CISPE has recently published the first Code of Conduct for Cloud infrastructure providers: it’s important to acknowledge its existence and its content for both clients interested in Cloud service (in the choice of the service) and for providers of such services (to evaluate whether to adhere to it).
In this new article of our column we cover security and confidentiality of data in Cloud services, including confidential business content and the industrial property that must be safeguarded. But the recent publication by CISPE, last 27 September, of the first Code of Conduct for Cloud Infrastructure Service Providers led us to a short detour from our usual routine. What is CISPE, in case you don’t know it? The acronym stands for Cloud Infrastructure Services Providers in Europe, and it is an alliance of around twenty Cloud infrastructure providers operating in different European countries.
Why adopt a Code of Conduct?
The idea of the Code, as stated in its introductory part, arose from the general observation by CISPE members that clients of a Cloud computing service that processes personal data consider it a key element that the provider process those data in compliance with European data protection law. From the provider’s perspective, the Code is meant to be a tool to which a provider may voluntarily adhere (or not), thereby showing clients that the services offered comply with the Code’s rules.
Which Cloud services does this Code apply to?
The Code focuses in particular on Cloud services provided by IaaS providers, one of the three fundamental Cloud service models. Infrastructure-as-a-Service providers (i.e. those providing virtual hardware or computing infrastructure) are called CISPs, or “Cloud Infrastructure Services Providers”. The goal of the Code, as originally conceived, is to guide clients of these services in evaluating whether a Cloud infrastructure service is suitable for their needs.
What are the requirements of the Code?
The fundamental normative part is contained in Chapters 5 and 6, which set out a number of data protection and transparency requirements that providers adhering to the Code must respect as data processors, with particular attention to the security of the processed data. Let’s look at the main ones.
With regards to the data protection profile, which is contained in Chapter 5, providers certified with the CISPE Code of Conduct:
- Must offer their clients the option of processing and storing data exclusively inside the EU or the European Economic Area: this way, clients can control where their data are physically processed and stored.
- Can’t perform profiling or data mining operations, which basically means extracting information from clients’ data to exploit it for the provider’s own use or for sale to third parties, for instance for marketing and advertising purposes. In other words, they commit not to reuse or sell data.
- Must operate in compliance with the requirements of the new European Regulation on data protection.
- Must enter into contracts with clients containing well-defined clauses.
- Must adopt the adequate security measures set out in the Code.
- Can’t subcontract the service without written authorization from the client, and then only under the same conditions as the main contract, for which the main provider remains responsible in any case.
- Must guarantee that their employees work under a specific commitment to confidentiality.
- Must notify the client of any data breach and of any wrong or incorrect behaviour without delay.
- At the end of the service, must destroy or return all personal data to the client.
In terms of transparency (Chapter 6), six elements are listed that the provider must offer the client in order to guarantee an adequate level of transparency:
- a written agreement that formalizes the division of responsibilities between the CISP and the client with regard to the security of the service;
- a high level of attention to the security measures and standards applied to the service;
- clear and precise information about the structure and the operating mode of the service;
- information about the existence of a risk management program (of the CISP);
- information about the security measures put in place by the CISP;
- sufficient guarantees of the information given about security management, and the possibility for the client to verify them.
A CISP can therefore declare its adherence to the Code (in accordance with Chapter 3) if:
- the services offered (or some of them, in which case it must state which ones) are provided in compliance with the rules contained in the Code;
- it operates in compliance with all EU rules on data protection, including the Guidelines and the General Data Protection Regulation;
- it allows the client to process and store data entirely inside the European Economic Area.
Lastly, how do you know whether a provider adheres to the Code and, if you are a provider yourself, how do you certify it? Cloud infrastructure providers that adhere to the Code and comply with the rules contained in it are given a Compliance Mark that proves their adherence, and their name is added to the public CISPE registry and indicated on its website.
The CISPE Code precedes the application of the new European Data Protection Regulation which, as we noted in a previous episode of this column, was approved last May and will be fully applicable in May 2018, and confirms the interest in, and the fundamental attention that users and providers of Cloud services must pay to, the security of data in such services.