
Microsoft First Cloud Provider to Adopt Cloud Privacy Standard

Microsoft’s General Counsel and Executive Vice President of Legal and Corporate Affairs, Brad Smith, took to the Internet today to announce that Microsoft is the first of the big cloud service providers to adopt the first international standard for cloud privacy.

In a time when there are many questions about storing data in the cloud, attacks on public services, and privacy against government snooping, Microsoft has been on the front line fighting for their customers’ rights. Microsoft isn’t doing this out of the goodness of their hearts; the future of Microsoft is cloud services, from your grandmother using Outlook.com all the way to enterprise usage of Azure. When there are threats to cloud computing, there are threats to the economic viability of Microsoft.

Microsoft's General Counsel and Executive Vice President of Legal and Corporate Affairs, Brad Smith (Image Credit: Microsoft)

The ISO/IEC 27018 cloud privacy standard is described on www.iso27001security.com as a standard that:

“…provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing PII (Personally Identifiable Information) entrusted to them.”

In other words, any hosting company that complies with ISO/IEC 27018 will be implementing processes, policies, and restrictions to secure the privacy of their customers. Microsoft says that this means:

  • User’s control of data: Microsoft will not be able to do anything with data that you haven’t previously agreed to. Now you just need a lawyer to read through those lengthy end user agreements!
  • Transparency of data: You will know who is using your data, including any authorized third parties. You have complete visibility “over the return, transfer and deletion of personal information,” according to Smith.
  • Security protection for data: Your data will be secure, either at rest or in transit. This ensures that personal information will be encrypted and only authorized employees (who have signed confidentiality agreements) can access your information. An interesting thing to note in the post is the phrase “transportable media”; many leaks by government agencies have involved this kind of data transport.
  • Data and advertising: Watch out, Google! Enterprise customers do not want advertising that is based on their data. That’s how companies such as Google make a profit. Microsoft does not do this sort of business, and this standard ensures that they will not be scanning your company’s data to advertise to your employees.
  • Government access to data: Microsoft wants to be very transparent about government access to data, but various governments, particularly the USA, prevent this, going to such lengths as issuing search warrants from secretly convened courts. Microsoft does report on the quantity of warrants served, but there’s little they can do beyond that.

I believe Microsoft is fighting the good fight and trying to be as open as possible, and it’s in their best interest to do this. There is a history of this; Microsoft received “confirmation from European data protection authorities that Microsoft’s enterprise cloud contracts are in line with ‘model clauses’ under EU privacy law regarding the international transfer of data,” according to Smith. And Microsoft is currently appealing a decision to force the turnover of data from a mailbox stored in Ireland to the US FBI.

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International, where he dealt with large and complex IT infrastructures, and MicroWarehouse Ltd., where he worked with Microsoft partners in the small/medium business space.