When you put your data in the cloud, you are asking another entity to be its custodian, making trust fundamental. For Microsoft, trust is embedded in the very DNA of our cloud. We understand that however powerful a technology may be, people will only embrace it if they trust it. This is particularly true for customers in Europe, which is why our drive to help customers unlock productivity using the cloud is underpinned by our commitment to foster and maintain trust in our cloud.
Our guiding principle is simple: we believe a customer’s data is theirs and theirs alone. They are entitled to know where their data resides at any time, who has access to it, and how it is used. Customers should also have the peace of mind of knowing that their cloud service provider values the security and integrity of their customers’ data as highly as their own.
This approach sets us apart from others in the cloud service industry, whose primary business model is aggregating and selling customer data to advertisers, selling consumer devices or focusing primarily on retail. These companies might talk about their commitments to privacy, security and compliance with EU privacy law – but they do not share our commitments.
There are three pillars to Microsoft’s trusted cloud story:
In terms of compliance, there are two key points. First, the privacy authorities from all 28 EU member states found that Microsoft’s implementation of EU Model Clauses in our enterprise cloud contracts meet the high standards for international data transfer in the cloud. This recognition by the “Article 29 Working Party” ensures that our customers can use Microsoft services with confidence and move data freely through our cloud from Europe to the rest of the world without compromising data protection.
Nowhere is compliance more critical than in highly regulated industries such as financial services. In November 2012, Microsoft came to an agreement with the Dutch National Bank, the Netherlands’ financial services regulator, which enabled our cloud customers to satisfy the regulator’s requirement that moving to the cloud should not hinder the regulator’s ability to effectively supervise its regulated entities. Since then, we’ve developed similar agreements with financial services regulators around the world and have developed a compliance program for our customers, specifically focused on giving them the transparency and oversight they need to ensure they are operating with enterprise-grade security and to help them stay in compliance with all applicable regulations. Regardless of the sector – whether it’s financial services, healthcare or retail – we are committed to going the extra mile to give our customers peace of mind.
The second pillar is control – the customer’s control over their data. Earlier this year, Microsoft became the first major cloud service provider to adopt the world’s only international standard for cloud privacy. Introduced by the International Standards Organization, ISO / IEC 27018 is designed to offer a single, uniform approach for protecting data placed in the cloud. Microsoft Azure, Office 365, Dynamics CRM Online and InTune have all been third-party verified as complying with this standard.
Our world-class, environmentally sustainable, data center in Dublin serves as a regional hub for Europe allowing us to maintain data sovereignty for European businesses and governments when needed, and our investments in security and compliance assurances will continue to be a core focus across everything we do in the region and globally.
Because it assures our customers that their privacy, and the integrity of their data, will be protected. There’s no advertising in our enterprise cloud services. We are fully transparent in how a customer’s data is used. If a customer chooses to end one of our cloud services, they can get their data back. We have sound processes in place to address any threat to service continuity. And, should a government request access, we ensure customers are notified first unless prohibited by law. We have a compliance team that reviews each request, and is empowered to reject invalid demands.
We recognize ongoing concerns over government’s right to access data, concerns that have prompted global debate about the interplay between public safety and data privacy. As a result, Microsoft fought for, and won, the right to publish more information about government demands for customer data pursuant to national security laws. Microsoft is also pushing all governments to be more transparent and enact common sense reform. It has joined other technology companies in pushing to Reform Government Surveillance and has demanded the U.S. government take specific steps to help rebuild public trust.
In addition, the opening of our Transparency Center in Brussels strengthens our long-standing program to enable government customers to review our source code, and confirm there are no back doors.
We continuously update our world-class security controls, offering a level of sophisticated protection most organizations – large and small – could not achieve relying on on-premise solutions.
The third pillar is protection. For most European customers, moving to the cloud comes with concerns around security. Rightfully so. A customer’s data is increasingly one of their most valuable assets, and leveraging the power of the cloud demands a high level of trust in a third-party to protect that asset.
In turn, we are relentless in ensuring security, offering five layers of protection: data, application, host, network and physical. We proactively monitor to identify potential unknown threats by predicting malicious behaviour and monitoring for irregular events that may indicate threats. To further mitigate risk, access to production servers is restricted to a small number of identifiable operations personnel.
What’s more, we are continually expanding encryption across all services to provide the best encryption solutions for data in transit between a user and the service, data in transit between data centers, data at rest, and end-to-end communications between users. In addition, we give customers the ability to use their own encryption mechanisms to encrypt their data.
The bottom-line is that customers typically benefit from enhanced measures of security when they move from on-premise solutions to our cloud. This is particularly true for smaller companies, which might otherwise lack the resources to acquire and maintain these world-class security controls.
For both public and private sectors, the cloud offers important transformative power for our region – from small businesses looking to scale internationally or enterprises looking to empower thousands of employees with mobile work capabilities, to local governments improving services for citizens.
The full potential of the cloud, however, will only be realized when people trust it.
Earning and maintaining this trust does not happen overnight. It requires a long-term commitment from cloud service providers to offer technical excellence and contractual commitments. It also requires a continual, open dialogue with policymakers to strive for regulations that preserve privacy while also supporting the legitimate efforts of law enforcement to protect the safety of citizens.
This is the commitment Microsoft has made for the past 15 years, and it will remain our commitment into the future.
Businesses and institutions in Europe are embracing the cloud to digitally transform. While many of our customers are initially drawn to the cloud for cost savings, greater agility and reduced IT complexity are quickly becoming fundamental to their competitiveness. See how our customers across Europe are embracing the cloud to digitally transform and achieve more.