Protecting Personal Data in Cloud Environments
23rd May 2015
Data security continues to attract the attention of organisations worldwide, at least if the uptake of the Information Security Management System standard ISO27001 is anything to go by. The proper identification of information assets (and the supporting assets such as premises, hardware, software, etc. upon which they rely) is essential if a proper assessment of vulnerabilities and threats is to be undertaken, and appropriate actions taken to manage identified risks.
Whilst ISO27001 provides a framework of 114 controls to help manage, reduce or remove risks, until recently these needed to be carefully implemented to provide specific protection to data in cloud environments. An additional standard, ISO27018:2014, is being widely welcomed by the risk community as it provides an extended control set specifically designed to highlight and address a range of risks and issues associated with personally identifiable information (PII) in the cloud.
Commercial and public sector ICT cloud systems seek to take advantage of the removal of dedicated infrastructure, the reduction in operational costs and the increase in flexibility and scalability, but must also remain focussed on managing data risks. Media-reported issues involving iCloud, Snapchat and Dropbox have not gone unnoticed by the public, and ongoing debates around off-shoring and the relevance of country-specific data protection legislation do little to build public confidence.
So how can ISO27018 help? Responsible cloud providers and application developers should be studying its contents and working out how they can implement the additional controls and provide the associated assurance that consumers seek. Whether it’s understanding the geographic location of PII data, having processes for reporting PII breaches and disclosures, or managing the printing or copying of PII data by a provider, there’s a family of more than 20 focused controls to choose from.
InfoSaaS already provides cloud-based IT risk management software which helps organisations to establish an effective Information Security Management System, from which many proceed to successfully gain formal ISO27001 certification. The next InfoSaaS update, in early June, will include “PII Data in the Cloud” as a risk assessment type, presenting organisations with a relevant range of cloud security risks and summaries of the ISO27018 controls which may address them.
For those organisations which manage cloud environments or develop cloud applications, being proactive in managing the associated risks not only protects their business from significant issues (data loss, legislative fines, brand damage, etc.) but also builds customer confidence, which in turn will increase the pace of cloud adoption. InfoSaaS can help – providing one of the most effective toolsets for managing today’s ICT risks.