Security

Cloud Policy & Data Protection

Introduction

Cloud computing is a competitive field for enterprises with the longest investment horizons and enough cash to be able to build the economies of scale. According to research firm Synergy, the cloud infrastructure services market was worth $16bn in 2014, up 50 per cent on 2013 and is predicted to grow 30 per cent to over $21bn in 2015 (from Cloud UC Market Primer, March 2014).

The Cloud Computing Market is mainly comprised of:

Synergy estimated that the four largest players accounted for 50 per cent of this market, with Amazon at 28 per cent, Microsoft at 11 per cent, IBM at 7 per cent and Google at 5 per cent. Of these, Microsoft’s 2014 revenues almost doubled over 2013, whilst Amazon’s and IBM’s were each up by around half.

Moreover, the proportion of computing sourced from the cloud compared to on-premise looks to rise rapidly. Already in 2014, enterprise applications in the cloud accounted for one fifth of the total. This is predicted to increase to one third by 2018.

Most importantly, this rapid growth represents a huge increase in the amount of personal data (Personally Identifiable Information or PII) going into the cloud and the number of cloud customers contracting for the various services. As the growth takes place in such staggering manner, questions about security of personal data in the cloud continues to be a concern for many.

Personally Identifiable Information (PII)

The biggest concern when it comes to cloud computing is the security of PII. PII is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII. In this regard, questions about PII is not a new concern nor specific to cloud computing. These concerns apply to any organisational environment which carries sensitive customer data. Anyone who has such data needs to comply with certain standards and practices, which is rather vague in most jurisdictions.

This definition of PII is important and governs most practices in financial institutions. The PII is encrypted, mostly through information processing practices within an organisation. Essentially, organisations will anonymise the identity of the information and safeguard the mapping of the anonymised information and the personal data. This process, which can be defined as anonymisation, lies at the heart of any organisational security practice which deals with sensitive personal data internally.

Universal Security Standards

Until very recently, there were no international standards focusing on the protection of personal data in the public cloud. In 2014, however, ISO 27018 was published focusing on the protection of personal data in the public cloud. Here are the key principles of ISO 27018:

Consent and choice
Cloud service providers should make available tools to enable customers to comply with data access, data correction and data removal requirements;
Purpose legitimacy and specification
Cloud service providers should only process PII in accordance with the customer’s instructions, should refrain from using customer data for its own purposes and may process PII for marketing or advertising purposes only with the customer’s express consent. Such consent should not be a condition for receiving the service;
Data minimisation
Temporary files and documents should be erased or destroyed within a specified, documented period and periodic checks should be conducted to ensure that unused temporary files above a certain age are deleted;
Use, retention and disclosure limitation
Disclosure of PII to law enforcement authorities should only be made when there is a legal obligation to do so and, if permissible, cloud service providers should notify customers in advance of such disclosure. Disclosures of PII to third parties should also be recorded, including what PII has been disclosed, to whom and at what time;
Openness, transparency and notice
Cloud service providers should disclose to customers, prior to entering into a service contract, the identity of sub-contractors and possible locations where the PII may be processed;
Accountability
Cloud service providers should promptly notify the relevant customer in the event of any unauthorised access to PII or unauthorised access to processing equipment or facilities resulting in loss, disclosure or alteration of PII;
PII return, transfer or disposal
Cloud service providers should have a policy regarding the return, transfer or erasure of PII and should make this policy available to the customer;
Information security
  1. Personnel under the cloud service provider’s control with access to PII should be subject to confidentiality obligations.
  2. The creation of hard copy materials containing PII should be restricted and must be destroyed securely e.g. cross-cutting, shredding etc.
  3. There should be procedures to log any data restoration efforts.
  4. There should be protection for data on storage media leaving the cloud service provider’s premises including authorisation procedures and restricting access to authorised personnel only (e.g. by encryption).
  5. Portable physical media devices that do not permit encryption should not be used except where it is unavoidable and any such use should be documented.
  6. PII should be encrypted prior to transmission over public data-transmission networks.

Telostat’s Policy

As Telostat, we treat the issue of data protection with utmost care and vigilance in order to protect our customers and our entire business model from potential setbacks. Long before ISO 27018 was published, we adhered to the principles outlined in the ISO 27018 document and integrated it into our vendor of cloud solution choices as well as embedded them into our minimum system requirements and recommendations and advices to our endusers when it comes to anonymising data and/or in-house deployments.

Cloud Security Standard Due Diligence

Telostat’s current principle cloud service providers are:

Our cloud service providers do not access, disclose or use customer content, including personal content, stored or processed on their cloud inrastructure and are therefore not controllers of the data. As such, although Telostat has control over the way data is stored and processed, our operational procedures are aligned to Non-Disclosure and Data Processing Agreements signed with our clients which consequently creates security practices as ISO 27018 requires and ensures compliance to other international standards.

Should clients require a cloud solution in the jurisdiction in which our current cloud service providers are not available, Telostat will do its due diligence of the available vendors and find the most suitable vendor which comply with the guidelines.

Anonymisation of PII

Upon request, Telostat will advice clients on anonymising their data securely and help with the necessary encryption, mapping and process flow to ensure information processing and identification are separated and it the control of Telostat’s clients solely.

Our Cloud Service Providers’ Security Certifications

Following schedule provides a list of security certifications which our cloud providers carries or adheres to as officially advertised on their websites:

Microsoft Azure

  • CDSA
  • CJIS
  • CSA CCM
  • DIACAP
  • DISA Level 2
  • EU Model Clauses
  • FDA 21 CFR Part 11
  • FedRAMP
  • FERPA
  • FIPS 140-2
  • FISC
  • IRS 1075
  • FedRAMP
  • FISMA
  • HIPAA / HITECH
  • CCSL (IRAP)
  • ISO/IEC 27001/27002:2013
  • ISO/IEC 27018:2014
  • MLPS
  • iDA Singapore
  • MTCS SS Tier 3
  • NZ GCIO
  • PCI DSS Level 1
  • SOC 1 Type 2 and SOC 2 Type 2
  • TCS CCCPPF
  • UK G-Cloud
  • Section 508 / VPATs

Amazon Web Services

  • PCI DSS Level 1
  • SOC 1 / ISAE 3402
  • SOC 2
  • SOC 3
  • FIPS 140-2
  • CSA
  • FedRAMP (SM)
  • DIACAP and FISMA
  • ISO 27001
  • MPAA
  • Section 508 / VPAT
  • HIPAA
  • Dod CSM Levels 1-2, 3-5
  • ISO 9001
  • CJIS
  • FERPA
  • G-Cloud
  • IT - Grundschutz
  • IRAP (Australia)
  • MTCS Tier 3 Certification
  • ITAR

Rackspace Inc

  • ISO 27001
  • ISO 27002
  • PCI-DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD)
  • SSAE16
  • SOC 1
  • SOC 2
  • SOC 3
  • SAFE HARBOR
  • CONTENT PROTECTION AND SECURITY STANDARD (CPS)