Cloud computing is rapidly becoming an integral part of daily life. However, cloud computing services can involve the collection, storage, processing and transmission of sensitive data across multiple jurisdictions and through numerous parties including sub-contractors. As cloud computing moves beyond the hype to become a genuine business solution, the tension between the benefits and risks of the cloud becomes more acute.
The Hong Kong Government is keen to promote Hong Kong as an information and communications technology hub, citing Hong Kong’s mature IT infrastructure, high mobile internet penetration rate, free content transmission and proximity to Mainland China as providing a sound environment for the development of web-based businesses, such as cloud computing. However, concerns about cloud security and privacy may be holding some companies back from adopting cloud computing services in Hong Kong. Such fears are obviously not unique to Hong Kong; the European Commission noted in 2012 that data protection concerns were identified as one of the most serious barriers to cloud computing take-up. The Commission called for wider use of standards, certification of cloud services and the endorsement of such certificates by regulatory authorities.
In response, in July 2014, the International Organisation for Standardisation (ISO) published ISO 27018 which establishes guidelines for cloud service providers for the protection of Personally Identifiable Information (PII). The standard was developed in consultation with contributors from 14 countries and 5 international organisations and is the first privacy-specific international standard for the cloud.
Key Principles of ISO 27018
ISO 27018 is based on ISO 27001 (which is the existing best practice standard on information security management) but specifically addresses the risks to PII protection arising from the processing of PII by public cloud service providers. Annex A to ISO 27018 provides a set of additional controls and guidance to address public cloud PII protection requirements in accordance with the 11 privacy principles set out in ISO/IEC 29100 which include:
Cloud service providers should subject their services to periodic independent information security reviews.
ISO 27018 does not replace applicable national legislation and regulations, but can assist by providing a common compliance framework for public cloud service providers, in particular those that operate in a multinational market.
The Office of the Government Chief Information Officer in Hong Kong has stated its commitment to promoting the development and adoption of international cloud standards and best practices in Hong Kong to stimulate the development of the cloud computing industry and facilitate cloud adoption by local enterprises. The “Expert Group on Cloud Computing Services and Standards” was established in 2012. In April 2013 it published a “Security and Privacy Checklist for Cloud Service Providers in Handling Personal Identifiable Information in Cloud Platforms”, which provides high-level guidance for cloud service providers to consider when implementing management, operational and technical measures:
The ISO 27018 standard has now created a more streamlined system for adhering to regulations set by data protection authorities around the world. As cloud computing services mature, cloud service providers are becoming more competitive. In the opening speech at the “BSI Information & Cloud Security Conference 2014”, Daniel Lai, the Government Chief Information Officer, stated that cloud service consumers need to understand cloud computing and to evaluate different cloud service providers' offers, including their information security and privacy protection offerings. However, an average cloud service consumer may be confused about how to choose a trustworthy cloud service provider from among the many players in the market.
He noted that standards might be the key to this dilemma. Through information and cloud security standards, security requirements and offerings of both cloud service consumers and providers are explicitly set out, which facilitates the alignment of security expectations and services of both parties. He said that service providers acquiring security-related certifications can illustrate their credentials, instil confidence in potential customers, and demonstrate their capabilities to deliver trusted products and services.