Microsoft Adopts ISO/IEC 27018 For Personal Data, Privacy Protection In Public Cloud
Microsoft has adopted an international standard for certifying the security of its cloud offerings, making it the first major cloud services provider to do so, the company says.
The company adopted the International Organization for Standardization and International Electrotechnical Commission's standard 27018 to certify the security of its cloud offerings, using the guidelines to set a uniform, international approach to protecting privacy for personal data stored in the cloud.
Microsoft's Azure Cloud, Office 365 and Dynamics CRM Online have all been certified to meet ISO/IEC 27018's privacy and security standards. Each of the cloud products' compliance with the standard has been independently verified by the British Standards Institute, according to Brad Smith, general counsel and executive vice president of legal and corporate affairs at Microsoft.
"As we've said before, customers will only use services that they trust," says Smith. "The validation that we've adopted this standard is further evidence of our commitment to protect the privacy of our customers online."
Microsoft's compliance with ISO/IEC 27018 gives a set of assurances to customers of its clouds for enterprises and for individuals. For starters, users are in control of their data and Microsoft can only use that information in a manner laid out by its customers.
Customers are apprised of any events related to their data, which includes movement inside data centers and law enforcement requests to access that information.
"We'll not only let you know where your data is, but if we work with other companies who need to access your data, we'll let you know who we're working with," says Smith.
Customers will be made aware of any unauthorized access to personal information or data centers that results in the alteration or disclosure of its customers' data. And law enforcement requests will be passed along to customers, except in countries where it isn't lawful to do so.
Compliance with the standard means Microsoft will continue its practice of keeping its customers' cloud data out of the hands of advertisers, says Smith. Microsoft's enterprise customers continue to express concerns that cloud service providers could be selling their data to advertisers, but Redmond's commitment against handing data over to marketers is now backed by its ISO/IEC 27018 certification, says Smith.
"The adoption of this standard reaffirms our longstanding commitment not to use enterprise customer data for advertising purposes," says Smith.
The standard also sets restrictions on how the company handles personally identifiable information, including restrictions on how it is transmitted over public networks, its storage on transportable media, and processes for data recovery and restoration. Additionally, the standard requires that everyone who processes personally identifiable information is subject to confidentiality rules.
There has been reluctance on the part of enterprise organizations to embrace cloud apps and storage following National Security Agency analyst Edward Snowden's revelation about the spy organization's monitoring of information managed by cloud service providers.
Microsoft's ISO/IEC 27018 certification is the latest development in the company's drive to gain the trust of current and potential cloud customers. Signing on months before Google and Apple, Microsoft was one of the first technology companies to sign the Pledge to Safeguard Student Data.