
New cloud standard brings 5 principles to government cloud


Most of the government leaders I talk to appreciate ISO standards for the uniformity and security they bring to their IT operations. But few associate the International Standards Organization with cloud standards, and for good reason: until recently, cloud standards didn’t exist. Then last July, ISO published ISO/IEC 27018 and the world shifted just a bit.

The new standard challenges cloud service providers to implement a set of universal, international guidelines for protecting personal information in the cloud. I’m happy to say that Microsoft was an early adopter (you may have seen Brad Smith’s recent announcement or the write-up in Tech Times and other sources). I’m even happier to discuss what it means for the public sector. For the first time, governments and cities can get all the benefits of the cloud while knowing that their cloud-based data is governed by known, documented guidelines.

There are five principles behind the ISO standard. Think of them as a code of conduct in the cloud—a kind of promise between you, your cloud provider, and the citizens who entrust you with their Personally Identifiable Information (PII).

1. It’s your data. You control it.
Under the ISO standard, you control what information resides in the cloud, who can access it, how it’s transmitted, and how it’s restored in the event of a loss. Your role on the front end is vital. You need to understand the types of data you’re storing, classify it, and define policies for how it will be handled. With that done, you can control your data wherever it lands in the cloud.

2. You should know what’s happening with your data.
You should know where it is, when it moves, and who sees it. Here again, your role is crucial. Make sure you understand your local laws and requirements. Where can various data types reside? Who’s authorized to access it? How should it be handled in an emergency? Once you define the policies, your ISO-compliant cloud provider will help your rules get implemented.

3. Your data must be protected.
The standard provides guidelines for protecting personal information during storage, transmission, and recovery. The layers of protection are deep and evolving fast, as evidenced by Azure, Office 365, Dynamics CRM Online, and other parts of Microsoft’s ISO-compliant cloud suite. If you haven’t investigated cloud security recently, you should take a fresh look. It’s a new ballgame.

4. Your data won’t be used for advertising.
It seems so basic: your data is your data. No one has the right to use it without your permission. Thanks to ISO, the days when big, cloud-based service providers could access and sell your personal information simply because you use their service are almost behind us. If you opt in to targeted advertising, great. Otherwise, see point 1.

5. If authorities want access to your data, you’ll be notified.
If a law enforcement agency requests access to your records, you’ll be notified as long as there’s no legal requirement prohibiting the disclosure. The ISO standard is designed to establish a unilateral process for how, when, and to what extent cloud-based records can be accessed by authorities. This is an issue we know well at Microsoft. The ISO standard simply reinforces our commitment.

ISO/IEC 27018 is just the tip of the spear. Its five basic principles are welcome and needed, and there’s more to come. I often tell my colleagues in government to keep the pressure on. Encourage your IT team to challenge the status quo, demand more cloud standards, and embrace new security measures. The next wave of cloud standards is already being developed. Let’s make sure our voices in the public sector are heard.

Have a comment or opinion on this post? Let me know @Microsoft_Gov. Or e-mail us at ongovernment@microsoft.com.