The privacy push continues at Microsoft, as the software and now cloud giant announced that its Azure cloud platform, Office 365, and Dynamics CRM Online have been verified by the British Standards Institute (BSI) as complying with guidelines laid out in ISO’s international standard for protecting personal information in the cloud. The company also noted that Bureau Veritas has provided the same verification for Microsoft Intune.
According to two official company blogs, Microsoft is “the first major cloud provider to adopt the world’s first international standard for cloud privacy,” and Azure “is the first cloud platform to adopt ISO 27018.”
Issued by ISO in July of last year, ISO/IEC 27018:2014 “establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment”, according to the international standards body. The cloud privacy standard was published as a new component of ISO’s information security standard (27001).
Cloud providers adopting ISO 27018 must uphold several key principles to protect customer data. They include: letting the provider's customer control which personal data is processed; transparency about where data is stored, how it is used, and who has accessed it, whether legitimately or without authorization; security measures governing how data is processed, stored, transmitted, and recovered; using personal data for advertising and marketing only if the customer has consented; submitting to yearly third-party audits to determine compliance; and informing customers about government requests for their data unless prohibited by local law.
Adopting the standard comes in response to enterprise client concerns about cloud-related privacy issues, noted Brad Smith, Microsoft’s general counsel and executive VP of Legal and Corporate Affairs, in a blog post announcing the achievement.
“We’re optimistic that ISO 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors,” he wrote, adding that “the validation that we’ve adopted this standard is further evidence of our commitment to protect the privacy of our customers online.”
Privacy in a Post-Snowden World
Since Edward Snowden’s disclosures about NSA-related surveillance became public, Microsoft has been keen to establish itself as a privacy bastion. Whether on principle or to distance the company’s reputation from initial – and likely erroneous – reports claiming it aided NSA efforts, Microsoft has gone to great lengths to maintain the privacy of its customers’ data and to publicize the number of national security requests it receives.
This past December, fellow tech giants Apple, Amazon, and HP backed Microsoft’s appeal of a court order demanding it provide the US government with emails stored at one of its data centers in Dublin. This past summer, a Manhattan-based federal judge ordered Microsoft to hand over the emails of a European customer who was part of a drug trafficking investigation. Microsoft defied the order and was held in contempt of court for refusing to hand over the data. The company has consistently argued that any subpoena for the emails – stored in Dublin – should come from Irish authorities and not the US government.