Debunking cloud service rumours

We all love a good tech rumour, don’t we? It’s fun to speculate about new innovations and updates to our favourite products. But sometimes tech rumours have an ugly side, creating confusion or mistrust out of thin air. Rumours about cloud tools can be especially hard to debunk. You can’t just look at a cloud service and know if a rumour is true. You have to do a little bit of digging to get at the truth.

Still, it’s important to set the record straight when it comes to the cloud. Organisations see the most benefit from cloud services when they have confidence in their choices. That’s why we’ve assembled some resources to help your sort the good from the bad when it comes to cloud services rumours.

Rumour #1:I heard that [a cloud service] isn’t really compliant with the Data Protection Act.
If you’re using a Microsoft cloud service, you can be confident it will help you comply with the requirements set out in the Data Protection Act. We’ve demonstrated that repeatedly through our support of EU Model Clauses and the EU Safe Harbor Framework. We were also the first enterprise cloud service to comply with ISO/IEC 27018, the first internally recognised standard for the protection of personal information in public cloud services. No cloud service on the market in the UK today is more compliant than Microsoft’s cloud.

Rumour #2:I heard these cloud companies can say anything they like on security. There’s no proof.
It’s natural and prudent to be cautious of cloud security claims. It is essential suppliers are transparent on how their service operates, which is why Microsoft offers a wealth of information on its services. Even more importantly, it is why Microsoft submits its cloud services to an array of third-party authorities for independent verification of our security standards. Our cloud services are vetted against the ISO-27001 and SASE-16 standards and subject to rigorous, independent penetration tests. Our cloud services were submitted to the G-cloud framework and were accredited to OFFICIAL under previous versions of the framework. This level of verification shouldn’t just be our standard. Anyone claiming to offer a secure cloud service should be able to able to back up their claims with the same battery of independent tests.

Rumour #3: I heard that a former Microsoft employee doesn’t believe that EU-Safe Harbor Framework is secure.
Former employees are entitled to their opinions and we understand that some commentators have questioned the strength of the EU-Safe Harbor framework. We believe it remains a legitimate method for transferring data out of the EU, but we recognise customers are looking for the strongest protection available, which is why we comply with EU Model clauses ratified by the EU Data Commissioner and we’re constantly improving our systems to meet new and higher benchmarks. What’s more, our new Customer Lockbox feature gives organisations an unprecedented amount of control over how their data is handled, even during customer service resolutions.

Rumour #4:I heard that all kinds of government representatives can just ask for your cloud data whenever they want.
Microsoft is proud to lead the industry on transparency when it comes to lawful government data requests. We even fight for the tech industry’s privacy rights in key court cases. No company does more to ensure that no person or organisation ever has a secret back door to your data.

Between January and June of 2014, we received 34,000 law enforcement request from around the world, the overwhelming majority of which related to our free consumer services such as outlook.com. In about three-quarters of those cases, we’ve responded to official requests for information on who owns a particular set of data, but that isn’t the same as disclosing the content of that data. It’s more like disclosing a house number than it is letting someone read your mail.

Government requests to actually access the content of enterprise customer data are exceptionally rare and when they do occur, they’re handled in an extremely transparent fashion. In the second half of 2014, Microsoft received just 3 requests from law enforcement for access to data stored by users associated with an enterprise customer. In two of those cases, the requests were rejected or law enforcement was successfully redirected to the customer. In the third case, the customer was notified of the legal demand and the customer directed Microsoft to provide responsive information to law enforcement.