Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

Microsoft looking for cloud security endorsement with new EU Transparency Center, says expert

Microsoft's decision to allow EU government agencies access to information security policies for its cloud computing services is aimed at alleviating concerns organisations have about adopting cloud services, an expert has said.04 Jun 2015

On Wednesday, Microsoft announced the opening of a new Transparency Center in Brussels where government agencies can "review the source code of Microsoft products, access information on cybersecurity threats and vulnerabilities, and benefit from the expertise and insight of Microsoft security professionals".

It said "important security documentation" for its Azure and Office365 cloud services will be made available to government agencies that visit the centre. Microsoft said the European Commission has joined its "government security program".

"Today’s opening in Brussels will give governments in Europe, the Middle East and Africa a convenient location to experience our commitment to transparency and delivering products and services that are secure by principle and by design," Matt Thomlinson, vice president of security at Microsoft said in a blog.

IT contracts specialist Iain Monaghan of Pinsent Masons, the law firm behind, said cloud providers face a challenge to convince businesses to adopt cloud services because of information security concerns.

He said, though, that by being more open about how it keeps data secure, Microsoft will be hoping to win support from government and regulators and that this could help persuade other organisations to take up cloud services it offers.

"The two big concerns for businesses and governments moving to the cloud are security and data protection," Monaghan said. "The standard contractual protections against these concerns available in non-public cloud projects are, firstly, an obligation on the supplier to comply with the customer’s policies, and, if relevant, the customer’s regulator’s requirements. They also include a requirement that the supplier must obtain the customer’s consent to any departure from those policies; and a right to audit the supplier’s compliance with those provisions."

Monaghan said that none of those contractual protections are "easy to apply in a public-cloud environment". Microsoft is therefore "taking the route of seeking to persuade customers and influencers – governments and regulators – that its own security policies are as good as, or better than, any that a customer is likely to require; and that it can be trusted to comply with those policies because it is an open organisation that, where necessary, will provide a right of inspection", he said.

"I suspect Microsoft's goal is to allow regulators, or auditors appointed by regulators, to certify that their policies and procedures comply with recognised international standards or, at any rate, to get regulators to accept that where a customer obtains Microsoft's covenant to comply with Microsoft's policies and procedures it will be an acceptable substitute, in the eyes of the regulator, for a covenant that Microsoft will comply with the customer’s policies, with the same being said for audit rights," Monaghan said.