AWS urged to follow Azure on cloud data privacy

As AWS expands into apps such as email, experts say it should strengthen its data privacy credentials by following the controls set forth in the new ISO 27018 standard.

Microsoft Azure adheres to a new cloud data privacy standard for its email and file-sharing apps, and industry watchers expect Amazon Web Services to do the same. But the cloud giant hasn't made any public moves to ensure users have control over their personal information just yet.

The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27018:2014 standard, published in July 2014, applies specifically to the controllers of personally identifiable information. Microsoft last month was the first cloud services provider to be accredited as following the provisions of the ISO/IEC 27018:2014 standard, colloquially known as ISO 27018, which is an extension of ISO 27001.

Compliance with the ISO 27018 standard means the cloud service provider will not use personal data for advertising and marketing unless expressly instructed by the customer; it will give the customer explicit control over how information is used; it will inform customers where data resides and disclose the use of contractors used to process personal data; it will notify customers about data breaches; and it will submit to a yearly audit from a third party based on these requirements.

AWS already has ISO certifications under the ISO 27001 and 9001 standards. ISO 27001 specifies security management best practices and 9001 governs the general quality of products and services.

Microsoft also has ISO 27001 certification. ISO 27018 isn't certified separately, but the British Standards Institute has independently verified that, in addition to Microsoft Azure, both Office 365 and Dynamics CRM Online are aligned with the ISO 27018 standard.

Does AWS need to meet ISO 27018?

Infrastructure providers are not controllers per se. AWS does not access, disclose or use customer content, including personal content, stored or processed in the AWS cloud. However, some industry analysts raise the question of whether the Amazon WorkMail and WorkDocs services, which remain in preview in the U.S. East (Northern Virginia) and Europe (Ireland) regions, would make AWS subject to standards like ISO 27018 that apply to data controllers.

"In this case, where they are moving up the stack, offering more and more higher-value services like mail or desktop as a service, then they should fulfill this new ISO standard," said Rene Buest, senior analyst for Crisp Research based in Kassel, Germany. He believes Amazon will follow Microsoft and meet the standard.

There are also conflicting directives that companies doing business in both the U.S. and Europe must contend with, according to Renee Murphy, a senior analyst for Forrester Research, Inc. who specializes in security and risk management. As part of an EU privacy directive, European data centers have to notify a user when a law enforcement agency wants access to records, and the user can refuse. In the U.S., those rights don't exist under the auspices of the Patriot Act.

Microsoft is fighting just such a case of U.S. access to records stored in Ireland, struggling with what the U.S. government sees as corporate borders.

"Microsoft is trying to make the case that data is local and that data is under the EU law," Murphy said.

This also isn't Amazon's problem, specifically, but getting that case overturned is critical to the future of not just Microsoft, but all U.S.-based cloud vendors, if they want to be competitive in Europe.

"If they win, everything goes back to normal," Murphy said. "If they lose it puts the whole U.S. cloud provider market in jeopardy."

Thus, while not a technical or legal requirement, it would offer customers concerned about cloud data privacy and security some additional comfort if AWS were to follow the ISO 27018 standard as well, legal experts said.

"They've got ISO certifications already and they want to be seen as being active in this space in helping to protect data," said Frank Jennings, partner at Wallace LLP, London, who specializes in legal questions surrounding cloud computing. "I can't see why they wouldn't want to do that, especially if WorkMail is but one of many office functionality type suites that they're going to be introducing."

Other industry experts pointed out that ISO 27018 may be redundant to existing standards. For example, there is a lot of overlap between ISO standards and existing prescriptive regulations like the Payment Card Industry Data Security Standard, which AWS has already been certified against as compliant, according to Adrian Sanabria, senior security analyst with 451 Research, based in New York.

"In fact, it is quite common to see PCI and ISO 27001 assessments paired up because there is so much overlap between the two," Sanabria said.

Amazon declined to comment for this article.

Beth Pariseau is senior news writer for SearchAWS. Write to her at [email protected] or follow @PariseauTT on Twitter. News writer Trevor Jones contributed to this report.