I think the title says it all. Working in cloud environments with various cloud providers, you start to realize that your comfort level with their services comes down to how much you trust your provider and the services they offer. When issues come up, how they are handled and what measures are put in place to prevent them from happening again are the small steps that continue to build that trust. I get asked the trust question a lot by customers who are considering using cloud services.
Today Microsoft takes one more step forward by announcing we’re the first provider to adopt and adhere to ISO/IEC 27018 – an international standard for cloud privacy. It is one of many different ISO certifications and attestations that our cloud services achieve. This one is very cool because it relates specifically to privacy and “Your Data”. I suggest you have a read of Brad Smith’s blog post for more specific information and links. Some quick points from his post that I found interesting: By adhering to ISO 27018, we’re committed to protecting your privacy and data in a number of ways:
- You are in control of your data. Adherence to the standard ensures that we only process personally identifiable information according to the instructions that you provide to us as our customer.
- You know what’s happening with your data. Adherence to the standard ensures transparency about our policies regarding the return, transfer, and deletion of personal information you store in our data centers. We’ll not only let you know where your data is, but if we work with other companies who need to access your data, we’ll let you know who we’re working with. In addition, if there is unauthorized access to personally identifiable information or processing equipment or facilities resulting in the loss, disclosure or alteration of this information, we’ll let you know about this.
- We provide strong security protection for your data. Adherence to ISO 27018 provides a number of important security safeguards. It ensures that there are defined restrictions on how we handle personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts. In addition, the standard ensures that all of the people, including our own employees, who process personally identifiable information must be subject to a confidentiality obligation.
- Your data won’t be used for advertising. Enterprise customers are increasingly expressing concerns about cloud service providers using their data for advertising purposes without consent. The adoption of this standard reaffirms our longstanding commitment not to use enterprise customer data for advertising purposes.
- We inform you about government access to data. The standard requires that law enforcement requests for disclosure of personally identifiable data must be disclosed to you as an enterprise customer, unless this disclosure is prohibited by law. We’ve already adhered to this approach (and more), and adoption of the standard reinforces this commitment.
Go read Brad’s article and check out the additional links – it makes for a good read.