Page 1: Data Protection for Public Cloud (International Standard ISO 27018)

Stéphane Guilloteau, Engineer Expert, Orange Labs
[email protected]

ITU Workshop on “Cloud Computing Standards – Today and the Future”
Geneva, Switzerland, 14 November 2014


Page 2: Agenda

Introduction
Scope of 27018
Methodology
Context
Requirements
Structure
Principles
Sector-specific examples
Conclusion

Page 3: ISO/IEC 27018

Title: Code of practice for PII protection in public clouds acting as PII processors (PII = Personally Identifiable Information)
Developed by ISO/IEC JTC 1/SC 27/WG 5: Information technology, Security techniques, Identity management and privacy technologies
Published: August 2014

Page 4: SC 27

[Figure: organisation of ISO/IEC JTC 1/SC 27. Figure by Jan Schallaböck, Vice-Convenor WG5]

Page 5: WG5

[Figure: organisation of SC 27 WG5. Figure by Jan Schallaböck, Vice-Convenor WG5]

Page 6: Scope

Objective:
To create a common set of security categories and controls that apply to a public cloud computing service provider
To meet the requirements for the protection of PII

Page 7: Methodology

Collecting together the PII protection requirements of ISO/IEC 29100 and the guidance for implementing controls given in ISO/IEC 27002
Designed for all types and sizes of organizations

Page 8: Context

A public cloud service provider is a “PII processor” when it processes PII for, and according to the instructions of, a cloud service customer (the controller)
“Privacy by Design”
“PII lifecycle consideration”
Information security risk environment

Page 9: Ecosystem

[Figure: the public cloud PII processing ecosystem. Figure by Chris Mitchell, 27018 Editor]

Page 10: Requirements

Three main sources:
legal, statutory, regulatory and contractual requirements
risks
corporate policies

Page 11: 27002 structure

Security policies
Organization of information security
Human resource security
Asset management
Access control
Cryptography
Physical and environmental security
Operations security
Communications security
System acquisition, development and maintenance
Supplier relationships
Information security incident management
Information security aspects of business continuity management
Compliance

Page 12: 29100 principles

Consent and choice
Purpose legitimacy and specification
Collection limitation
Data minimization
Use, retention and disclosure limitation
Accuracy and quality
Openness, transparency and notice
Individual participation and access
Accountability
Information security
Privacy compliance

Page 13: Sector-specific examples

Clearly allocate responsibilities between the public cloud PII processor, its sub-contractors and the cloud service customer
Facilitate the exercise of PII principals’ rights
Ensure the purpose specification and limitation principles
Notify data breaches
Specify the geographical location of PII

Page 14: Conclusion

Comply with applicable obligations
Be transparent
Enter into contractual agreements
Demonstrate effective implementation of PII protection
Does not replace applicable legislation and regulations, but can assist
To be complemented by standards in progress (29151, 29134…)