Microsoft Azure, Office 365 gets tick for new Cloud privacy standard

Microsoft has gained third-party verification that its core cloud services adhere to a new international standard for handling private information in public clouds.

The standard Microsoft has adopted is ISO/IEC 27018, which was developed by the International Organisation for Standardisation last year in response to calls by European regulators for a compliance framework to audit cloud providers.

Europe has raised concerns over standard “take-it-or-leave-it” contracts typically offered by cloud providers. As noted in the European Commission’s 2012 Cloud Strategy, even larger companies had little power to negotiate terms of the contract, which often don’t provide for liability for data integrity, confidentiality and service continuity. A proper framework that helped providers comply with local legislation would improve uptake of cloud services.

Microsoft’s chief legal counsel Brad Smith announced on Monday that the British Standards Institute has now independently verified that Microsoft’s Azure cloud, Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for protecting private data in the cloud. Bureau Veritas has verified alignment for Microsoft Intune.

Used in conjunction with the earlier information security ISO 27002 standard, the cloud standard aims to “create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor”.

Besides greater transparency for the customer, the standard also offers customers a framework for exercising audit and compliance rights in cloud environments and helps both customer and provider enter into a contractual agreement.

Smith highlighted several benefits for enterprise customers, including that Microsoft’s adherence to the standard ensures it processes PII only according to the customer’s instructions.

It also means Microsoft met the standard’s guidelines on transparency about its policies for the return, transfer and deletion of personal information that customers store in its data centres.

“We’ll not only let you know where your data is, but if we work with other companies who need to access your data, we’ll let you know who we’re working with. In addition, if there is unauthorized access to personally identifiable information or processing equipment or facilities resulting in the loss, disclosure or alteration of this information, we’ll let you know about this,” said Smith.

Some of the security assurances the standard includes are restrictions on the transmission of PII over public networks, on its storage and on portable media, as well as a requirement that the provider has proper processes for data recovery and restoration.

“In addition, the standard ensures that all of the people, including our own employees, who process personally identifiable information must be subject to a confidentiality obligation,” said Smith.

Microsoft's adoption of the standard also means it’s required to tell enterprise customers when a government requests access to PII in its control, unless it’s been prohibited by law.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Liam Tung