Microsoft adopts ISO cloud privacy standard

On 16 February Brad Smith, Microsoft’s chief lawyer, announced that the company had become the first to meet ISO/IEC 27018, designed by the International Organization for Standardization (ISO) to ensure the confidentiality of personal data stored in the cloud.

The standard attempts to lay down a uniform, global approach to protecting what ISO calls Personally Identifiable Information. Smith highlighted the following requirements:

  • Only the customer may define how the cloud provider processes their personal information.
  • Microsoft will disclose in which data centre the information is held; when it is moved, transferred or deleted; and which other companies are allowed to see the data.
  • The company will disclose when there has been a data security breach (although it did not mention a timescale for informing users).
  • The standard ensures that the data will not be mined for advertising.
  • Microsoft will inform enterprise customers when a government or law-enforcement agency wishes to examine their data.

ISO has yet to confirm publicly that Microsoft is the first company to conform to ISO/IEC 27018. Separately, however, the British Standards Institute said that Microsoft had met its own benchmark for cloud security.

The standardisation push appears to be part of Microsoft’s efforts to promote its Azure cloud platform and, arguably, to raise barriers to competition. Last week the company published four new topics to support testing in a hybrid cloud environment (as opposed to a cloud-only one), in an attempt to encourage developers and testers onto Azure.