ISO 27018 And Personal Information In The Cloud: First Year Scorecard
Getting on for a year after it was published, ISO 27018 - the first international standard focusing on the protection of personal data in the public cloud - continues, unobtrusively and out of the spotlight, to move centre stage as the battle for Cloud pre-eminence hots up.
At the highest level, this is a competitive field for those with the longest investment horizons and the deepest pockets - think million square foot data centres with 100,000+ servers using enough energy to power a city. According to research firm Synergy, the Cloud infrastructure services market - Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Private and Hybrid Cloud - was worth $16bn in 2014, up 50% on 2013, and is predicted to grow 30% to over $21bn in 2015. Synergy estimated that the four largest players accounted for 50% of this market, with Amazon at 28%, Microsoft at 11%, IBM at 7% and Google at 5%. Of these, Microsoft's 2014 revenues almost doubled over 2013, whilst Amazon's and IBM's were each up by around half. Global SaaS (Software as a Service) revenues were estimated by Forrester Research at $72bn in 2014 and are predicted to grow by 20% to $87bn in 2015. Equally significantly, the proportion of computing sourced from the Cloud compared to on-premise is set to rise steeply: enterprise applications in the Cloud accounted for one fifth of the total in 2014 and this is predicted to increase to one third by 2018.
This growth represents a huge increase year on year in the amount of personal data (PII or personally identifiable information) going into the Cloud and the number of Cloud customers contracting for the various and growing types of Cloud services on offer. But as the Cloud continues to grow at these startling rates, the biggest inhibitor to Cloud services growth - trust about security of personal data in the Cloud - continues to hog the headlines.
Under data protection law, the Cloud Service Customer (CSC) retains responsibility for ensuring that its PII processing complies with the applicable rules. In the language of the EU Data Protection Directive, the CSC is the data controller. In the language of ISO 27018, the CSC is either a PII principal (processing her own data) or a PII controller (processing other PII principals' data). Where a CSC contracts with a Cloud Service Provider (CSP), Article 17 of the EU Data Protection Directive sets out how the relationship is to be governed. The CSC must have a written agreement with the...