Microsoft Azure, Office 365 get tick for new cloud privacy standard

Microsoft has gained third-party verification that its core cloud services adhere to a new international standard for handling private information in public clouds.

The standard Microsoft has adopted is ISO/IEC 27018, which was developed by the International Organisation for Standardisation last year in response to calls by European regulators for a compliance framework to audit cloud providers.

Europe has raised concerns over standard “take-it-or-leave-it” contracts typically offered by cloud providers. As noted in the European Commission’s 2012 Cloud Strategy, even larger companies had little power to negotiate terms of the contract, which often don’t provide for liability for data integrity, confidentiality and service continuity. A proper framework that helped providers comply with local legislation would improve uptake of cloud services.

Microsoft’s chief legal counsel Brad Smith announced on Monday that the British Standards Institute has now independently verified that Microsoft’s Azure cloud, Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for protecting private data in the cloud. Bureau Veritas has verified alignment for Microsoft Intune.

Used in conjunction with the earlier ISO 27002 information security standard, the cloud standard aims to “create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor”.

Besides greater transparency for the customer, the standard also offers customers a framework for exercising audit and compliance rights in cloud environments and helps both customer and provider enter into a contractual agreement.

Smith highlighted several benefits for enterprise customers, including that Microsoft’s adherence to the standard commits it to processing PII only on the customer’s instructions.

It also means Microsoft met the standard’s guidelines on transparency about its policies for the return, transfer and deletion of personal information that customers store in its data centres.

“We’ll not only let you know where your data is, but if we work with other companies who need to access your data, we’ll let you know who we’re working with. In addition, if there is unauthorized access to personally identifiable information or processing equipment or facilities resulting in the loss, disclosure or alteration of this information, we’ll let you know about this,” said Smith.

Some of the security assurances the standard includes are restrictions on the transmission of PII over public networks, on storage and on portable media, as well as a requirement that the provider have proper processes for data recovery and restoration.

“In addition, the standard ensures that all of the people, including our own employees, who process personally identifiable information must be subject to a confidentiality obligation,” said Smith.

Microsoft's adoption of the standard also means it’s required to tell enterprise customers when a government requests access to PII in its control, unless it’s been prohibited by law.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Liam Tung