Proposed Cloud Standard Would Guard Personal Data
With enterprise spending on cloud deployments expected to surpass all other IT expenditures by as early as 2016, industry standards are emerging in areas like data protection and guidelines for selecting cloud service providers.
Among them is a proposed international standard, released this week, that focuses on data privacy in public clouds. It would, among other things, spell out how customers can maintain control of "personally identifiable information" and set out procedures for handling data breaches.
The proposed cloud privacy standard from the International Standards Organization is designated ISO/IEC 27018. A white paper released Wednesday (Feb. 4) states that the proposed spec creates "the first voluntary international standard around business-to-business cloud computing services."
Compliance with the standard would require cloud providers to be transparent in their privacy practices and provide a means of comparing services. For example, cloud providers would have to adhere to customer wishes in processing personal information. That means personal information could not be used by cloud vendors for advertising or marketing purposes without the consent of the customer.
The standard also covers privacy issues related to data retention policies and the listing of third parties that provide specific cloud services to a primary vendor.
If a data breach occurs, a cloud provider would be required under the standard to "conduct a review to determine if there was any loss, disclosure or alteration of" personal information. Cloud providers also would have to "notify customers and keep clear records about the incident itself and the [cloud providers'] response to it."
ISO defines "personally identifiable information" as "any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal."
The ISO standard is generally described as "an important first step for protecting PII in the cloud. It is built on previous ISO guidance and will continue to evolve along with [cloud service providers] to provide more secure services upon which businesses can grow."
The ISO white paper was released by the Washington-based App Association, which advocates on behalf of software companies specializing in mobile applications. Among its members are Apple, Facebook, Intel and Microsoft.
The group argued that a data protection framework is needed because cloud providers "vary in the information they make available to potential customers about privacy protections and there is no guarantee that those promises are actually fulfilled."
The group added: "When comparing services, businesses are often left comparing apples to oranges. Now that the cloud market has matured, it is time for a systematic way to look at cloud privacy protections."
Some cloud storage providers are beginning to view data security as a potential revenue source. Storage giant EMC Corp. released a survey in December revealing that most global enterprises are "behind the curve" when it comes to data security.