During a number of conversations recently, I have been intrigued to discover that many people still mix up the issues of privacy and security when discussing the public cloud. Going by dictionary definitions this should not really be the case, as the two words have clearly different meanings. One theory is that data is still strongly associated with technology in people's minds. Additionally, losing data because of an IT issue has been the most prominent concern, leading to a huge focus on backups, redundancy, co-location and so on.
Since the formation of the huge online public cloud data centres that Amazon, Microsoft and others have developed, the fact is that the security of data has long since ceased to be a problem. Many CIOs have bought into the fact that their enterprise data is actually more secure in the cloud than in their own in-house data rooms, due to the massive investment in redundancy that the big cloud providers have delivered.
Having successfully dealt with the security of data, another much more problematic challenge has arisen: that of the "Sovereignty and Privacy" of enterprise data. Risk and Compliance departments are struggling with the concept of allowing enterprise, public sector and customer data to be hosted in a public cloud, fuelled by horrendous exposure of activity by sovereign states, such as the US, accessing data without seeking permission. Over the last few years this has had a very negative impact on the perception that our data is safe; not from loss through infrastructure failure, but from prying eyes.
Long before the Public Cloud initiative, Microsoft has been investing in Trustworthy Computing, actively infusing trust into each of its products.
Brendon Lynch, Microsoft's chief privacy officer, says: "We come at privacy from the standpoint that trust is the foundation of the customer relationship. We also believe it is in our strategic interest to ensure that our customers' information is protected. We don't just approach privacy from a legal compliance perspective. For us, it's about building, earning and retaining the trust of our customers."
So, how does that trust aspiration begin to be delivered against the fallout from Edward Snowden's revelations of NSA activity, in which it is alleged that this US government agency is accessing raw data streams, and taking other measures to intercept private information, without seeking judicial approval or otherwise going through normal channels?
Well, firstly, for me, bring on Brad Smith, Microsoft's Senior VP and General Counsel, who has been very publicly taking on the US government agencies of late. His method has been to challenge the US courts every time Microsoft receives a demand from a government agency to supply private data held by Microsoft on behalf of a company. These demands have come attached with a further requirement that Microsoft not be allowed to contact the enterprise concerned, something which Smith has successfully challenged a number of times by arguing that Microsoft's constitutional rights are being ignored. I believe this activity is crucial and fundamental to reinforcing trust: public cloud providers must prove that the trust placed in them is not just paper-thin or PR words.
Secondly, certainly for EU residents, Microsoft has successfully gained approval under the Article 29 Working Party of the EU Data Protection Directive. Essentially, a working party formed from all 28 member states of the EU investigated Microsoft's contractual obligations towards customers for data privacy and transmission outside the EU, and found them to meet EU requirements.
According to Bloomberg, "Under the EU Data Protection Directive (95/46/EC), personal data may be lawfully transmitted out of the European Economic Area only under limited circumstances, including where the European Commission finds a non-EU country's law adequate to protect privacy. The U.S. hasn't been found by the commission to have adequate privacy protections; therefore U.S. companies such as Seattle-based Microsoft must utilize alternatives, such as the U.S.-EU 'Safe Harbor' Program or binding corporate rules to move data out of the EEA."
Brad Smith, again, was quick to announce the EU approval under Article 29: "This is an important week for the protection of our customers' privacy. The European Union's data protection authorities have found that Microsoft's enterprise cloud contracts meet the high standards of EU privacy law. This ensures that our customers can use Microsoft services to move data freely through our cloud from Europe to the rest of the world."
However, again according to Bloomberg, "The Working Party took the opportunity of the Microsoft announcement to 'remind all cloud computing providers' that they have an obligation to ensure that their contracts comply with EU privacy law. It pointed companies to the group's cloud computing guidance released in July 2012."
This was an important step forward, and something that gives Microsoft a degree of protection against any threat to remove or amend the existing Safe Harbour agreement between the EU and the USA, which has increasingly come under pressure, due in part to the NSA revelations.
In summary, for now I see the following key points:
This is a fascinating issue, and one that is currently of huge interest to us at CompanyNet; look out for further blogs on and around this issue.