ISO/IEC 27001:2013 with the combined control set in ISO/IEC 27002 and ISO/IEC 27018

Page 9: Cloud Services & the Development of ISO/IEC 27018

In summary

• Voluntary standards cannot replace the requirements of law. ISO/IEC 27018 is not a destination. It’s a first step in a journey towards good governance of personal data processing in the cloud. However …

• For the public cloud data processor:
  • ISO/IEC 27018 shows how to add “privacy” to an existing ISO/IEC 27001 certification so that customers who have personal data to process can more confidently use the service.

• For the cloud service customer with personal data to process:
  • Certified ISO/IEC 27001 compliance by a public cloud data processor with ISO/IEC 27002 controls extended with all of the controls in ISO/IEC 27018 provides a good baseline for doing the essential due diligence; and
  • ISO/IEC 27018 also addresses matters a public cloud data processor should be disclosing to its customers and matters that may need to be addressed in a data processing agreement.