
Introduction of “Data Center” as Building Use Category, Application of CSAP to SaaS, Introduction of ISMS-P

2018.11.30

There have been recent noteworthy trends in cloud computing. The major trends are briefly summarized below.
 

  • Introduction of “Data Center” as New Subcategory of Building Use Classification System under the Building Act

On September 4, 2018, the government announced a proposed amendment to the Enforcement Decree of the Building Act.  The proposed amendment introduces “Data Center” as a new subcategory of the “Broadcasting and Telecommunications Facilities” category concerning building use. It is intended to reflect the changes in the market where data center buildings are becoming more common.

As there is currently no separate category of “Data Center” under the building use classification system, building owners have been classifying their buildings used as data centers under different categories, such as “Broadcasting and Telecommunications Facilities,” “Business Facilities” or “Education and Research Facilities,” when applying for approval of building construction with local governments.

The proposed amendment will enter into effect six months after the date of its promulgation, which date is March 5, 2019.  Once it takes effect, it is more likely that buildings built as data centers would be required to be categorized as “Data Center” and, under the zoning laws and regulations, the area in which a data center building can be located would differ from the areas where buildings classified under categories other than “Broadcasting and Telecommunications Facilities,” which is the higher category of “Data Center” in the amendment, are located.  Further, as opposed to buildings that have already been designated for other uses, data center buildings may be subject to different requirements with respect to parking lots, evacuation facilities, fire hydrant facilities, etc.
 

  • Cloud Security Assurance Program as Applied to SaaS

The Cloud Security Assurance Program (“CSAP”) is a certification system that certifies the security of a cloud system provided by a cloud service provider (“CSP”).  In July 2018, the Korea Internet & Security Agency (“KISA”), the agency that administers the CSAP certification system, newly established the CSAP certification standards for Software as a Service (“SaaS”).  Before July 2018, the CSAP certification system provided a certification standard only for Infrastructure as a Service (“IaaS”), and therefore only an IaaS could be certified by the CSAP.  Due to KISA’s recent reform of the CSAP certification system, SaaS can now be certified by the CSAP as well. KISA has been actively promoting and providing guidance on the standards to date.

In general, CSAP certification is voluntary (and not mandatory).  However, customers in the public sector (i.e., public agencies) are required to use a cloud service that has obtained CSAP certification pursuant to the relevant guidelines, and therefore CSPs need to obtain CSAP certification when providing cloud services to public agencies.

According to KISA, the CSAP certification may only be issued in respect of a SaaS service running on a CSAP-certified IaaS. If the CSAP certification is applied for in respect of a SaaS service running on an IaaS without CSAP certification, both the IaaS and the SaaS will be reviewed as part of the CSAP certification review process.

Currently, only five domestic CSPs (i.e., KT, Naver Business Platform, Gabia, NHN Entertainment, and LG CNS) have acquired the CSAP certification for IaaS. It is anticipated that more CSPs that offer only SaaS will apply for the CSAP certification.
 

  • Introduction of the ISMS-P Certification: a Certification Procedure Integrating ISMS and PIMS

The Personal Information & Information Security Management System (“ISMS-P”) certification process has been introduced, which integrates Information Security Management System (“ISMS”) and Personal Information Management System (“PIMS”).  ISMS deals with the appropriateness of an information protection management system, while PIMS addresses the appropriateness of a personal information protection management system.

While PIMS is a voluntary certification, ISMS certification is mandatory for data center operators, colocation service providers, nationwide facilities-based telecommunication service providers and telecommunication service providers that meet a certain sales amount threshold or number-of-users threshold in the provision of telecommunication services.

The relevant ministries (the Ministry of Science and ICT, the Ministry of the Interior and Safety, and the Korea Communications Commission) have integrated the two certification systems (including certification procedures, standards and certification authorities) into a single system, called ISMS-P, in order to mitigate the burden on companies that are required to obtain both certifications, since there are some overlapping aspects between the two.

Under ISMS-P, a business operator may obtain both ISMS and PIMS through one single application and review process, which may reduce the review timeframe and cost associated with obtaining the certifications.
 
