Office 365: Model Compliance in the Cloud?
In mid-December 2011, Microsoft Corporation took some notable steps towards compliance with EU and US standards for data protection and security. This addressed the mounting tension around cloud services caused by a number of high-profile data breaches and security scares that had plagued cloud environments over the preceding year or so. This article takes a closer look at how the company has attempted to assuage the fears of customers and regulators with Office 365, its latest cloud-based platform offering.
Introducing Office 365
Office 365 is touted as a product that integrates Microsoft Office, Microsoft SharePoint Online, Microsoft Exchange Online and Microsoft Lync Online in a convenient cloud service.
According to Microsoft’s press release on December 14, 2011, Office 365 would be
“… the first and only major cloud-based platform to offer leading information privacy and security standards for customers operating in the European Union and United States… Microsoft will now sign the EU’s model clauses, which will help customers certify compliance with the European Commission’s stringent Data Protection Directive, and the U.S.-mandated Health Insurance Portability and Accountability Act (HIPAA).”
According to the Office 365 security and compliance website, the company has:
“… implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction or alteration; unauthorized disclosure or access; or unlawful destruction.”
Office 365 accordingly holds the following certifications and accreditations:
- SAS 70/SSAE 16 – Statement on Auditing Standards No. 70/Statement on Standards for Attestation Engagements No. 16, an independent auditor's attestation report on the service's controls (a report, not a certification).
- ISO 27001 – certification of the Information Security Management System (ISMS); the control set it requires (Annex A) is drawn from the ISO 27002 code of practice.
- EU Safe Harbor – self-certification under the US-EU Safe Harbor framework, which allows personal data to be transferred from the EU to the United States provided the recipient commits to the framework's data protection principles.
- HIPAA – Health Insurance Portability and Accountability Act
Complying with Standards
In February 2010, the European Commission adopted an updated set of standard contractual clauses (also referred to as "model clauses" or "model contracts") covering transfers of personal data from EU data controllers to processors located outside the European Economic Area (EEA). By signing them, the processor contractually commits to specified data protection safeguards, which gives the transfer a lawful basis and assures customers that appropriate steps have been taken to protect personal data, even data stored in a cloud located outside the EEA.
Microsoft has made the model clauses available to its customers and has also created a data-processing agreement for its EU-based customers. That more rigorous agreement addresses the national requirements of the 27 EU member states, several of which go beyond the baseline set by the EU Data Protection Directive.
Office 365 has also been certified under ISO/IEC 27001, an important information security management benchmark. Maintaining the certification requires Microsoft to have an independent, accredited auditor assess its information security management system annually, and Microsoft shares the results with customers.
Microsoft also states that its online services meet HIPAA requirements through physical, administrative and technical safeguards. A practitioner should note that HIPAA binds covered entities and their business associates rather than products: a provider's "compliance" means it commits to those safeguards through a business associate agreement with the customer. This means that the service can be extended to US-based hospitals, insurers and clinics.
USA Patriot Act
Critics quickly noted that, while Microsoft boasted about its compliance efforts, the USA Patriot Act was not mentioned on the Office 365 site or in its press material. This omission is surprising, as many suspected that the compliance announcements were a response to widely publicized fears amongst EU customers that US law gives federal authorities excessive access to their data when it is hosted in US-based clouds.
The issue has attracted a great deal of attention and has led a number of multinationals to avoid US-based public clouds, out of concern that the USA Patriot Act gives the US government the power to demand private data held by the cloud provider, and that accompanying gag orders can bar the provider from telling its clients that their data has been disclosed.
When asked about USA Patriot Act concerns, a Microsoft spokesperson responded:
“It’s not uncommon for new technologies to create legal questions, and the current dialogue about data sovereignty and the cloud is only the latest example. This is an important topic which affects all cloud providers, including non-U.S. companies with a presence in the U.S., as well as those companies headquartered in the U.S…. We are seeing strong momentum from customers for our cloud services and most take a thoughtful approach considering issues of data sovereignty alongside other evaluation criteria when making a decision to move to the cloud.”
Office 365 Trust Center
Alongside these announcements, Microsoft also re-launched the Office 365 Trust Center, which provides information on Office 365 privacy and security practices. The Trust Center is built around four "Trust Principles," briefly described below:
- Customer Privacy
  - Office 365 does not use customer data for advertising; customer data is not mined or analysed for that purpose.
  - Customer data can be kept separate from Microsoft's consumer services.
  - Data portability is ensured.
- Transparent Leadership
  - Microsoft tells customers where Office 365 data centers and support personnel are located, and explains the logic used to determine where data is stored.
  - Microsoft states clearly who is able to access customer data and under what circumstances.
  - Changes in Office 365 data center locations are communicated to customers in a timely fashion.
- Independent Verification
  - Microsoft maintains compliance with industry standards such as ISO 27001, the EU Model Clauses and a standard Data Processing Agreement.
  - Compliance is verified by third parties.
- Top-Quality Security Practices
  - Microsoft describes its security processes as including a secure development lifecycle, proactive monitoring, access restriction and data security across five layers.
  - Those five layers are data, application, host, network and physical.
Summary
This article has looked at Microsoft's Office 365, a cloud-based service that brings together existing Microsoft services including Microsoft Office, Microsoft SharePoint Online, Microsoft Exchange Online and Microsoft Lync Online. In response to privacy and security concerns, the company has touted its certification and compliance with a host of industry standards, such as SAS 70/SSAE 16, ISO 27001, EU Safe Harbor and the US Health Insurance Portability and Accountability Act (HIPAA). The article has also covered critics' concern that, as a US company, Microsoft is subject to the USA Patriot Act and therefore cannot shield customer data in its cloud from US government demands, which is a major deterrent for many foreign companies considering moving their data into US-based clouds.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Dimensions of legal issues (Domain 3)
- Data locations (Domain 3)
- SAS 70 (Domain 4)
- ISO 27001/27002 (Domain 4)
- Compliance analysis requirements (Domain 4)