Microsoft’s top attorney Brad Smith announced “a major milestone” for Microsoft Azure as it is “the first major cloud provider to adopt the world’s first international standard for cloud privacy.” According to Smith, what that means for you is “with the Microsoft Cloud, you’re in control.”
In July 2014, the International Organization for Standardization (ISO) developed ISO 27018, a voluntary standard “governing the processing of personal data in the cloud.” The ISO described the security technique standard as a “code of practice for the protection of Personally Identifiable Information (PII) in public clouds acting as PII processors.” When I tried to download the paper from that page, it was going to cost almost $127. Dream on.
ISO 27018 is described in numerous places online, including Inside Privacy which explained that in order for a cloud provider to be compliant, it must:
- Always process personal information in accordance with the customer’s instructions.
- Only process personal information for marketing or advertising purposes with the customer’s express consent. Such consent cannot be made a condition for receiving the service.
- Help cloud customers comply when individuals assert their access rights.
- Disclose information to law enforcement authorities only when legally bound to do so.
- Disclose the names of any sub-processors and the possible locations where personal information may be processed prior to entering into a cloud services contract.
- Help cloud customers comply with their notification obligations in the event of a data breach.
- Implement a policy for the return, transfer or disposal of personal data, for instance when the service comes to an end.
- Subject their services to independent information security reviews at scheduled intervals (or when significant processing changes occur).
- Enter into confidentiality agreements with staff who have access to personal data and provide appropriate staff training.
Microsoft said you are supposed to know “what’s happening with your data” such as if other companies need access to it, or if unauthorized parties access it. The “strong protection for your data” includes how PII is handled; there are restrictions on transmitting it over public networks and storing it on transportable media. Any Microsoft employee processing your data must sign a confidentiality obligation.
Additionally “your data won’t be used for advertising” and Microsoft will inform you about government access to your data. Regarding the latter, Smith specified, “The standard requires that law enforcement requests for disclosure of personally identifiable data must be disclosed to you as an enterprise customer, unless this disclosure is prohibited by law. We’ve already adhered to this approach (and more), and adoption of the standard reinforces this commitment.”
The Azure blog also explained that in order for a cloud service provider (CSP) to be ISO 27018 compliant, it must operate under five principles:
Consent: CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
Control: Customers have explicit control of how their information is used.
Transparency: CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII and make clear commitments about how that data is handled.
Communication: In case of a breach, CSPs should notify customers, and keep clear records about the incident and the response to it.
Independent and yearly audit: A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, the CSP must subject itself to yearly third-party reviews.
Both Lori Woehler, Microsoft Azure Engineering Security, Privacy & Compliance group manager, and Microsoft General Counsel Smith hammered home that trust is the point of ISO 27018. “Customers will only use services that they trust,” Smith wrote. “The validation that we’ve adopted this standard is further evidence of our commitment to protect the privacy of our customers online.”
Do you trust Microsoft and its cloud computing platform more now?