Privacy, compliance and the cloud

Use of the cloud clearly brings with it major privacy concerns. Whilst a range of technical solutions, including use of one of the many variants of homomorphic encryption, potentially enable these concerns to be addressed, in practice such complex privacy enhancing technologies are not widely used. Instead, cloud users, including both individuals and organisations, rely in practice on contractual agreements to help ensure that Personally Identifiable Information (PII) stored in the cloud is handled appropriately. This contractual approach builds on compliance, a widely used notion in information security. Specifically, cloud service providers obtain certification of compliance to appropriate security standards and guidelines, notably the ISO/IEC 27000 series, to prove they provide a secure service. To provide privacy guarantees, a standard, ISO/IEC 27018:2014, has recently been published specifically aimed at enabling cloud service vendors to show compliance with regulations and laws governing the handling of PII. This is just the first in an emerging series of standards providing guidelines on cloud security and privacy, as well as more general PII handling in IT systems. This paper reviews the state of the art in such standards, and also looks forward to areas where further standards and guidelines are needed, including discussing the issues that they need to address.