Security
Cloud Policy & Data Protection
Introduction
Cloud computing is a competitive field for enterprises with the longest investment horizons and enough cash to build economies of scale. According to research firm Synergy, the cloud infrastructure services market was worth 21bn in 2015 (from Cloud UC Market Primer, March 2014).
The Cloud Computing Market is mainly comprised of:
- Infrastructure as a Service (IaaS),
- Platform as a Service (PaaS), and
- Software as a Service (SaaS).
Synergy estimated that the four largest players accounted for 50 per cent of this market, with Amazon at 28 per cent, Microsoft at 11 per cent, IBM at 7 per cent and Google at 5 per cent. Of these, Microsoft’s 2014 revenues almost doubled over 2013, whilst Amazon’s and IBM’s were each up by around half.
Moreover, the proportion of computing sourced from the cloud compared to on-premise looks to rise rapidly. Already in 2014, enterprise applications in the cloud accounted for one fifth of the total. This is predicted to increase to one third by 2018.
Most importantly, this rapid growth represents a huge increase in the amount of personal data (Personally Identifiable Information or PII) going into the cloud and in the number of cloud customers contracting for the various services. Because the growth is taking place at such a staggering pace, the security of personal data in the cloud continues to be a concern for many.
Personally Identifiable Information (PII)
The biggest concern when it comes to cloud computing is the security of PII. PII is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymise otherwise anonymous data, can be considered PII. In this regard, questions about PII are neither a new concern nor specific to cloud computing. These concerns apply to any organisational environment which carries sensitive customer data. Anyone who holds such data needs to comply with certain standards and practices, which are rather vague in most jurisdictions.
This definition of PII is important and governs most practices in financial institutions. PII is protected mostly through information processing practices within an organisation. Essentially, organisations replace the identifying elements of the information with anonymised values and safeguard the mapping between those anonymised values and the underlying personal data. This process, which can be defined as anonymisation, lies at the heart of any organisational security practice which deals with sensitive personal data internally.
Universal Security Standards
Until very recently, there were no international standards focusing on the protection of personal data in the public cloud. In 2014, however, ISO 27018 was published, focusing specifically on the protection of personal data in the public cloud. Here are the key principles of ISO 27018:
- Consent and choice
  - Cloud service providers should make available tools to enable customers to comply with data access, data correction and data removal requirements;
- Purpose legitimacy and specification
  - Cloud service providers should only process PII in accordance with the customer’s instructions, should refrain from using customer data for their own purposes and may process PII for marketing or advertising purposes only with the customer’s express consent. Such consent should not be a condition for receiving the service;
- Data minimisation
  - Temporary files and documents should be erased or destroyed within a specified, documented period, and periodic checks should be conducted to ensure that unused temporary files above a certain age are deleted;
- Use, retention and disclosure limitation
  - Disclosure of PII to law enforcement authorities should only be made when there is a legal obligation to do so and, if permissible, cloud service providers should notify customers in advance of such disclosure. Disclosures of PII to third parties should also be recorded, including what PII has been disclosed, to whom and at what time;
- Openness, transparency and notice
  - Cloud service providers should disclose to customers, prior to entering into a service contract, the identity of sub-contractors and the possible locations where the PII may be processed;
- Accountability
  - Cloud service providers should promptly notify the relevant customer in the event of any unauthorised access to PII, or unauthorised access to processing equipment or facilities, resulting in loss, disclosure or alteration of PII;
- PII return, transfer or disposal
  - Cloud service providers should have a policy regarding the return, transfer or erasure of PII and should make this policy available to the customer;
- Information security
  - Personnel under the cloud service provider’s control with access to PII should be subject to confidentiality obligations.
  - The creation of hard copy materials containing PII should be restricted, and such materials must be destroyed securely (e.g. cross-cut shredding).
  - There should be procedures to log any data restoration efforts.
  - There should be protection for data on storage media leaving the cloud service provider’s premises, including authorisation procedures and restricting access to authorised personnel only (e.g. by encryption).
  - Portable physical media devices that do not permit encryption should not be used except where it is unavoidable, and any such use should be documented.
  - PII should be encrypted prior to transmission over public data-transmission networks.
Our Policy
We treat the issue of data protection with the utmost care and vigilance in order to protect our customers and our entire business model from potential setbacks. Long before ISO 27018 was published, we adhered to the principles outlined in the ISO 27018 document: we applied them when choosing our cloud solution vendors, and we embedded them in our minimum system requirements and in the recommendations and advice we give to our end users on anonymising data and on in-house deployments.
Cloud Security Standard Due Diligence
Our current principal cloud service providers are:
Our cloud service providers do not access, disclose or use customer content, including personal content, stored or processed on their cloud infrastructure and are therefore not controllers of the data. As such, although Telostat has control over the way data is stored and processed, our operational procedures are aligned to the Non-Disclosure and Data Processing Agreements signed with our clients; this yields the security practices that ISO 27018 requires and ensures compliance with other international standards.
Should clients require a cloud solution in a jurisdiction in which our current cloud service providers are not available, Telostat will carry out due diligence on the available vendors and select the most suitable vendor that complies with the guidelines.
Anonymisation of PII
Upon request, Telostat will advise clients on anonymising their data securely and help with the necessary encryption, mapping and process flow to ensure that information processing and identification are separated, with the mapping solely in the control of Telostat’s clients.
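The separation of processing from identification described under "Personally Identifiable Information" and in this section is illustrated by the following added example; it is not Telostat's code. It assumes a hypothetical `PiiVault` standing in for the client-held mapping store, keyed HMAC-SHA256 tokens in place of the identifying fields, and a constructed sample record.

```python
import hashlib
import hmac
import secrets

# Fields treated as identifying in the constructed sample records.
PII_FIELDS = ("name", "email", "national_id")


class PiiVault:
    """Stand-in for the separately protected mapping store (kept on-premise)."""

    def __init__(self, key: bytes):
        self._key = key          # secret that never leaves the data owner
        self._mapping = {}       # token -> original PII value

    def tokenise(self, field: str, value: str) -> str:
        # Keyed hash: the same value always yields the same token, so joins
        # across records still work, but without the key nobody can compute
        # the token for a guessed value (a plain hash would allow that).
        mac = hmac.new(self._key, f"{field}\0{value}".encode(), hashlib.sha256)
        token = f"{field}_{mac.hexdigest()[:16]}"
        self._mapping[token] = value
        return token

    def reidentify(self, token: str) -> str:
        return self._mapping[token]


def pseudonymise(record: dict, vault: PiiVault) -> dict:
    """Return the copy of a record that may be sent to the cloud service."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = vault.tokenise(field, out[field])
    return out


def restore(record: dict, vault: PiiVault) -> dict:
    """Re-identify a pseudonymised record; only possible with the vault."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = vault.reidentify(out[field])
    return out


def leaks_pii(cloud_record: dict, original: dict) -> bool:
    """True if any original PII value is visible in the cloud-side copy."""
    values = {str(v) for v in cloud_record.values()}
    return any(str(original[f]) in values for f in PII_FIELDS if f in original)
```

Create the vault with a freshly generated key (for example `PiiVault(secrets.token_bytes(32))`) and keep both the key and the vault outside the cloud-side dataset; the cloud copy carries only tokens and non-identifying fields.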
Our Cloud Service Providers’ Security Certifications
The following schedule lists the security certifications which our cloud providers carry or adhere to, as officially advertised on their websites. At the time of preparation of this document, the following certificates were listed for these cloud service providers:
| Microsoft Azure | Amazon Web Services | Digital Ocean |
|---|---|---|
| CDSA | PCI DSS Level 1 | ISO/IEC 27001:2013 |
| CJIS | SOC 1 / ISAE 3402 | EU-U.S. and Swiss-U.S. Privacy Shield Certification |
| CSA CCM | SOC 2 | |
| DIACAP | SOC 3 | |
| DISA Level 2 | FIPS 140-2 | |
| EU Model Clauses | CSA | |
| FDA 21 CFR Part 11 | FedRAMP (SM) | |
| FedRAMP | DIACAP and FISMA | |
| FERPA | ISO 27001 | |
| FIPS 140-2 | MPAA | |
| FISC | Section 508 / VPAT | |
| IRS 1075 | HIPAA | |
| FedRAMP | DoD CSM Levels 1-2, 3-5 | |
| FISMA | ISO 9001 | |
| HIPAA / HITECH | CJIS | |
| CCSL (IRAP) | FERPA | |
| ISO/IEC 27001/27002:2013 | G-Cloud | |
| ISO/IEC 27018:2014 | IT-Grundschutz | |
| MLPS | IRAP (Australia) | |
| iDA Singapore | MTCS Tier 3 Certification | |
| MTCS SS Tier 3 | ITAR | |
| NZ GCIO | | |
| PCI DSS Level 1 | | |
| SOC 1 Type 2 and SOC 2 Type 2 | | |
| TCS CCCPPF | | |
| UK G-Cloud | | |
| Section 508 / VPATs | | |