Cloud providers' requirement to demonstrate their security capabilities to existing and potential customers is driving key cloud services to undergo certification to an emerging global standard that will help Australian businesses meet legal requirements for protection of personally identifiable information (PII).
Cloud-storage company Dropbox is the latest cloud services provider to sign on to the ISO/IEC 27018:2014 standard, which was published in August 2014 and outlines a code of practice for the protection of PII in public clouds.
Compliance with the standard – an extension of the ISO 27001 standard that adds security and privacy requirements around things like encryption and employee-access controls – will see the company's Dropbox for Business product wrapped in a layer of security-related compliance that includes clear directions about what customer data the company uses and what those customers can do with it.
The standard also includes a commitment to share information about where customers' data resides on Dropbox servers, and which partners might also be storing or have access to that information.
“We'll tell you what happens when you close an account or delete a file,” the company said in a recent blog post.
“Privacy and data protection regulations and norms vary around the world, and we're confident this certification will help our customers meet their global compliance needs.”
Cloud operators certified to ISO 27018 requirements must provide controls in five key areas: consent, control, transparency, communication, and independent and yearly audits.
Compliance in these areas will be of particular value to Australian companies, which have slowly but steadily changed corporate culture around the protections maintained over PII.
Despite a concerted education campaign by the Privacy Commissioner, however, most companies still have a long way to go towards compliance with the new Privacy Act 1988 changes, which went into effect in March 2014.
A recent survey found that just 54 percent of workers believe their employees have given them adequate training around the protection of PII, while an Office of the Australian Information Commissioner (OAIC) study published in May found that just 55 percent of companies had adequate privacy policies in place.
Broader compliance with ISO 27018 is expected to not only boost everyday protections for the personal data of Australian and overseas users, but will help foster a culture of privacy that cloud providers believe will help them overcome customer concerns about entrusting cloud platforms with sensitive customer data.
Microsoft was the first cloud provider to achieve ISO 27018 compliance, spruiking the certification of its Azure cloud platform in February. Office 365, Dynamics CRM Online, and Microsoft Intune have also adopted the standard.
Rival Amazon Web Services (AWS) has certified its products to ISO 27001 requirements but has not yet followed suit on ISO 27018, while Google and Apple also have yet to achieve ISO 27018 compliance for their respective cloud offerings.
This article is brought to you by Enex TestLab, content directors for CSO Australia.
- Cloud-based threat aggregation replacing “self-defeating” signature-based security as endpoints diversify
- Making the Best of BYOx
- How Can I Protect Myself from Identity Theft Online?
- Google shows security questions are terrible for forgotten passwords
- Adobe breached Privacy Act leaving 38 million customers exposed