Microsoft has reached a major milestone in its cloud privacy efforts. The Redmond, Wash.-based software company’s Azure cloud computing platform has been certified ISO 27018-compliant by the British Standards Institution (BSI), a first for the industry, announced Lori Woehler, principal group manager of Microsoft’s Compliance and Trust unit.
The testing and certification group found that Microsoft’s cloud “incorporates controls that are aligned to the ISO/IEC 27018 code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors,” wrote Woehler in a Feb. 16 blog post. “ISO 27018 is the first international set of privacy controls in the cloud, and Azure is the first cloud computing platform to adopt ISO 27018.” Other Azure-backed services, such as Office 365, Dynamics CRM Online and Microsoft Intune, have also adopted the standard, she added.
According to the International Organization for Standardization (ISO), the standard “establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.” ISO 27018 was published July 30, 2014.
Companies that adhere to ISO 27018 cannot leverage personal data for the advertising and marketing efforts without their express consent and must make their services available to customers that opt not to allow the use of their data for such purposes, according to Woehler. In the event of a breach, the companies “should notify customers, and keep clear records about the incident and the response to it,” she added.
For businesses, “ISO 27018 assures enterprise customers that privacy will be protected in several distinct ways,” wrote Brad Smith, general counsel and executive vice president, Legal and Corporate Affairs, Microsoft, in a separate blog post. Notably, sensitive data that resides on Azure is cloaked in enterprise-grade data security policies and safeguards.
“It ensures that there are defined restrictions on how we handle personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts,” said Smith. “In addition, the standard ensures that all of the people, including our own employees, who process personally identifiable information must be subject to a confidentiality obligation.”
And when governments come knocking, Microsoft is obligated to let their business customers know.
“The standard requires that law enforcement requests for disclosure of personally identifiable data must be disclosed to you as an enterprise customer, unless this disclosure is prohibited by law,” Smith said. “We’ve already adhered to this approach (and more), and adoption of the standard reinforces this commitment.”
Microsoft’s tough stance on cloud privacy has already landed the tech giant in court.
The company is currently appealing a federal court order instructing it to turn over emails sought by the U.S. Department of Justice. The emails at the center of the case are stored in a data center in Dublin, Ireland. Several technology and media organizations, including Apple, Amazon, HP, National Public Radio (NPR) and The Washington Post, have filed friend of the court briefs in support of Microsoft.
