Microsoft Gains Key Cloud Security ISO Certification
Microsoft announced that it's the first major cloud provider to achieve compliance with a stringent international standard meant to prove strict practices by cloud vendors in protecting the privacy of customer data. Compliance with ISO 27018 for Azure, Office 365 and Dynamics CRM Online gives Microsoft cloud partners a big differentiator for enterprise and compliance-focused customers.
February 19, 2015
By Ericka Chickowski
Channel partners focused on servicing large organizations, global firms and highly regulated industries should take note of news out of Redmond this week. Microsoft (MSFT) announced that it’s the first major cloud provider to achieve compliance with a stringent international standard meant to prove strict practices by cloud vendors in protecting the privacy of customer data.
The company gained certification from the International Organization for Standardization (ISO) that Azure, Office 365 and Dynamics CRM Online are all compliant with one of the newest standards in the ISO 27000 family of information security standards, ISO 27018. First published last summer, ISO 27018 is a landmark international standard for proving controls to protect personal data in the public cloud.
“ISO 27018 is a great example of a standard ‘filling the gaps’ between the data protection ‘trust’ deficit that cloud customers perceive and the highly fragmented, rapidly evolving, unpredictable world of data protection regulation,” writes Richard Kemp, founder of UK-based Kemp IT Law.
According to Brad Smith, general counsel for Microsoft, the certification gives enterprise customers assurances that Microsoft is providing strong security protection over Azure customer data and that the customer is ultimately in control of that data.
“It ensures that there are defined restrictions on how we handle personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts,” he wrote in a blog on the announcement. “In addition, the standard ensures that all of the people, including our own employees, who process personally identifiable information must be subject to a confidentiality obligation.”
Smith explained that the standard demands transparency from a cloud vendor about policies around data stored in its data centers, as well as government demands for access to the data. The latter point has long been a legal cause for Microsoft, which has fought U.S. government requests for customer access. It’s not purely an altruistic pursuit, as many of its international business clients are particularly concerned about the international legal implications of a government accessing the private details of foreign customers residing in countries with strict privacy laws.
In addition, the ISO 27018 certification verifies that a vendor will never use a client’s data for advertising. This could be especially huge on the Office 365 front as Microsoft looks to differentiate itself from Google, which has increasingly worried some business customers about the potential for hooking into their data for advertising purposes.
The certification could be a big boon for channel partners and cloud brokers interested in working within the risk-averse enterprise market. Not only does it offer better assurance over Microsoft’s cloud practices, but it also makes it easier for partners to aid customers with compliance objectives without sacrificing cloud agility.
“ISO 27018 enables the cloud service customer to demonstrate compliance with its data protection responsibilities by showing that the cloud service provider it is contracting with has been audited and certified as ISO 27018 compliant,” Kemp explains. “This mechanism, painstakingly pieced together by ISO over two years from February 2012, will boost customer and regulatory authority trust and confidence in cloud privacy.”