Microsoft Adopts Cloud Privacy Standard

Microsoft has become the first major cloud provider to adopt the first international cloud privacy standard developed by the International Organization for Standardization (ISO).

ISO/IEC 27018, which provides a uniform, international approach to protecting personally identifiable information (PII) in the cloud, calls for mechanisms that allow companies and individuals to remain in control of their data when it’s housed in third-party data storage, and stipulates that the data won’t be used for advertising, for instance.

Independent auditors at the British Standards Institute (BSI) have verified that Microsoft Azure, Office 365 and Dynamics CRM Online are all in compliance with the standard. And Bureau Veritas has done the same for Microsoft Intune.

“Adherence to ISO 27018 provides a number of important security safeguards,” said Microsoft executive vice president and general counsel Brad Smith, in a blog post. “It ensures that there are defined restrictions on how we handle personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media and proper processes for data recovery and restoration efforts. In addition, the standard ensures that all of the people, including our own employees, who process personally identifiable information must be subject to a confidentiality obligation.”

The standard also requires that law enforcement requests for disclosure of personally identifiable data are disclosed to the enterprise customer.

“As we’ve said before, customers will only use services that they trust,” said Smith. “The validation that we’ve adopted this standard is further evidence of our commitment to protect the privacy of our customers online.”

This news follows other privacy milestones for the company, including confirmation from European data protection authorities that its enterprise cloud contracts are in line with ‘model clauses’ under EU privacy law, and signing the Student Privacy Pledge.
