AWS compliance questioned for Amazon WorkMail, WorkDocs

As AWS expands into apps such as email, experts say it should strengthen its data privacy credentials with ISO certification 27018, as Microsoft has.

Amazon Web Services is expected to follow Microsoft in earning a new data privacy certification for its email and file-sharing apps -- though the cloud giant hasn't made the move to certify that users have control over their personal information just yet.

The International Organization for Standardization (ISO) 27018 certification is fairly new, published in July 2014, and applies specifically to the controllers of personally identifiable information (PII). Microsoft last month was the first cloud services provider to earn the ISO 27018 certification.

Certification under this standard attests that the cloud service provider will not use personal data for advertising and marketing unless expressly instructed by the customer; that it will give the customer explicit control over how information is used; that it will inform customers where data resides and disclose the use of contractors used to process personal data; that it will notify customers about data breaches; and that it will submit to a yearly audit from a third party based on these requirements.

Amazon Web Services (AWS) already has ISO certifications under the ISO 27001 and 9001 standards. ISO 27001 specifies security management best practices and 9001 governs the general quality of products and services. Microsoft also has ISO 27001 certification.

There is also the question of whether AWS counts as a PII controller; as an infrastructure provider, AWS does not access, disclose or use customer content, including personal content, stored or processed in the AWS cloud. Infrastructure providers are not controllers per se.

However, some industry analysts raise the question of whether the Amazon WorkMail and WorkDocs services, which remain in preview in the U.S. East (Northern Virginia) and Europe (Ireland) regions, would make AWS subject to laws and standards such as ISO 27018 that apply to data controllers.

"In this case where they are moving up the stack, offering more and more higher-value services like mail or desktop as a service, then they should fulfill this new ISO standard," said Rene Buest, senior analyst for Crisp Research, based in Kassel, Germany. He believes Amazon will follow Microsoft and obtain ISO 27018 certification.

There are also conflicting directives companies doing business in both the U.S. and Europe must contend with, according to Renee Murphy, a senior analyst for Forrester Research, Inc., specializing in security and risk management. As part of an EU privacy directive, European data centers have to notify a user when a law enforcement agency wants access to records, and the user can refuse. In the U.S., those rights don't exist under the auspices of the Patriot Act.

Microsoft is fighting just such a case of U.S. access to records stored in Ireland, struggling with what the U.S. government sees as corporate borders.

"Microsoft is trying to make the case that data is local and that data is under the EU law," Murphy said.

This also isn't Amazon's problem, specifically, but getting that case overturned is critical to the future of not just Microsoft, but all U.S.-based cloud vendors, if they want to be competitive in Europe.

"If they win, everything goes back to normal," Murphy said. "If they lose it puts the whole U.S. cloud provider market in jeopardy."

Thus, while not a technical or legal requirement, it would offer customers concerned about data privacy and security some additional comfort if AWS were to get the certification as well, legal experts said.

"They've got ISO certifications already and they want to be seen as being active in this space in helping to protect data," said Frank Jennings, partner at Wallace LLP, London, who specializes in legal questions surrounding cloud computing. "I can't see why they wouldn't want to do that, especially if WorkMail is but one of many office functionality type suites that they're going to be introducing."

Amazon declined to comment for this article.

Beth Pariseau is senior news writer for SearchAWS. Write to her at [email protected] or follow @PariseauTT on Twitter.