As organizations shift more of their data to the public cloud, including a steadily growing number of mission-critical workloads, the need for privacy controls grows. A group representing some of the biggest names in tech has put forth a standard aimed at addressing that requirement on an industry level for the first time.
The rather unassumingly named ISO/IEC 27018 is the code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. It extends the general ISO/IEC 27002 control set with cloud-specific PII controls, and it was developed and published by ISO/IEC rather than by any one industry body. Its most prominent champion, however, is The App Association, a Washington-based organization representing software companies that lists the likes of Intel and Microsoft, one of the world’s top infrastructure-as-a-service providers, among its backers.
To become compliant with the standard, a cloud operator must meet a number of straightforward requirements that many platforms already fulfill to various extents but that have not previously been codified into a common policy. The first obligation is to commit to not exploiting sensitive data stored on behalf of customers for marketing or advertising purposes without explicit consent.
That clause reflects the standard’s broader emphasis on establishing trust, which extends to other areas as well. In particular, it requires the provider to process personally identifiable information only as permitted by the customer. But it’s worth noting that the requirement is addressed specifically to the provider, which, combined with the standard’s use of the term “process” rather than “handle,” appears to leave government access to data outside its scope.
Since Microsoft and many of the group’s other members are obligated to hand over information to law enforcement agencies in certain situations, that’s an unavoidable reality for customers. However, the standard does establish some ground rules for protecting users. To meet compliance requirements, providers must “fully disclose all third parties who help process data and therefore have access to customer” information.
Moreover, the standard requires full transparency on where data is stored, how it’s handled and for how long it’s kept. The latter is particularly important when it comes to sensitive information such as medical records, since healthcare providers and other heavily regulated organizations not only need to ensure the privacy of their users but also must convincingly prove to regulators that they don’t hold onto data for longer than absolutely necessary.
Meeting the standard can therefore provide cloud operators with a valuable marketing advantage when competing for many mission-critical workloads. Customers, meanwhile, stand to gain the benefit of a universal metric for assessing the suitability of different platforms that cuts across multiple regions and jurisdictions.
The emergence of standards is a positive sign of a market’s maturation. Nearly a decade after the public cloud phenomenon first appeared on the industry radar, it’s about time for that.