Study: Privacy Commitment Key to Selection of Cloud Providers

REDMOND, Wash.

July 18, 2012
Attracted by the opportunity to improve efficiency while cutting IT costs, small to midsize businesses (SMBs) are rapidly adopting cloud computing, yet they continue to express concerns about privacy in the cloud, according to research released today by Microsoft Corp. Consequently, data protection policies and practices of cloud providers are figuring prominently in U.S. SMBs’ cloud-purchasing decisions.

Among the survey’s noteworthy findings:

  • 65 percent of U.S. SMBs surveyed say cloud computing is “important” or “essential” for their organization today, and 81 percent say it will be two years from now.

  • 59 percent said the privacy policies of cloud vendors impact their selection of cloud-service providers.

  • The cloud policies and practices that SMBs care about most include transparency about location of data, segregation of data between customers, and commitments not to mine cloud data for advertising.

“Not long ago, the IT industry wondered if privacy concerns would prevent small and midsize companies from moving to the cloud. Our research indicates that is not the case,” said Brendon Lynch, chief privacy officer, Microsoft Trustworthy Computing. “Instead, SMBs are expressing their interest in data protection by using it as a way to evaluate potential cloud providers. This desire for transparency from our customers is one reason we created resources such as the Microsoft Office 365 Trust Center to clearly explain our cloud privacy, security and compliance commitment.”

The research shows that SMBs expect potential cloud providers to prove their commitment to privacy in several different ways:

  • 51 percent insist on proof of compliance.

  • 43 percent require the completion of a self-assessment checklist.

  • 59 percent seek privacy provisions at the contract negotiation and legal review stages.

“It’s encouraging to hear SMBs asking the right questions of cloud providers,” said Jim Reavis, executive director, Cloud Security Alliance (CSA). “The CSA considers clear service-level agreements, proof of compliance and self-assessment checklists as best practices for conscientious cloud providers.”

To this end, the CSA created the Security, Trust & Assurance Registry (STAR) to help businesses assess cloud providers’ security and privacy capabilities. The STAR is a free, publicly accessible registry that documents the security controls provided by various cloud-computing offerings, thereby helping businesses assess the security of cloud providers. Since the STAR’s launch in December 2011, Microsoft has supported the registry by completing self-assessments for Microsoft Office 365, Windows Azure and Microsoft Dynamics CRM.

Seven hundred and sixty-nine privacy professionals in the U.S. with an average of 11 years working in IT, compliance, data security, risk management and privacy fields took part in the study, which was commissioned by Microsoft and conducted by The Ponemon Institute in April and May. Respondents were not screened according to which products or services they used, or aware of Microsoft’s involvement in the study.

The research was conducted in Denmark, Finland, Germany, Norway, Sweden and the United States. More information is available in the Microsoft Security, Privacy and Online Safety Newsroom and at http://www.microsoft.com/privacy.

Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.

Note to editors: For more information, news and perspectives from Microsoft, please visit the Microsoft News Center at http://www.microsoft.com/news. Web links, telephone numbers and titles were correct at time of publication, but may have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/news/contactpr.mspx.