On Wednesday, Microsoft announced the opening of a new Transparency Center in Brussels where government agencies can "review the source code of Microsoft products, access information on cybersecurity threats and vulnerabilities, and benefit from the expertise and insight of Microsoft security professionals".
It said "important security documentation" for its Azure and Office365 cloud services will be made available to government agencies that visit the centre. Microsoft said the European Commission has joined its "government security program".
"Today’s opening in Brussels will give governments in Europe, the Middle East and Africa a convenient location to experience our commitment to transparency and delivering products and services that are secure by principle and by design," Matt Thomlinson, vice president of security at Microsoft said in a blog.
IT contracts specialist Iain Monaghan of Pinsent Masons, the law firm behind Out-Law.com, said cloud providers face a challenge to convince businesses to adopt cloud services because of information security concerns.
He said, though, that by being more open about how it keeps data secure, Microsoft will be hoping to win support from government and regulators and that this could help persuade other organisations to take up cloud services it offers.
"The two big concerns for businesses and governments moving to the cloud are security and data protection," Monaghan said. "The standard contractual protections against these concerns available in non-public cloud projects are, firstly, an obligation on the supplier to comply with the customer’s policies, and, if relevant, the customer’s regulator’s requirements. They also include a requirement that the supplier must obtain the customer’s consent to any departure from those policies; and a right to audit the supplier’s compliance with those provisions."
Monaghan said that none of those contractual protections are "easy to apply in a public-cloud environment". Microsoft is therefore "taking the route of seeking to persuade customers and influencers – governments and regulators – that its own security policies are as good as, or better than, any that a customer is likely to require; and that it can be trusted to comply with those policies because it is an open organisation that, where necessary, will provide a right of inspection", he said.
"I suspect Microsoft's goal is to allow regulators, or auditors appointed by regulators, to certify that their policies and procedures comply with recognised international standards or, at any rate, to get regulators to accept that where a customer obtains Microsoft's covenant to comply with Microsoft's policies and procedures it will be an acceptable substitute, in the eyes of the regulator, for a covenant that Microsoft will comply with the customer’s policies, with the same being said for audit rights," Monaghan said.