ISO 27018 - Adding Trust in Cloud Storage

Thursday, 25 June 2015 by Jennifer Duits

The purpose of the ISO/IEC 27XXX family is to standardise the use of information technology. ISO 27018, for which Microsoft claims to be the first provider certified, on its Azure platform, is dedicated to cloud services. What are the new standards? What do they involve? What do they mean?

The standardisation of cloud storage seems almost impossible, yet it is a question of methodology. One objective of ISO 27018 is to improve the trust of clients storing data in the cloud, and the protection of personal data is considered a key component. In February 2015, Brad Smith, Microsoft's executive vice-president for legal affairs, explained what was necessary to complete ISO/IEC 27018 certification on the Azure platform, Office 365 and Dynamics CRM.

There are six fundamental principles which define how personal data and a cloud platform must be protected under the ISO 27018 standard.

  1. Data control: Knowing where the data is stored and being in complete control of the data life cycle.
  2. Data use: The data stored will not be resold or used for the purposes of marketing.
  3. Data protection: Data is highly protected with the most up-to-date security technologies, not only to protect its content but also to control access to and recovery of that content. In addition, the staff involved in managing cloud data are bound by total confidentiality.
  4. Quality of cloud services: The service provider has to be able to clearly explain the state of the service at any time. They have to report every problem that occurs and take precise corrective action.
  5. Access to data for authorities: Clients will be informed about every request from authorities to access their data. Authorities may access the data if they are entitled to do so under the applicable law, in particular when the law has been violated; in that case it does not matter where the data is stored, whether in the cloud or elsewhere.
  6. Validation by a trusted third party: Every year, a trusted third party validates that the services adhere to the principles of the standard and to any revisions of its requirements.

In the next blog post we will talk more about the technical requirements necessary for compliance with this standard, focusing more deeply on the quality of cloud services and giving examples of what exists and how it works in practice. The key word of the ISO/IEC 27018:2014 standard is “trust” – a principle that both clients and providers have to keep in mind.

More information about ISO standards can be found here:

https://www.iso.org/fr/standards.html

https://en.wikipedia.org/wiki/International_Organization_for_Standardization

More information on Microsoft's certification:

http://blogs.microsoft.com/on-the-issues/2015/02/16/microsoft-adopts-first-international-cloud-privacy-standard/