Microsoft is living in the cloud-first world that CEO Satya Nadella has placed it in, and one of the highest priorities for cloud service providers (CSPs) is security. In an effort to protect the privacy of customers, the British Standards Institution creates codes and practices for CSPs. Microsoft’s cloud-based services are the first of their kind to meet the British Standards Institution’s most recent code.
That code, which the British Standards Institution titled ISO 27018, requires a cloud service provider to meet five key principles before the institution will validate it. The principles focus on customers being able to keep their data private and secure. The full list is below.
- Consent: CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
- Control: Customers have explicit control of how their information is used.
- Transparency: CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII and make clear commitments about how that data is handled.
- Communication: In case of a breach, CSPs should notify customers, and keep clear records about the incident and the response to it.
- Independent and yearly audit: A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, the CSP must subject itself to yearly third-party reviews.
Cloud-based servers are sometimes a legal no man’s land because the servers are located in multiple countries. While the British Standards Institution is not a government body, it does help provide standardization for cloud-based servers. Microsoft has also implemented the five principles in its Azure, Office 365, Dynamics CRM Online, and Microsoft Intune services.