In the cloud-first, mobile-first era, companies in every industry around the globe are using cloud computing to power their transformation into digital businesses. Organisations are turning to the cloud due to the business benefits that the technology unlocks and enables, including cost savings, greater business agility, reduced IT complexity and gaining a competitive edge on rivals.

Even within South Africa, organisations of all sizes are utilising cloud-based services to get more work done from anywhere, anytime, using almost any device. The latest report from market research company Ipsos Mori, entitled SMB IT Research 2015, states that employees from 57% of South African small to medium businesses who do not need to work from the office, access their work remotely through a mobile device or PC by using a cloud service. Almost half (49%) of staff at SMBs also access their work by way of a remote desktop connection.

One of the main stumbling blocks towards greater and faster cloud adoption in the country is the concern over how secure cloud-based services are. This is not a surprise, given that adopting cloud services often goes hand in hand with a company storing its highly sensitive business data remotely, where this information is physically under the control of a third party. As a result, customer trust becomes a core aspect of the relationship between cloud service providers and their clients.

A productive business relationship is built on the foundation of trust
Trust is at the forefront of Microsoft’s platforms and services, be it through privacy by design or the security development life-cycle that is core to the company’s products and services. The company has also recently established a Digital Crimes Unit, which combines big data analysis, cutting-edge forensics, partnerships and the law to keep customers and people safe online from cybercrime.

Microsoft’s commitments to trust are evidenced not only by its internal processes and systems, but also by its numerous certifications relating to privacy and security, including its Safe Harbor Certification, HIPAA Certification, EU Model Clauses and ISO 27001 Certification. Through its Trust Center websites, Microsoft also makes the latest information available on a range of topics that include security, privacy and transparency.

Cloud security’s golden new standard - ISO/IEC 27018
The International Organisation for Standards has published ISO/IEC 27018, which is aimed at providing a global benchmark for the handling of personally identifiable information by cloud service providers (CSPs). In particular, this standard deals with cases where the cloud service provider processes your data but does not control it.

ISO/IEC 27018 provides specific guidance to CSPs for the assessment of risks and the implementation of state-of-the-art controls for the protection of personally identifiable information (PII) stored and processed in the cloud.
Six key principles define what the ISO/IEC 27018 standard means to users of cloud services that comply with it, the first of these being consent. CSPs may not process personal data for purposes independent of the instructions they receive from the customer. In addition, CSPs are not allowed to use personal data for advertising and marketing unless expressly instructed to do so.

The second aspect is control, with customers having explicit control of how their information is used. Next up is transparency, since CSPs must inform customers where their data resides and make clear commitments about how that data is handled. This is followed by accountability, with any breach of information security having to be immediately followed by a review by the CSP to determine if there was any loss, disclosure, or alteration of the customer’s PII.

The fifth principle of ISO/IEC 27018 is communication: in the case of a breach, CSPs must notify customers and keep clear records about the incident and their responses to it. Finally, CSPs must subject themselves to yearly third-party reviews in order to remain ISO/IEC 27018 compliant.

Leading where other CSPs fear to tread
Microsoft, as the first major CSP to achieve compliance and establish controls that meet the ISO/IEC 27018 standard, is a company that customers can trust with their valuable data. Customers in South Africa who utilise a Microsoft cloud service now have a tangible and definitive manner through which to structure and deliver on their compliance obligations under the Protection of Personal Information Act (POPI).

Users can rest secure in the knowledge that using a cloud service that complies with the ISO/IEC 27018 standard represents the strongest commitment by a CSP to support a customer’s compliance with POPI and, at the same time, builds trust in the use of such services when it comes to the privacy of users and their data.

Contributed by: 
Theo Watson, Microsoft Corporate Attorney
