Microsoft has gained third-party verification that its core cloud services adhere to a new international standard for handling private information in public clouds.
The standard Microsoft has adopted is ISO/IEC 27018, which was developed by the International Organisation for Standardisation last year in response to calls by European regulators for a compliance framework to audit cloud providers.
Europe has raised concerns over standard “take-it-or-leave-it” contracts typically offered by cloud providers. As noted in the European Commission’s 2012 Cloud Strategy, even larger companies had little power to negotiate terms of the contract, which often don’t provide for liability for data integrity, confidentiality and service continuity. A proper framework that helped providers comply with local legislation would improve uptake of cloud services.
Microsoft’s chief legal counsel Brad Smith announced on Monday that the British Standards Institute has now independently verified that Microsoft’s Azure cloud, Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for protecting private data in the cloud. Bureau Veritas has verified alignment for Microsoft Intune.
Used in conjunction with the earlier information security ISO 27002 standard, the cloud standard aims to “create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor”.
Besides greater transparency for the customer, the standard also offers customers a framework for exercising audit and compliance rights in cloud environments and helps both customer and provider enter into a contractual agreement.
Smith highlighted several benefits for enterprise customers, including that Microsoft’s adherence to the standard ensures the company only processes PII according to the customer’s instructions.
It also means Microsoft met the standard’s guidelines on transparency about its policies for the return, transfer and deletion of personal information that customers store in its data centres.
“We’ll not only let you know where your data is, but if we work with other companies who need to access your data, we’ll let you know who we’re working with. In addition, if there is unauthorized access to personally identifiable information or processing equipment or facilities resulting in the loss, disclosure or alteration of this information, we’ll let you know about this,” said Smith.
Some of the security assurances the standard includes are restrictions on the transmission of PII over public networks, on its storage and on portable media, as well as requirements that the provider has proper processes for data recovery and restoration.
“In addition, the standard ensures that all of the people, including our own employees, who process personally identifiable information must be subject to a confidentiality obligation,” said Smith.
Microsoft's adoption of the standard also means it’s required to tell enterprise customers when a government requests access to PII in its control, unless it’s been prohibited by law.
This article is brought to you by Enex TestLab, content directors for CSO Australia.