Does Your Cloud Service Set the Highest, Global Standard for Security?

At Microsoft, we know that interactions between people bridge country and corporate borders thousands of times each day, and that for many businesses, transactions occur in-country only. Since business data is an asset which is sensitive to employees, business operations, customers, and partners, we ensure our customers’ data is secure wherever it is in the world. Through our work with governments and organizations, we understand the importance of adhering to a range of international standards, regulations and contractual clauses. Keeping current regarding the many laws, standards and requirements effecting cross-border data security and data transfer is challenging, and international regulations for data security are often more restrictive than those followed by US-based firms doing business domestically.

With a large, potential scope of considerations for both domestic and cross-border data protection and compliance, what certifications should you be aware of as you begin to leverage cloud productivity tools? Knowing that two standards are particularly important in addressing data transfer for businesses using cloud services, Microsoft became the first, major, cloud productivity service to 

• earn the ISO 27001, international standard certification for data security
• Sign the EU Model Clauses with customers

Google carries neither distinction for its cloud services.

ISO 27001 Certification
Recognizing its significance to customers as a security benchmark which is also important for data transfers, both cross-border and domestic, Microsoft built Office 365 to adhere to the International Standards Organization’s, (ISO’s), 27000 family of standards. ISO 27001’s broad scope and wide recognition combine to make it a very rigorous certification. The family of standards covers privacy, confidentiality and technical security issues, and addresses established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.

ISO 27001/27002 outlines hundreds of potential controls and control mechanisms. In addition, ISO 27001/27002 specifies a management system to bring information security under explicit controls. In certifying Office 365 for ISO 27001, Microsoft has implemented a high level of physical, logical, process and management security controls for the cloud suite, which the internationally-recognized ISO verifies independently, each year. 

European Union (EU) Model Clauses
The EU Model Clauses help customers certify compliance with the European Commission's Data Protection Directive. Microsoft incorporates the EU Model Clauses into individual agreements that it holds with its Office 365 customers. These clauses require that data transferred internationally meet a high security bar, and that data is safeguarded, even if it resides outside of Europe.

It is important for companies doing business in Europe to have these clauses in place, as European regulators have the option to block use of a service that potentially doesn’t meet the EU's Data Protection Directive, until regulators can determine if the service is compliant. Blocking access to a cloud productivity service that an organization uses daily could be catastrophic. Partly through compliance with the EU Model Clauses, Microsoft Office 365 has a more complete approach to European data protection and security laws than any other cloud services vendor.

US Health Insurance Portability and Accountability Act
Office 365 is compliant with the US-mandated Health Insurance Portability and Accountability Act (HIPAA). Due to this compliance, health organizations using Office 365 can more confidently implement document sharing, and technologies for tools such as paging, IM and video conferencing, while employees access information from any, secure device. At the same time, these organizations can substantially lower their IT operating costs.

US SAS/SSAE Audit
The American Institute of Certified Public Accountants (AICPA) designed SAS/SSAE as a way to audit and document the design and effectiveness of security control systems. SAS/SSAE includes a review of the organization’s own processes and an auditor’s opinion of how well they are working.

It can be confusing to follow this audit report. Regarding SAS/SSAE, a US firm specializing in regulatory requirements states: “The term ‘system’ and its description can carry a number of meanings and may well be interpreted slightly differently among service organizations having to comply with SSAE 16.”  SAS/SSAE doesn’t impose a checklist of security requirements to follow like the ISO 27001 does, and SAS does not point out that the enterprise’s security control system is important to review, as ISO not only points out, but audits.

While Microsoft also supports customers by adhering to the SSAE 16 Type 1 audit of Office 365,  Google actively touts an audit report which is not as directly relevant to cloud security as ISO 27001 is, misleading customers to perceive SSAE 16 as being a certification, or a standard, rather than an audit report. SSAE 16 is a list of an organization’s self-stated controls which incorporates how well the organization follows the list. Also, since conformance can vary, parts of an organization may choose to follow a low quality, short list of controls, with a lesser impact on the organization’s overall data security.

The Office 365 Trust Center
For businesses large and small, I know that

• It is important to rely on a privacy-protecting service which incorporates international standards governing how data is secured.
• Microsoft is committed to high standards in delivering cloud productivity services, and is committed to security, privacy and transparency in handling your data.

The Office 365 Trust Center describes how Microsoft manages Office 365 data, includes background information on the standards we’ve discussed, and cites additional certifications that Microsoft holds for both Office 365 and its data centers, such as EU Safe Harbor and FISMA. It is an excellent resource for customers in assessing the service’s compliance to standards important to their organization.

If you could choose Office 365 which meets

• Several standards plus the EU Model Clauses
• an international standard with strict guidelines for security, and with certification that they are both followed and audited;

Or select Google Apps, a service that

• Simply adheres to an SAE audit of how well the service provider followed their own, internal, security controls for the US, then which would you choose?