Cloud Computing and Data Protection – What’s the point of Standards?
By: Peter F Brown, Independent Consultant, Secretary of OASIS
03 April 2012


One problem, one solution, right?

If I use some metaphors in my consulting work over and again, it’s because they work.

One such concerns Ironbridge: the settlement in the English industrial West Midlands named after its most famous asset – the first ever iron bridge. The bridge is interesting because, conceptually, it is a wooden bridge that happens to be made of iron. As the first iron bridge, there was nothing before it and therefore no template to use: instead the bridge is designed and executed using carpentry principles, as that was a familiar method for bridge building!

No-one is advocating that you can build a bridge any old way: good architects and good engineers cooperate using a vast array of standards, processes, disciplines and materials. The best combinations are used over and again, albeit with different designs. No single design fits all. Some core standards will be used across a whole discipline. Others may seem duplicative but serve to solve specific implementations.

Experiences in the cloud

Likewise, different technology vendors and communities have come up with a myriad different ways to implement “cloud computing”. What is new with the popularisation of cloud computing is the range of policy implications that arise as this infrastructure is distributed also across boundaries of ownership and jurisdiction.

From a consumer’s perspective – be that a private individual, an independent consultant like myself, or the largest government department or global corporation – cloud computing is at its best when it is invisible: it “just works”. When we dig a little deeper, however, concerns arise: Where is my data being stored? What happens if my service provider goes silent or bankrupt? What if I want to move content somewhere else? Or one of the most talked about today: is my data secure and who can access it?

Well, there are standards addressing these concerns. The global standards ISO 27001 and 27002, for example, are concerned with information security in general. A more recent work, ISO 27018 (still under finalisation), is concerned more specifically with data protection for public cloud computing services. Alongside this, another standards body, OASIS, has been working on the “Privacy Management Reference Model and Methodology” (PMRM), which provides a high-level methodology for data privacy practitioners to assess their organisation’s compliance with legislation and best practices. Standards from these and other organisations work together in providing a rich mixture of solutions addressing a wide array of problems – and it works!

Policy makers around the world continue to voice concerns, particularly in the area of data privacy, as part of their legitimate work representing citizens and businesses. The European Commission has contributed to this with its set of initiatives under the umbrella title of “Safeguarding Privacy in a Connected World”. There is much to welcome in the new proposals but equally some signs of “stone bridge building”. Being explicit about objectives, about what you want to achieve – whether that be portability of data between cloud platforms, data protection or other concerns – is important but mandating a single standard or way forward for each problem will not help. At a time of incredible technological innovation in this relatively new domain of cloud computing, it would be a pity to see ‘mere’ stone bridges.

We are pleased to host on our website contributions from external experts and stakeholders and we are grateful for their time and thoughts. The content developed by our guest bloggers is purely the reflections of the author and does not necessarily reflect Microsoft positions.
