V3.co.uk

Office 365, Dynamics and Intune achieve ISO 27018 cloud security standard

Microsoft doing everything it can to entice customers to the cloud

Cloud security
Microsoft is assuring customers it has all the security concerns of the cloud under control
0 Comments

Microsoft has secured independent security accreditation for several of its major cloud services, in a move that could entice more security-conscious firms to use its web-hosted services.

Microsoft has received ISO 27018 compliance, a standard created by the International Standards Organisation, which sets out measures to "protect personally identifiable information [PII] stored in a public cloud environment".

Brad Smith, Microsoft general counsel for legal and corporate affairs, announced the accreditation in a blog post.

“The British Standards Institute has now independently verified that ... Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for the protection of PII in the public cloud. And similarly, Bureau Veritas has done the same for Microsoft Intune,” he said.

“Microsoft is the first major cloud provider to adopt the world’s first international standard for cloud privacy. It’s another reason customers can move with confidence to the Microsoft Cloud.”

ISO 27018 contains several important requirements that Smith outlined as key to achieving the certification.

These include the stipulation that Microsoft processes PII in accordance with instructions agreed to with a customer and adheres to the original commitments concerning how it will use data.

“Adherence to the standard ensures transparency about our policies regarding the return, transfer and deletion of personal information you store in our data centres,” Smith wrote.

“We’ll not only let you know where your data is, but if we work with other companies who need to access your data, we’ll let you know who we’re working with.”

Microsoft must also ensure strong security protection for the data it collects, and not use it for advertising purposes.

“The adoption of this standard reaffirms our long-standing commitment not to use enterprise customer data for advertising purposes,” Smith explained.

Lastly the accreditation means that Microsoft must inform the customer if the data is ever requested by law enforcement agencies.

“All of these commitments are even more important in the current legal environment, in which enterprise customers increasingly have their own privacy compliance obligations,” he said.

“We’re optimistic that ISO 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors.”

Microsoft’s move to achieve ISO 27018 accreditation comes during a legal battle with the US government over access to data stored in the cloud overseas.

The case, which is still rumbling on, could have major repercussions for US cloud firms by making it almost impossible to guarantee data sovereignty, regardless of location.

V3 Latest