Is the Microsoft Cloud Secure Enough For Your Business?

Posted by on Oct 13, 2015 in Cloud, Microsoft

Can my Business Trust the Microsoft Cloud?

The simple and straightforward answer to this question is yes.  If it's secure enough for the US Navy, the MoD and a variety of other government departments, it's safe to say that the Microsoft Cloud will meet the security requirements of your business in most cases.  But let's take a look at your security needs in a bit more detail and look at some examples of how and where the standards are met.  In this blog post I want to help colleagues working in the Legal Services Industry to fully understand the benefits and implications of a cloud strategy for their business.

Microsoft have published a great deal of information detailing how Office 365, Azure and CRM Online comply with the Government's 14 Cloud Security Principles.  You can read all about this in an article written by Stuart Aston, the Chief Security Advisor at Microsoft UK.  The Law Society of England and Wales and the Solicitors Regulation Authority have both issued guidance notes explaining the requirements and recommendations for the industry when using cloud services like Office 365 and Azure.  In this article we will look at each section of the guidance and provide some real-life examples of how the requirements can be met.


Thank you to Microsoft for allowing us to republish content from their original articles which are linked below.

The Data Protection Act 1998


When handling personal data Solicitors must comply with the Data Protection Act 1998.

The processes in place for Office 365 and the way your data is handled by Microsoft are transparently clear and independently audited.  As a Microsoft cloud customer you can find out where your data resides, who can access it and how that data is processed.  It's your data and you retain ownership of it.  Microsoft provide easy-to-understand information detailing how that data is managed and their commitment to your privacy.  The Office 365 Trust Centre and the Azure Trust Centre provide further details on what exactly this commitment to your privacy means.


Protecting Confidential Information

Outcome 4.1 of the SRA Code of Conduct.

It is essential that your clients trust you to keep their affairs confidential.  Microsoft do not give any third-party organisation, including government, direct and unfettered access to your data, and do not provide any ‘back door’ method for gaining unauthorised access.  Microsoft will pass legal requests for customer data on to the customer and will insist that all authorities follow the correct legal process.  In fact, in response to internet speculation regarding governmental surveillance of the internet, Microsoft has already taken steps to further improve data encryption and further reinforce the legal protection of customers' data.

Safe Harbour Protected Data

Firms must be aware of the eighth principle of the DPA.  Firms must ensure a written contract is in place with the cloud provider, requiring the provider to follow the firm’s instructions.

Microsoft have a regionalised data centre strategy such that all European customer data is stored within the EU.  The Online Service Terms include this commitment by default.  In April 2014, Microsoft became the first (and to date, only) company to receive approval from the data protection regulators of all 28 European Union Member States (the Article 29 Working Party) that its implementation of the EU Model Clauses meets the higher standard of EU data protection legislation.  In effect this means that customers can be totally reassured that no matter where their data is located throughout the world, it is protected by a standard no lower than that required by the EU data protection authorities.  In addition, Microsoft abide by the relevant Safe Harbour frameworks regarding the collection, use, transfer and retention of data from the EEA and Switzerland.

Who Owns the Data?

Outcome 7.10 of the SRA Code of Conduct.

When it comes to storing data in the cloud and using Office 365, one of the most frequently asked questions is ‘Who owns the data?’.  The simple answer is you.  When you store data in Office 365, you will always own the data and retain all rights, title and interest in it.  You can download a copy of your data at any time, with full fidelity, without requiring any assistance from Microsoft.

How Can I Demonstrate Compliance?

The provider should offer audited information security that as a minimum is compliant with ISO 27001.

It's all very well making these claims, but how can you demonstrate Microsoft's compliance to the relevant regulatory bodies?  All Microsoft Cloud services (Office 365, Azure and CRM Online) and the infrastructure on which they are built employ security frameworks which are ISO 27001:2005 certified.  These frameworks are certified and independently audited by the British Standards Institute to ensure compliance.  The ISO 27001 certification is supplemented by ISO 27002, and both the service and the underlying infrastructure undergo a yearly SSAE 16 audit.


Managing the Risks

You will want to be sure, and be able to demonstrate, that your data is being stored safely and that the requirements of the SRA Code of Conduct are being met.  To assist with risk management, Microsoft make available a non-proprietary, standards-based formal decision support toolset, including a Decision Framework and Cloud Risk Assessment model templates based on ISO 31000.  This provides principles and generic guidelines on risk management which the customer can use to improve the identification of opportunities and threats.

The main area that customers will want to ensure is foolproof and auditable is the arrangement for backup and recovery.  On a regular basis Microsoft will take a copy of your data and ensure that there are multiple copies available in the event that data recovery is required.  The copies are stored in a different location (still within the EU) from the primary computers processing your data.  Data recovery processes are reviewed on a regular basis.

If you wish at any time to switch to an alternative provider, (though why would you?) you can download a full copy of your data without restriction.

How do Microsoft use my data?

Finally, the question of how else Microsoft will use your data.  The answer is simple.  They won't.  Microsoft will only use your data to provide the cloud service you have purchased.  They will not use your enterprise data for advertising-based services, and there is a commitment to access that data only to the extent necessary to provide and maintain the services to you.


So What’s Next?

If you want to know more about Microsoft’s Privacy and Security Commitments,
