| REDMOND, WA | February 20, 2015
Microsoft's big move to adopt this standard represents a 'major milestone.'
Google and Amazon: you just got outplayed – at least in the security standards arena. Just this month, tech giant Microsoft announced it was adopting the first international set of privacy standards for the cloud, making it the first major cloud computing platform to do so.
Microsoft officials announced the company's cloud computing platform Azure has adopted the International Organization for Standardization's 27018 standard, which serves as a code of practice for personally identifiable data stored in public clouds. The move was partly in response to feedback from industry stakeholders, who wanted a platform that helps "improve capability to fulfill compliance obligations."
The standard, according to the ISO, was created to ensure that public cloud service providers implement adequate security controls to better safeguard their customers' data.
Microsoft's big move to adopt this standard represents a "major milestone," said Brad Smith, the corporation's general counsel and executive vice president of legal and corporate affairs, in a blog post announcement. And although a seemingly technical standard, Smith said it's one with "important practical benefits for enterprise customers around the world."
Microsoft's Azure platform, in addition to Office 365 and Dynamics CRM Online, have all been independently verified to be aligned with the ISO 27018 standard. What this means for Microsoft customers, as Smith pointed out, is for one there are added security restrictions on how the company handles personally identifiable information. For instance, there are more restrictions around transmitting data over transportable media, or public networks.
The standard's code of practice sets forth five key principles that certified companies must adhere to:
"All of these commitments are even more important in the current legal environment, in which enterprise customers increasingly have their own privacy compliance obligations,"
- Consent: Client data won't be used for advertising or marketing unless consented by the consumer.
- Control: The customer decides how their data is used.
- Increased transparency: Cloud service providers must provide clients with greater transparency regarding where their data resides, how it's handled and third-party subcontractors involved.
- Communication: If a breach were to occur, the company will notify customers. Cloud service providers also will inform customers about government access to data.
- Independent and annual audit: Conducted by a third party, the audits will examine the cloud service provider's compliance documents and adherence to the standard.
Smith added. "We’re optimistic that ISO 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors."