ISO Standard

Infrastructure as a Service (IaaS)

IaaS is a cloud computing service that provides users with virtualized computing, storage, and networking IT infrastructure resources.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What is Infrastructure as a Service (IaaS)?

According to the U.S. National Institute of Standards and Technology (NIST), IaaS is the capability to provision processing, storage, networks, and other fundamental computing resources where the consumer can deploy and run arbitrary software, including operating systems and applications, but does not manage the underlying cloud infrastructure. In short, it allows companies to rent a virtual data center instead of incurring the capital expense of building their own.

Why should Taiwanese companies pay attention to IaaS risks?

When adopting IaaS, Taiwanese companies primarily face compliance pressure from the Personal Data Protection Act (PDPA), which holds the company responsible for supervising the service provider when outsourcing data processing. The financial industry, in particular, is subject to strict regulations from the Financial Supervisory Commission (FSC), such as the "Self-Regulatory Rules for Outsourcing of Cloud Services by Financial Institutions," which mandates data encryption, audit rights, and an approval system for critical outsourcing operations. Inadequate security can lead to heavy fines and damage supply chain trust and corporate reputation.

Which ISO standards or international regulations are directly related?

Standards directly related to IaaS include:

1. **ISO/IEC 27017 (Code of practice for information security controls for cloud services)**: Provides specific security guidance for the cloud, such as defining security responsibilities between provider and customer in clause CLD.6.3.1.
2. **ISO/IEC 27001 (Information Security Management Systems)**: Serves as the foundational framework for security management. Its Annex A controls (e.g., A.5.23 Information security for use of cloud services) provide a basis for IaaS governance.
3. **ISO/IEC 27018 (Code of practice for PII protection in public clouds)**: Focuses on the protection of personally identifiable information in cloud environments.

Why choose Winners Consulting?

As Taiwan's first consultancy to integrate ERM, industrial engineering, and technology law, Winners Consulting, led by a founder with a preventive law background, excels at vertically integrating standards like ISO 27017 with corporate governance and internal controls, preventing redundant systems. Our multidisciplinary team of tech lawyers, ISO lead auditors, and data scientists has assisted semiconductor leaders like TSMC and MediaTek in enhancing their cloud security and trade secret protection, offering the most comprehensive risk assessment and compliance strategy for your IaaS adoption.
