ISO 27018: Cloud Quality and Control

Wednesday, 1 July 2015 by Jennifer Duits

Among the main characteristics of the ISO 27018 standard are requirements that a Cloud Service Provider (CSP) allow users to monitor the quality of the services handling their data. The reporting provided by the CSP gives useful information about the tools set up to enable this kind of control.

Currently, not many cloud platforms comply with ISO 27018; those that do give precise indications about what happens within their platform. In this article, we discuss elements from the Microsoft Azure and Office 365 platforms. One thing to keep in mind is that this is a very new standard: the ISO 27018 announcement dates back only to May 2015 and concerns only Dropbox's enterprise offering.

Microsoft was the first to act, but with a first cloud platform dating from 2008, they are not a new provider. One of the oldest SaaS cloud platforms is Office 365, created more than 3 years ago after several important technical evolutions.

Quality of cloud services

Besides very strong security on access and on data transport, the Office 365 platform includes an Exchange server, a SharePoint server, a Lync server (now named Skype Enterprises), a social network (Yammer), access to data stored in Professional OneDrive, and other services. Image 1 below shows the status of each Office 365 service over a one-week period. The blue points depict incidents; clicking on one of them displays the content shown in image 2, the complete detail of the incident and its consequences. The incidents are not very numerous, but they can affect the platform's behaviour, particularly access to some functions. Current incidents are shown in a different colour from older ones. From this short analysis, we can conclude that the service provider does not hide problems and does what it can to keep the system fully functional, which satisfies one of the main principles of the ISO 27018 standard: transparency. This also gives users some control, since they know about any incident involving their data or services.

Resources for administrators and partners

It is important to note that the global administrator of the cloud platform's service manages the accounts, access rights, etc. of the whole system and of related services (which could include administration of a physical server within a company). It is also noteworthy that the user company's delegated partner is able to perform the same functions as the administrator, which allows supervision of the whole storage solution to be delegated without someone internal having to handle everything. In other words, the partner can monitor the whole solution in the same way as the global administrator while also off-loading some of the work.

Services of a global supervisor

The partner that Microsoft references as a trusted intermediary for cloud clients has access to a more detailed console, which gives him or her information about all incidents of all clients, classified by type of service (image 3). This confirms two aspects of adherence to the ISO 27018 standard's requirement to provide information about service quality. It also shows that the global supervisor designated by the client is known and approved by Microsoft, so a trustworthy and confidential relationship is established.

In conclusion, ISO 27018 is a set of standards for cloud providers to adhere to in order to instil trust and an enhanced user experience for their clients.