1 / 14

Data Protection for Public Cloud (International Standard ISO 27018)

ITU Workshop on “Cloud Computing Standards – Today and the Future” (Geneva, Switzerland 14 November 2014). Data Protection for Public Cloud (International Standard ISO 27018). Stéphane Guilloteau Engineer Expert, Orange Labs stephane.guilloteau@orange.com. Agenda. Introduction

dianacooper
Download Presentation

Data Protection for Public Cloud (International Standard ISO 27018)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ITU Workshop on “Cloud Computing Standards – Today and the Future” (Geneva, Switzerland 14 November 2014) Data Protection for Public Cloud (International Standard ISO 27018) Stéphane Guilloteau Engineer Expert, Orange Labs stephane.guilloteau@orange.com

  2. Agenda • Introduction • Scope of 27018 • Methodology • Context • Requirements • Structure • Principles • Sector-specific examples • Conclusion

  3. ISO/IEC 27018 published in 2014/08 • Title • Code of practice for PII protection in public clouds acting as PII processors • PII=Personally Identifiable Information • ISO/IEC JTC1 SC27 WG5 • Information technology, Security techniques, Identity management and privacy technologies

  4. SC 27 Figure by Jan Schallaböck, Vice-Convenor WG5

  5. WG5 Figure by Jan Schallaböck, Vice-Convenor WG5

  6. Scope • Objective • To create a common set of security categories and controls that apply to a public cloud computing service provider • To meet the requirements for the protection of PII

  7. Methodology • Collecting together PII protection requirements according to ISO/IEC 29100 and the guidance for implementing controls given in ISO/IEC 27002 • Designed for • All types and sizes of organizations

  8. Context • A public cloud service provider is a “PII processor” when it processes PII for and according to the instructions of a cloud service customer (controller) • “Privacy by Design” • “PII lyfecycle consideration” • Information security risk environment

  9. Ecosystem Figure by Chris Mitchell, 27018 Editor

  10. Requirements • Three main sources • legal, statutory, regulatory and contractual requirements • risks • corporate policies

  11. 27002 structure Security policies Organization of information security Human resource security Asset management Access control Cryptography Physical and environmental security Operations security Communications security System acquisition, development and maintenance Supplier relationships Information security incident management Information security aspects of business continuity management Compliance

  12. 29100 principles Consent and choice Purpose legitimacy and specification Collection limitation Data minimization Use, retention and disclosure limitation Accuracy and quality Openness, transparency and notice Individual participation and access Accountability Information security Privacy compliance

  13. sector-specific examples • clearly allocate responsibilities between the public cloud PII processor, its sub-contractors and the cloud service customer • facilitate the exercise of PII principals’ rights • ensure purpose specification and limitation principles • notify data breach • specify PII geographical location

  14. Conclusion • comply with applicable obligations • be transparent • enter into contractual agreement • demonstrate effective implementation of PII protection • do not replace applicable legislation and regulations, but can assist • complete with standards in progress (29151, 29134…)

More Related