Thales Blog

Cloud Security: Happy Anniversary ISO 27018!

October 13, 2015

One Year Anniversary of ISO 27018While protecting data in the cloud can seem like a daunting task, now more than ever enterprises are rising up to the task to defend data while keeping systems compliant. This month marks the anniversary of ISO 27018, a globally recognized standard that details a strong set of controls for enabling the processing of data within cloud computing environments; the first of its kind. As we approach the one year mark of ISO 27018, I wanted to reflect on cloud computing and privacy, and what it means to technology providers, security professionals and end-users.

ClickToTweet: Reflections on #CloudSecurity and #ISO27018

Since the inception of ISO 27018, here’s what you need to know:

  • As the first international-privacy standard for cloud services, this is a milestone for cloud-based security. Unlike ISO 27001 and ISO 27002 that are focused on generalized computing standards and best practices, this standard is specifically focused on the cloud, and the protections needed in cloud environments to meet the needs of  compliance frameworks and data privacy laws (especially in the EU but also applicable to laws in other jurisdictions).
  • Certification is available to essentially any company that is able to process personal identifiable information, (PII). That’s why this standard is so valuable for cloud-based providers—because the standard protects and regulates all of the ins and outs of PII.
  • From information consent and security, to data transparency and breach notification, ISO 27018 has PII at the core of every component of the standard.
  • While ISO 27018 provides an excellent framework, there are still some hurdles that cloud providers must overcome. This includes understanding the storage and documentation of PII and creating awareness for customers to better understand how their data is managed. According to Vormetric’s Insider Threat Report, in the U.S. 82 percent of IT decision makers note that the lack of control over the location of their data in cloud environments as their top cloud data security concern.

As standards continue to develop in the coming years, it is important for cloud service providers of all types to take note of the increasing regulation of sensitive data. As seen last week with the revocation by the EU's top court of the  Safe Harbor Agreement under which U.S. organizations have been using PII from EU, companies all over the world are seeing an increased demand for strict policies in cloud and data management; particularly in the EU as data protection laws are setting the pace.

Ultimately, data is the target. True data security requires a combination of technologies to reduce the attack surface available – limiting the ‘who, what, when, where and how’ of data access, and keeping a careful eye on those with a legitimate need to access it by monitoring their behavior that may indicate an attack.

The Vormetric Cloud Encryption Gateway works alongside ISO 27018 to protect data. Enterprises can now fully trust their providers, as the enterprise is always the custodian of encryption keys and sensitive user data is always encrypted. Additionally, the Vormetric Cloud Encryption Gateway protects against privileged user abuse and reduces the risk of data being subpoenaed without prior knowledge. All data usage is monitored, providing high visibility into data access. With the Vormetric Cloud Encryption Gateway, IT is empowered to offer secure and compliant cloud storage services, delivering data control with on-premise key management.

Privacy remains the most pressing issue when it comes to anticipating new legislation. Not only has it impacted the debate, but it has shaped the security industry more broadly. This is especially the case as we store increasingly large amounts of data on the cloud.

Questions? Comments? Would love to hear your thoughts. Tweet to me @CJrad.