Microsoft says it has become the first major cloud provider to adopt ISO/IEC 27018, the first international standard for cloud privacy.
The standard was published by the International Organisation for Standardisation (ISO) in July, and it aims to establish a uniform approach to protecting privacy and personal data stored in the public cloud, a hot topic of debate in light of the NSA's mass surveillance and Microsoft's ongoing court case over cloud data jurisdiction.
The BSI has independently verified that Office 365, Dynamics CRM Online and Azure are aligned with the standard's code of practice for protecting personally identifiable information (PII) in the public cloud, while Bureau Veritas has done the same for Microsoft Intune.
In short, the standard assures end-users that vendors such as Microsoft only access PII according to the instructions those end-users have given the vendor, and that they provide transparency on the storage, return, transfer, deletion and use of personal information held at a data centre. Furthermore, the standard stipulates that these personal details are not used for advertising purposes, that users are informed when third parties have seen them, and that strong security safeguards are in place at all times.
Crucially, Microsoft adds that the standard will also require cloud service providers (CSPs) to notify customers and keep clear records of security incidents in the event of a breach, while also requiring end-users to be kept in the loop when law enforcement requires access to their data.
On the latter, Microsoft said of its intentions: “We inform you about government access to data. The standard requires that law enforcement requests for disclosure of personally identifiable data must be disclosed to you as an enterprise customer, unless this disclosure is prohibited by law. We've already adhered to this approach (and more), and adoption of the standard reinforces this commitment.”
In a blog post, Microsoft general counsel Brad Smith said that the firm's adherence to the standard could rebuild trust in the firm, which took a hit – especially on its services in the cloud – shortly after the Snowden revelations broke.
“As we've said before, customers will only use services that they trust. The validation that we've adopted this standard is further evidence of our commitment to protect the privacy of our customers online,” said Smith.