To quote the Chinese proverb, "a journey of a thousand miles begins with a single step". But is Microsoft's adoption of ISO/IEC 27018, the (not so) new cloud data privacy standard published in July 2014, the start of a journey or no more than an isolated step?
My experience is that, in some areas, cloud service providers' commercial offerings are becoming more flexible, and in particular, there's an increased willingness to negotiate certain issues and to provide assurances that regional privacy and security concerns are taken seriously. So, what does ISO/IEC 27018 add - and should other cloud service providers follow suit?
ISO/IEC 27018 is a "Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors" published by the International Organization for Standardization (ISO). (Like others, ISO definitely needs help to liven up its naming procedures.)
It is intended to provide a common compliance framework for public cloud service providers, particularly those operating in a multinational market where data privacy and security laws and regulations vary from jurisdiction to jurisdiction.
ISO/IEC 27018 takes into account the specific risk environment which applies to cloud service providers, and augments more generic standards in two ways: (i) it provides additional guidance on how to implement the existing standards and controls within a public cloud setting, and (ii) it introduces additional controls that are specific to cloud services. It is firmly aimed at cloud service providers, not customers.
Cloud service providers can become certified under ISO/IEC 27018, and cloud customers can verify a provider's compliance with the standard via the provider's certificate of conformity. That would seem to be a good way to reduce time-consuming and distracting discussions over data privacy compliance in the cloud. So why is Microsoft so far the only big public cloud provider to come out in favour of ISO/IEC 27018? Is it a cost thing?
Certification under the ISO/IEC 27000 standards family outside the cloud is generally considered best practice in terms of information security, and many customers mandate that their providers meet these standards. In the same way, cloud service customers may begin to require that cloud service providers comply with this new voluntary standard for cloud services. Even where a cloud service provider has not achieved certification, a customer may wish to include in the contract an obligation that the provider must comply with the requirements set out in the standard.
The downside, perhaps, is that using a cloud service provider certified to the new standard will not in itself ensure that the customer is compliant with its own legal obligations. Customers will still need to ensure that they comply with all applicable privacy laws and regulations in the relevant territories when appointing a cloud service provider. But the new standard may be useful to customers in identifying specific controls that may be appropriate to include in the information security requirements detailed in the contract.
While ISO/IEC 27018 was seen, after its adoption, as a positive step towards more uniform cloud privacy and security practices, it existed somewhat in a vacuum. It really needed wider adoption to give it a stamp of credibility. Microsoft's decision to adopt it could spur other cloud service providers into action. But ISO/IEC 27018 still has a long way to go to become the de facto standard employed by cloud providers industry-wide.