TRANSCRIPT
Geneva, Switzerland, 14 November 2014
Data Protection for Public Cloud (International Standard ISO 27018)
Stéphane Guilloteau, Engineer Expert, Orange Labs
ITU Workshop on “Cloud Computing Standards – Today and the Future”
(Geneva, Switzerland 14 November 2014)
Agenda
- Introduction
- Scope of 27018
- Methodology
- Context
- Requirements
- Structure
- Principles
- Sector-specific examples
- Conclusion
ISO/IEC 27018
Title: Code of practice for PII protection in public clouds acting as PII processors
PII = Personally Identifiable Information
ISO/IEC JTC1 SC27 WG5: Information technology, Security techniques, Identity management and privacy technologies
Published in 2014/08
SC 27
Figure by Jan Schallaböck, Vice-Convenor WG5
WG5
Figure by Jan Schallaböck, Vice-Convenor WG5
Scope
Objective
- To create a common set of security categories and controls that apply to a public cloud computing service provider
- To meet the requirements for the protection of PII
Methodology
- Collecting together PII protection requirements according to ISO/IEC 29100 and the guidance for implementing controls given in ISO/IEC 27002
- Designed for all types and sizes of organizations
Context
- A public cloud service provider is a “PII processor” when it processes PII for and according to the instructions of a cloud service customer (controller)
- “Privacy by Design”
- “PII lifecycle consideration”
- Information security risk environment
Ecosystem
Figure by Chris Mitchell, 27018 Editor
Requirements
Three main sources
- legal, statutory, regulatory and contractual requirements
- risks
- corporate policies
27002 structure
- Security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
29100 principles
- Consent and choice
- Purpose legitimacy and specification
- Collection limitation
- Data minimization
- Use, retention and disclosure limitation
- Accuracy and quality
- Openness, transparency and notice
- Individual participation and access
- Accountability
- Information security
- Privacy compliance
Sector-specific examples
- clearly allocate responsibilities between the public cloud PII processor, its sub-contractors and the cloud service customer
- facilitate the exercise of PII principals’ rights
- ensure purpose specification and limitation principles
- notify data breach
- specify PII geographical location
Conclusion
- comply with applicable obligations
- be transparent
- enter into contractual agreement
- demonstrate effective implementation of PII protection
- do not replace applicable legislation and regulations, but can assist
- complete with standards in progress (29151, 29134…)