Our global national security customers sometimes feel they are in a quandary. They maintain sensitive data that requires the highest levels of security, yet their missions can require access to that data at any time and from any place, from the headquarters to the battlefield. Cloud services offer the scalability, reliability, and economy needed for this mission, but they find themselves asking, “Can I trust someone else with my data?”
The answer is simple: it’s your data and your choice. Microsoft’s Cloud Services provide a trusted platform with the flexibility and the control you need from on premise to public cloud for every classification of data. You make the choices about what happens to your data and the services used to manage and protect it. Do you want to implement federated identity management? Multifactor authentication? It’s your data; it’s your choice. And if you terminate a service, your data goes with you. It’s up to you as the customer.
Microsoft’s commitment to you and your data is consistent with our Microsoft Cloud Services business model. We sell you the services. Your enterprise data won’t be used for advertising or advertising related purposes. That approach remains consistent with our longstanding core values of privacy, security, compliance, and transparency, which guide why we do what we do to give you control over your data.
For example, Microsoft is the first Cloud Services Provider to incorporate the related customer commitments found in ISO/IEC 27018, the world’s first international standard for cloud privacy adoption. Our adherence to the related code of practice was independently verified by the British Standards Institute.
Our principled approach not only allows national security customers to trust that their data remains private and under their control, but also allows them to verify it themselves through programs such as Government Security Program. This makes the cloud a practical and efficient solution for all levels of classification.
The ability to accommodate different classifications of data is an important consideration in taking full advantage of cloud computing. Because of the geographical, technical, and functional flexibility offered by the cloud, there is no “one size fits all” solution. This puts an emphasis on the customers’ understanding of their data. Classification is a basic way to determine and assign relative values to data. By categorizing it according to sensitivity and organizational impact, they can determine the risks associated with each category and then manage it in ways that reflect that value, applying appropriate security controls to each category. This is a conscious approach to data management that allows organizations to take full advantage of available technology.
There is no single process for data classification, and organizations should consider risks specific to their own organizations in developing a classification process. Some governments impose uniform requirements on the handling of all types of government information regardless of its nature, but that can limit their ability to take full advantage of new technologies such as the cloud. Although customers should expect that all cloud-based resources are secure and properly managed, information on public-facing websites do not require the same level of protection as personally identifiable information, sensitive operational data, or classified military intelligence. Local requirements that all government data must reside geographically within a certain jurisdiction can remove important choices to achieve key organizational benefits in the cloud without necessarily managing the perceived security risks.
The more agencies, departments, and ministries understand their own data, their own needs, and the business models of their cloud partners, the more easily they can make the best choice for themselves.