Data security in the cloud: Practical implications of the ISO 27018 certification


According to recent studies, the majority of organizations regard recognized security procedures, or certification by independent third parties, as a crucial decision criterion when selecting a cloud provider.

Serious cloud providers want to be certified by independent parties to guarantee optimal security levels. However, which certification guarantees optimal security?

The most widely used European and international data security standards, such as ISO/IEC 27001, consist mostly of generic security requirements. The ISO/IEC 27018 standard (“Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”) deals exclusively with the processing of personal data in the cloud, formulating data privacy protection requirements for cloud services.

ISO/IEC 27018 is therefore an essential add-on for providing adequate customer security in the cloud. The standard essentially follows the applicable European data privacy laws and imposes comprehensive obligations on cloud providers regarding notification, information, transparency and evidence.

This has the following practical implications:

Personally identifiable information may only be processed as agreed with the customer.

Tools have to be offered that help customers access their personal data and allow them to edit, delete or correct that data.

Data may only be disclosed to law enforcement agencies where there is an existing legal obligation to do so. The customer has to be notified of the disclosure of their data, unless such notification is prohibited by law.

All relevant subcontractors, as well as the countries in which the data is processed, have to be disclosed before the customer contract is concluded.

Cloud providers are obliged to document all security violations, their expected consequences and the specific steps taken to resolve them. Security violations have to be reported to the customer immediately.

Mandatory rules for the transfer, return and use of customer data have to be established, e.g. in case of contract termination.

The provider is obliged to have the offered cloud services validated periodically, and after major system changes, by independent third parties.

ISO.org: ISO/IEC 27018:2014
