Microsoft Assures Customers of Data Protection in the Cloud with ISO/IEC 27018 Certification
Microsoft has become the first major cloud provider to adopt ISO/IEC 27018, the world’s first international standard for cloud privacy, in its continuing effort to assure customers and the public of the privacy and security of their data in Microsoft’s cloud.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly adopted the standard in July 2014 to establish a uniform, international approach to the protection and privacy of personal data stored in the cloud.
In February 2015, Microsoft adopted this standard, which demonstrates the depth of the devices and technology giant’s commitment to the protection and security of customers’ data in the cloud and its continuing leadership in the cloud space.
“Microsoft cloud will empower customers of all sizes to do more, be more, achieve more in their digital work and life and still be fully in control of their data and how they are used at all times,” said Ijeoma Abazie, Director of Corporate Affairs, Microsoft Nigeria, while speaking at a media parley.
She said Microsoft’s ISO 27018 certification and adherence to the standard are important, given all the benefits to customers in guaranteeing the privacy and security of their data, which gives them peace of mind and enables customers to focus on their businesses. Given recent government surveillance practices and following the Snowden leaks concerning the U.S. National Security Agency (NSA), there have been growing concerns regarding the security of data stored online and in the cloud.
“For over 10 years Microsoft has remained committed to providing strong privacy and security protections for its customers’ data. Undertaking the audit culminating in receipt of the ISO 27018 certification affirms its unrelenting and longstanding commitment to the privacy and security of customers’ data in the cloud,” she said.
ISO 27018 builds on ISO/IEC 27001 (ISO 27001). ISO 27001 is a widely recognized, comprehensive international security standard for implementing and maintaining an information management system. ISO 27018 extends ISO 27001: it is customized for the cloud and adds a range of cloud-specific requirements and controls for processing personally identifiable information (PII) in cloud services.
Microsoft’s adherence to ISO 27018 assures its enterprise customers that the privacy of their data will be protected and that they remain fully in control of how their data is used in the cloud, because Microsoft processes their personally identifiable information only as they instruct it to.
Also, in line with Microsoft’s transparent policies on the processing of customers’ data, Microsoft will inform its customers about the location of their data and make clear commitments about how it handles that data. This is particularly important for customers, including government customers, whose privacy compliance obligations require that customer data not be stored in specified locations; knowing where their data is held enables them to comply with this requirement.
By this standard, Microsoft customers are assured of defined restrictions on how Microsoft handles personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts.
Also, anyone, including Microsoft’s employees, who processes personally identifiable information is subject to a confidentiality obligation under this standard. As part of ISO 27018, cloud providers must not use the data they receive for their own advertising and marketing purposes unless expressly instructed to do so by the customer.
Abazie said Microsoft fully identifies with enterprise customers who increasingly express concerns about other cloud service providers using their data for advertising purposes without consent. She assured them and the public that Microsoft does not capture, maintain, scan, index, or mine enterprise customer data, or use its customers’ data for advertising, marketing or other hidden purposes, but accesses customer data only to provide services and support.
“Microsoft does not require its customers to consent to marketing, advertising, or profiling and they can use the service without submitting to such use of their personal data.”
In terms of transparency regarding use, return, transfer and deletion of customers’ data, ISO/IEC 27018 provides clear standards for cloud service providers for the return, transfer and/or secure disposal of personal information of customers leaving their service.
Microsoft’s privacy policies in this regard are transparent: following the expiry of a customer’s contract, Microsoft retains customer data for 90 days so that the customer can continue to extract the data. After the 90-day retention period ends, Microsoft will disable the customer’s account and delete its data, in keeping with its position that customer data remains the customer’s property and is used only to provide the services the customer requires.
The director of Corporate Affairs maintains that Microsoft’s ISO 27018 certification additionally empowers Microsoft enterprise customers to meet their own privacy compliance obligations.
“Microsoft’s privacy controls are regularly independently audited by third-party experts and it provides audit reports to help customers meet regulatory requirements which they can rely upon to demonstrate presumption of compliance with local data protection requirements.”
“The ISO 27018 cloud privacy standard affirms that our customers and the public can trust Microsoft on all the highlighted security benefits that Microsoft informs our customers and the public are inherent in its cloud services.
An international security standard such as the ISO 27018 is important as it proves that Microsoft’s cloud is the trusted cloud. The ISO 27018 standard conveys trust, has wide acceptance and global reach as a result of the independent, robust review and adoption process. ISO 27018 was jointly adopted by the ISO and IEC after input from representatives from 14 countries and 5 international organizations.”
Microsoft has more than 30 years of experience working with enterprises to build on-premises workplace environments that comply with standards and regulations and has transferred that knowledge to cloud services and the “modern compliance environment.”
Microsoft products and services hold other key security certifications, attestations, and authorizations as applicable to each service, including ISO 27001, SOC 1 and SOC 2 (SSAE 16/ISAE 3402) attestations, the Cloud Security Alliance Cloud Controls Matrix, FISMA, EU Model Clauses, HIPAA BAA, and FedRAMP JAB P-ATO. Microsoft also ensures that all billing transactions meet the Payment Card Industry Data Security Standard (PCI DSS), the standard used on all ATMs.
Microsoft does not provide any government with direct, unfettered access to customers’ data and encryption keys or assist their efforts to break its encryption and has committed to enhancing its encryption efforts to further protect customer data.
As part of its commitment to transparency, Microsoft publishes details about legal demands for customer data, including the number of requests it receives from law enforcement agencies around the world and how it responds to those requests.
The company is regularly audited by independent external auditors, such as Deloitte and the British Standards Institution (BSI). In addition, Microsoft’s cloud services have been independently verified by reputable global standards and certification bodies.
The British Standards Institution (BSI) has independently verified that, in addition to Microsoft Azure, both Microsoft’s Office 365 and Dynamics CRM Online conform to the ISO 27018 code of practice for the protection of personally identifiable information (PII) in the public cloud.
Bureau Veritas, a global leader in standards testing, inspection and certification services also verified that Microsoft Intune conforms to ISO 27018’s code of practice for protecting Personally Identifiable Information in the public cloud.
The European Data Protection Authorities in 2014 verified that Microsoft’s enterprise cloud contracts conform to “model clauses” under EU privacy law on the international transfer of data.
Olayinka Oni, Chief Technology Officer, Microsoft Nigeria, affirmed that Microsoft believes students are a vulnerable group and that their data should only be used to provide them with, and enable them to access, educational and learning materials. Hence, in 2014 Microsoft became one of the first major companies to sign the Student Privacy Pledge, developed by the Future of Privacy Forum and the global Software & Information Industry Association to establish standardized principles for protecting the privacy of student information.
“This is our privacy creed. We signed on to the Student Privacy Pledge and other providers followed suit. Locally, we have sponsored inputs into the Cybercrime Bill, we are driving conversation with different regulators to ensure that services are secure from end-to-end,” Oni said.