Dropbox the latest to spruik cloud-privacy nous with ISO 27018 certification

Cloud providers' requirement to demonstrate their security capabilities to existing and potential customers is driving key cloud services to undergo certification to an emerging global standard that will help Australian businesses meet legal requirements for protection of personally identifiable information (PII).

Cloud-storage company Dropbox is the latest cloud services provider to sign on to the ISO/IEC 27018:2014 standard, which was published in August 2014 and outlines a code of practice for the protection of PII in public clouds.

Compliance with the standard – an extension of the ISO 27001 standard that adds security and privacy requirements around things like encryption and employee-access controls – will see the company's Dropbox for Business product wrapped in a layer of security-related compliance that includes clear directions about what customer data the company uses and what those customers can do with it.

The standard also includes a commitment to share information about where customers' data resides on Dropbox servers, and which partners might also be storing or have access to that information.

“We'll tell you what happens when you close an account or delete a file,” the company said in a recent blog post.

“Privacy and data protection regulations and norms vary around the world, and we're confident this certification will help our customers meet their global compliance needs.”

Cloud operators certified to ISO 27018 requirements must provide controls in five key areas: consent, control, transparency, communication, and independent and yearly audits.

Compliance in these areas will be of particular value to Australian companies, which have slowly but steadily changed corporate culture around the protections maintained over PII.

Despite a concerted education campaign by the Privacy Commissioner, however, most companies still have a long way to go towards compliance with the new Privacy Act 1988 changes, which went into effect in March 2014.

A recent survey found that just 54 percent of workers believe their employers have given them adequate training around the protection of PII, while an Office of the Australian Information Commissioner (OAIC) study published in May found that just 55 percent of companies had adequate privacy policies in place.

Broader compliance with ISO 27018 is expected not only to boost everyday protections for the personal data of Australian and overseas users, but also to help foster a culture of privacy that cloud providers believe will help them overcome customer concerns about entrusting cloud platforms with sensitive customer data.

Microsoft was the first cloud provider to achieve ISO 27018 compliance, spruiking the certification of its Azure cloud platform in February. Office 365, Dynamics CRM Online, and Microsoft Intune have also adopted the standard.

Rival Amazon Web Services (AWS) has certified its products to ISO 27001 requirements but has not yet followed suit on ISO 27018, while Google and Apple also have yet to achieve ISO 27018 compliance for their respective cloud offerings.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by David Braue
