The transition to cloud computing is a modern reality for businesses of all sizes. Cloud computing gives companies an efficient and inexpensive way to provide services and run their businesses. It has enabled companies to cut IT costs by over 35 percent, while helping improve IT staff productivity, simplify and standardize infrastructure, launch revenue-generating services more quickly, and improve resource utilization.

The portability and cost benefits are obvious, and have been the key driver – but today’s businesses are asking the next question: What about privacy and security? What will become of my business critical data residing on someone else’s cloud? What do I own, and what does the cloud provider have access to? Can my cloud provider profit from my data?

How do I know what an “industry best practice” even looks like?

For the first time, an industry standards body has attempted to answer some of those questions, or at least to provide a winnowing tool for identifying the features one should expect from a business cloud provider.

In August, the International Standards Organization (ISO) jumpstarted the conversation around cloud privacy and security by releasing a new voluntary cloud standard called ISO/IEC 27018. This standard, which builds on existing ISO privacy standards, states that cloud services providers (CSPs) must do the following:

  • Give consumers explicit control over how their personally identifiable information (PII) is used. It also requires CSPs to obtain affirmative permission from a user before their information can be used for advertising, and a service cannot make consent to advertising use of PII a condition of using the service.
  • Provide transparent PII security and data retention policies covering how consumers’ data is handled and where it is stored. CSPs must also provide a method for consumers to extract their data or delete it after they leave the service.
  • Fully disclose a list of the third parties who help process data. This lets consumers be better informed about who has access to their data and how they may use it.
  • In the event of a security breach, conduct a review to determine whether there was any loss, disclosure, or alteration of PII, and notify consumers and regulators of the incident.

To be certified under the standard, a CSP must be independently audited by an accredited certification organization, and subject itself to periodic third-party reviews.

This standard attempts to address what all companies need from their CSP: reliable privacy and security in the cloud, with transparency, accountability, and consent. In simple terms, tech companies need their invention blueprints to stay safe until they submit a patent application, health care providers must ensure that patient data is secure, and educational institutions must know that student data is not misused.

27018 provides a foundation for a workable standard to equip businesses with safe and affordable cloud services. CSPs that are differentiated by their security practices will empower companies to make more educated decisions. And we can all agree that that’s good for business.