As it approaches its first birthday, ISO 27018 – the first international standard focusing on the protection of personal data in the public cloud – continues to move centre stage as the battle for the Cloud moves up a gear.
At the highest level, this is a competitive field for the biggest companies – think billion dollar investments and million square foot data centres with a hundred thousand servers using enough energy to power a city.
According to research firm Synergy, the Cloud infrastructure services market - Infrastructure as a Service (Iaas), Platform as a Services (PaaS) and Private and Hybrid Cloud – was worth $16bn in 2014, up 50% on 2013, and is predicted to grow 30% to over $21bn in 2015. Synergy estimated that the four largest players accounted for 50% of this market, with Amazon at 28%, Microsoft at 11%, IBM at 7% and Google at 5%. Of these, Microsoft’s 2014 revenues almost doubled over 2013 and Amazon recently reported its AWS (Amazon Web Services) revenues at $1.6bn in the first quarter of 2015, up 50% on 2014.
Global SaaS (Software as a Service) revenues were estimated by Forrester Research at $72bn in 2014 and are predicted to grow by 20% to $87bn in 2015. Equally significantly, the proportion of computing sourced from the Cloud compared to on-premise is set to rise steeply: enterprise applications in the Cloud accounted for one fifth of the total in 2014 and this is predicted to increase to one third by 2018.
This growth represents a huge increase year on year in the amount of personal data (PII or personally identifiable information) going into the Cloud and the number of Cloud customers contracting for the various and growing types of Cloud services on offer. But as the Cloud continues to grow at these startling rates, the biggest inhibitor to Cloud services growth – trust about security of personal data in the Cloud – continues to hog the headlines.
Under data protection law, the Cloud Service Customer (CSC) retains responsibility for ensuring that its PII processing complies with the applicable rules. In the language of the EU Data Protection Directive, the CSC is the data controller. In the language of ISO 27018, the CSC is either a PII principal (processing their own data) or a PII controller (processing other PII principals’ data). Where a CSC contracts with a Cloud Service Provider (CSP), Article 17 the EU Data Protection Directive sets out how the relationship is to be governed. The CSC must have a written agreement with the CSP; must select a CSP providing ‘sufficient guarantees’ over the technical security measures and organizational measures governing PII in the Cloud service concerned; must ensure compliance with those measures; and must ensure that the CSP acts only on the CSC’s instructions.
As the pace of migration to the Cloud quickens, the world of data protection law continues both to be fragmented – 100 countries have their own laws – and to move at a pace driven by the need to mediate all competing interests rather than the pace of market developments.
In this world of burgeoning Cloud take-up, ISO 27018 is building a bridge over troubled data protection waters between Cloud market developments and effective Cloud contracts by providing CSCs with a workable degree of assurance in meeting their data protection law responsibilities. Almost a year on from publication of the standard, Microsoft has become the first major CSP (in February 2015) to achieve ISO 27018 certification for its Microsoft Azure (IaaS/PaaS), Office 365 (PaaS/Saas) and Dynamics CRM Online (SaaS) services (verified by BSI, the British Standards Institution) and its Microsoft Intune SaaS services (verified by Bureau Veritas).
Microsoft’s certifications show that ISO 27018 is not tied to any particular kind of Cloud service and applies to IaaS (Azure), PaaS (Azure and Office 365) and SaaS (Office 365 and Intune). If you consider computing services as a stack of layered elements ranging from networking (at the bottom of the stack) up through equipment and software to data (at the top), and that each of these elements can be carried out on premise or from the Cloud (from left to right), then ISO 27018 is flexible enough to cater for all situations across the continuum.
Software as a Licence to Software as a Service: the Cloud Continuum
Indeed, the standard specifically states at Paragraph 5.1.1:
“Contractual agreements should clearly allocate responsibilities between the public cloud PII processor [i.e. the CSP], its sub-contractors and the cloud service customer, taking into account the type of cloud service in question (e.g. a service of an IaaS, PaaS or SaaS category of the cloud computing reference architecture). For example, the allocation of responsibility for application layer controls may differ depending on whether the public cloud PII processor is providing a SaaS service or rather is providing a PaaS or IaaS service upon which the cloud service customer can build or layer its own applications.”
Certification also shows that the provider’s service is fit for processing personal data even if the provider doesn’t know if the customer’s data contains personal data. Perhaps the biggest practical boon to the CSC however is the contractual certainty that ISO 27018 certification provides. So when the procurement group at the Cloud customer is running a tender for a large Cloud contract, ISO 27018 certification enables them to grade the bidders; and then to include the requirement to comply with the standard as a contractual obligation when the agreement is let.
In the Cloud contract lifecycle, the flexibility provided by ISO 27018 certification, along with the contract and the CSP’s policy statements, goes beyond this to provide the CSC with a framework to discuss with the CSP on an ongoing basis the Cloud PII measures taken and their adequacy.
In its first year, it is emerging that complying, and being seen to comply, with ISO 27018 is providing genuine assurance for CSCs in managing their data protection legal obligations. This reassurance operates across the continuum of Cloud services and through the procurement and contract lifecycle, regardless of whether or not any particular data is PII. All this becomes more important when the market for Cloud infrastructure and platform services is growing by 30% a year; and when Cloud enterprise applications are set to rise from a fifth of the total to a third by 2018.
About the author
Richard Kemp is the founder of Kemp IT Law. With over thirty years’ experience at the leading edge of technology law practice, Richard is widely recognised as one of the world’s top IT lawyers. He has built an outstanding reputation for advice that combines commerciality and client service with innovative legal solutions to the business challenges of technology development, deployment and regulation.