Kevin:
Theo, everyone knows about the concept of trust. How does this relate to cloud though?
Theo:
As with all new things there are elements of trust that need to be considered, engendered and, if found to be appropriate, finally accepted. Historically speaking one can easily think of internet banking and air travel, to mention but a few. The element of trust becomes vital when the man in the street feels he has limited control over his person, belongings or interests and relies on a 3rd party to exercise all or elements of control over the aforementioned. Trust becomes that much more important when the 3rd party provides services that are designed to and do ultimately deliver value to the individual.
Kevin:
Microsoft clearly takes the issue of trust very seriously. In the same vein, I believe there is a new cloud privacy standard on the way. Can you tell me a bit more about that?
Theo:
Yes indeed. In July 2015 the International Organization for Standards published the ISO 27018 aimed at providing a global benchmark standard for the handling of personally identifiable information by cloud service providers. As an addendum to ISO/IEC 27001, ISO/IEC 27018 provides specific guidance to Cloud Service Providers (CSP) for assessment of risks and implementation of state-of-the-art controls for protection of PII stored in the cloud.
Cloud computing presents enormous benefits for individuals and companies. Yet, since their data is effectively remotely located and physically under the control of a 3rd party, customer trust becomes a core aspect of the relationship that governs a cloud service provider and a consumer of its services.
Kevin:
Ok, so as an attorney at Microsoft, can you tell us how trust is woven into the business operations there?
Theo:
At Microsoft the issue of trust has long been written into the DNA of the company. In January 2002 Bill Gates drafted an oft-quoted memo to the company in which he said:
“Computing is already an important part of many people’s lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.”
The memo also included the following:
“Trustworthiness is a much broader concept than security, and winning our customers’ trust involves more than just fixing bugs and achieving “five-nines” availability. It’s a fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services. It’s about smart software, services and industry-wide cooperation.”
As Microsoft moves into the Mobile First, Cloud First era, trust is at the forefront of its services and devices – be this through privacy by design or the security development life-cycle that is core to its products and services, not to mention its recently established Digital Crimes Unit.
Microsoft’s commitments to trust are evidenced not only by its internal processes and systems, but also by its responses and certifications regarding privacy and security as found in its Safe Harbor Certification, HIPAA Certification, EU Model Clauses and ISO 27001 Certification, to mention but a few.
Kevin:
So what does the ISO 27018 standard mean in practical terms?
Theo:
Well, often a standard can be overly technical, leaving one asking, what does this mean to me? The following six key principles define what the ISO 27018 standard means to users of cloud services that comply with the standard:
1. Consent: Cloud Service Providers (“CSP”) may not process personal data for purposes independent of the instructions of the customer. Additionally, CSPs must not use personal data for advertising and marketing unless expressly instructed to do so. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
2. Control: Customers have explicit control of how their information is used.
3. Transparency: CSPs must inform customers where their data resides and make clear commitments about how that data is handled.
4. Accountability: Any breach of information security should trigger a review by the CSP to determine if there was any loss, disclosure, or alteration of PII.
09 | www.firstdistribution.co.za