This year marks a major milestone as Microsoft becomes the first leading cloud provider to adopt the world’s pioneering International Standard for cloud privacy. It’s known as ISO/IEC 27018, and it was developed to establish a uniform, international approach to protecting privacy for personal data stored in the cloud.
Fact is, privacy in the cloud is not just a technology and engineering problem. Information security and data protection can certainly be addressed with tools and processes, but privacy is a social issue with impacts well beyond the data stored and managed by cloud services. This requires that governments, enterprises, academia and consumers reflect on the wider issues of harms and risks and, in particular, the consequences of decisions taken in their deployments of cloud services. ISO/IEC 27018 helps make that whole process clearer for all involved.
Global baseline for cloud services
Before ISO/IEC 27018, there wasn’t a robust, internationally recognized benchmark for protecting personally identifiable information (PII) stored in the cloud. There was, however, ISO/IEC 27001:2013, a well-established standard that provided a flexible system for identifying information security risks and choosing controls to address them. Building on that foundation, ISO/IEC 27018 now offers specific guidance to help Cloud Service Providers (CSPs) assess the risks and implement state-of-the-art controls for the protection of PII stored in the cloud.
Compliance with ISO/IEC 27018 guarantees a systematic approach to data protection and means a CSP can demonstrate that it is a “ good citizen ” in the cloud ecosystem. In an environment hampered by many national cloud privacy and security requirements, this certification can be viewed as a global baseline requirement for cloud services.
Microsoft, and other CSPs, must operate under six key principles of ISO/IEC 27018 :
- Consent: CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, a customer must be able to use the service without submitting to such use of its private information
- Control: Customers have explicit control of how their personal data is used
- Transparency: CSPs must inform customers where their personal data resides and make clear commitments as to how that data is handled
- Accountability: ISO/IEC 27018 asserts that any breach of information security should trigger a review by the service provider to determine if there was any loss, disclosure, or alteration of personal data
- Communication: In case of a breach, CSPs should notify customers, and keep clear records of the incident and the response to it
- Independent and yearly audit : A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, a CSP must subject itself to yearly third-party reviews
All of these commitments are even more important in the current legal environment, in which enterprise customers increasingly have their own privacy compliance obligations. We’re optimistic that ISO/IEC 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors.
The adoption of ISO/IEC 27018 is part of a broader commitment from Microsoft to provide enterprise cloud services that can be trusted. Why does this matter ?
The reasons are multiple. Adherence to ISO/IEC 27018 assures enterprise customers that their privacy will be protected in several distinct ways. With us, they :
- Will always know where their data is stored and who is processing that data
- Will not need to worry about their data being used for marketing and advertising purposes without their consent. The choice is always theirs
- Can be confident that we will be transparent about our ability to return, transfer, or securely dispose of any personal data at their request
- Can rely on us to help handle access, correction or deletion requests. Certain data protection laws (e.g. EU data protection law) impose specific requirements on CSPs, such as allowing individuals to access their personal information, correct it, and even delete it. We help customers meet these obligations
- Can rely on our ability to deliver notifications in the event of a security incident resulting in unauthorized disclosure of personal data, to help them comply with their notification obligations
- Can be confident that we will only comply with legally binding requests for the disclosure of customers’ personal data
- Can rely on independent third-party verification of the above principles. To claim compliance with ISO/IEC 27018, we must undergo a rigorous ISO/IEC 27001 certification process by an accredited independent certification body
These are among the many reasons consumers can move to the Microsoft cloud with confidence.
Backed by consumer demand
ISO/IEC 27018 can serve as a template for regulators and customers alike.
Trust is increasingly important to customers leveraging the cloud, particularly when they are considering letting a third-party handle and manage their most sensitive data. In such a scenario, even contractual commitments may not be sufficient.
Customers increasingly want verification that the promised practices are implemented. Microsoft understands these concerns and the importance of being transparent, which is why we were the first major CSP to adopt the stringent privacy principles outlined in
ISO/IEC 27018 and submit our cloud services to an independent audit of those controls.
Compliance with ISO/IEC 27018 is a testament to our trustworthiness and provides a clear signal that Microsoft will handle personal data securely and only use it for purposes approved explicitly by its owner. We’ve made it our pledge to protect the privacy of our customers online. With the Microsoft cloud, you’re in control.
- If the cloud computing trend sounds a bit nebulous, you're not alone. Many enterprises that opt for these services end up with complicated multicloud deployments...
- Information technologySecurity techniquesCode of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors