By Russell Craig, National Technology Officer, Microsoft NZ
27018. These five numbers might not seem immediately familiar or relevant to you, but if you’re considering moving your business to the cloud, you’ll want to get to know them as soon as you can.
ISO/IEC 27018 is the world’s first international standard for cloud privacy. It establishes a uniform, international approach to protecting privacy for personal data stored in the cloud.
“So, what?” you might ask. Doesn’t every cloud provider have to prove they are protecting data before they could even start delivering the most basic services to customers? You might assume so, but the reality might surprise you.
Last month, Microsoft announced proudly that we had become the first cloud provider to adopt ISO/IEC 27018. That’s right. The first, and so far only cloud provider to do so.
The British Standards Institute (BSI) has now independently verified that in addition to Microsoft Azure, both Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public cloud. Similarly, Bureau Veritas has done the same for Microsoft Intune.
This is a big deal, and I’ll tell you why.
This is a cloud-first world, and Microsoft is one of world’s biggest cloud service providers. We deliver more than 200 cloud services, including Bing, MSN, Outlook.com, Office 365, OneDrive, Skype, Xbox Live and the Microsoft Azure platform.
Today, more than 1 billion customers and 20 million businesses in 90 global marketplaces use our cloud services. These services are hosted in Microsoft’s cloud infrastructure composed of more than 100 globally distributed datacenters, edge computing nodes, and service operations centres.
This infrastructure is supported by one of the world’s largest multi-terabit global networks, with an extensive dark fiber footprint, that connects them all. The company’s cloud infrastructure is managed by the Microsoft Cloud Infrastructure & Operations (MCIO) team.
Despite the vast scale and scope of our cloud operations, and our decades of experience in cloud service delivery stretching back to the time before cloud computing was even talked about, we do not take for granted the fact that we ask our customers to place great trust in us.
Around the world, we find our current and future customers asking a consistent set of questions aimed at working out whether they can trust our cloud services. In late 2014, I outlined some of these questions in a blog focused on the role trustworthy cloud services can play in the health sector.
In it, I focused on what Microsoft sees as being the four pillars of trust in cloud services – security, privacy, compliance and transparency. In each of these areas, we are constantly investing to ensure that we achieve and maintain industry leadership.
So what does all that mean for you and your business?
We believe our adherence to ISO 27018 is of great benefit to our enterprise customers for many reasons, including the following:
- You are in control of your data. Our adherence to the standard ensures that we only process personally identifiable information according to the instructions that you provide to us as our customer.
- You know what’s happening with your data. Adherence to the standard ensures transparency about our policies regarding the return, transfer, and deletion of personal information you store in our data centers. We’ll not only let you know where your data is, but if we work with other companies who need to access your data, we’ll let you know who we’re working with. In addition, if there is unauthorized access to personally identifiable information or processing equipment or facilities resulting in the loss, disclosure or alteration of this information, we’ll let you know about this.
- We provide strong security protection for your data. Adherence to ISO 27018 provides a number of important security safeguards. It ensures that there are defined restrictions on how we handle personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts. In addition, the standard ensures that all of the people, including our own employees, who process personally identifiable information must be subject to a confidentiality obligation.
- Your data won’t be used for advertising. Enterprise customers are increasingly expressing concerns about cloud service providers using their data for advertising purposes without consent. The adoption of this standard reaffirms our longstanding commitment not to use enterprise customer data for advertising purposes.
- We inform you about government access to data. The standard requires that law enforcement requests for disclosure of personally identifiable data must be disclosed to you as an enterprise customer, unless this disclosure is prohibited by law. We’ve already adhered to this approach (and more), and adoption of the standard reinforces this commitment.
All of these commitments are even more important in the current legal environment, in which enterprise customers increasingly have their own privacy compliance obligations. We understand that they depend upon the steps that we take to enable them to meet these obligations.
We’re optimistic that ISO 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors.
We also understand that our customers will only use services that they trust. The validation that we’ve adopted this standard is both a new benchmark for the cloud services industry, and further evidence of our commitment to protect the privacy of our customers.
So if you’re a business that’s looking to move to the cloud, keep IOS 27018 in mind when you go looking for a cloud provider. They might seem like just five little numbers, but they will make a big difference to the safety of your data.
Russell Craig National Technology Officer, Microsoft NZ