Busting the Myths around Cloud Security

Posted by on Apr 4, 2017 in Cloud, Law in the Cloud, Microsoft | 0 comments

Cloud services: A view of legal sector guidance

I recently enjoyed a visit to one of the UK’s largest legal event specifically designed for lawyers and ambitious law firms seeking ground breaking innovations.  As you would expect the Cloud and Digital Transformation and Business Improvement were topics under discussion in every theatre.

I did hear one speaker say “There are too many questions relating to Safe Harbour for commercial law firms to trust Office 365”.  I’ll be fair to the speaker in case I heard the line out of context, and just say that, without said context, this is #fakenews. Spend some time listening to Brad Smith, Microsoft’s President and Chief Legal Officer to know that there may be questions around trusting the cloud, but there are answered in detail in his many conference speeches readily available online.

The Law Society of England and Wales and the Solicitors Regulation Authority have separately issued guidance setting out requirements and recommendations for solicitors using cloud computing solutions. Microsoft offers its approach to such guidance in this white paper. The paper articulates their view of how, as a cloud service provider, Microsoft enables firms to meet the standards and recommendations set out in such guidance and their compliance obligations.

I’ve listed some of the top #fakenews items and myths surrounding the use of Cloud for commercial law firms. For each myth I have written a response and is followed up with chapter and verse from the Microsoft material with links to the relevant sites for further reading.

But don’t just take my word for it.  If you want to speak to some of our customers who are already benefiting from a move to the cloud, email us and I will put you in touch.

Microsoft will use your cloud data for advertising to customers.

In fact… your data will never be used for anything other than the stated purpose defined by you. You are the data controller and you maintain ownership always.  Microsoft will not use your data for anything other than the purpose you define.

Microsoft obtain third party audits and certifications so you can trust that their services are designed and operated with stringent safeguards. To address the requirement for processing only to be undertaken in accordance with a written contract, a data processing agreement and the EU Model Clauses are included by default in Microsoft’s Online Service Terms.

The EU Model Clauses are prescribed by the European Commission for use when transferring personal data from within the EU to a country outside of the EU which does not have an “adequate” data protection regime. In their Online Services Terms, Microsoft expressly commit to process your data only pursuant to your instructions and not for any other purposes.

Microsoft and the EU Model Clauses                    Microsoft Online Services Terms

The Safe Harbour Regulations mean that foreign government and particularly the US authorities can access the data even though it is hosted in the UK.  

In fact… in terms of compliance, Microsoft Cloud Services already meet the requirements of the EU GDPR and did so long before the courts ruled on Safe Harbour. Office 365 and Azure are available today and already help you meet the requirements of the EU-US privacy shield. 

Microsoft is certified under the EU-US Privacy Shield framework which imposes stronger obligations on US companies to protect Europeans’ personal data and reflects the requirements of the European Court of Justice which ruled the previous Safe Harbour framework invalid. The Commission has formally adopted the EU-US Privacy Shield for transatlantic data transfers from the EU to the US.

The new EU General Data Protection Regulation will apply form May 2018 and will cover UK data protection.

Microsoft and the GDPR                            Microsoft and the EU-US Privacy Shield

Microsoft can see all our data and read client confidential documents

In fact… your data is encrypted at rest in the data centre and in transmission from the data centre to your PC.  Only if you give permission to a support engineer as part of a service request could they view data and that would be on your PC under your supervision.

Outcome 4.1 of the SRA Code of Conduct requires firms to keep the affairs of their clients confidential.

Microsoft provide comprehensive contractual commitments on their security measures, allowing you to rest assured that your data is adequately protected at all times, employing tools and strategies such as their “assume breach” stance, strong encryption both for data in transit and data at rest and identity and access management.

Microsoft will not use any your customer data for any purpose other than providing you with the service and other compatible purposes such as support and troubleshooting. They were the first major cloud provider to adopt ISO/IEC 27018, the international code of practice for cloud privacy, and they contractually commit to compliance with ISO/IEC 27018 in their Online Services Terms.

How we manage your data                   ISO 27018                   Government requests        

Microsoft are required to follow US law and turn over your data to the authorities if asked to do so. Even if your data isn’t stored in the US.

In fact… your data is safe and will not be handed over to law authorities in any country, not even the USA. If the authorities require legal access to your data, then you must provide that access on your own satisfaction of such a request.

In terms of requests by law enforcement or other third parties, Microsoft do not offer any such parties direct or unfettered access to customer data, except as you direct. They will always attempt to redirect such third parties to obtain the requested data directly from you and will notify you of any third-party request, unless legally prohibited from doing so.

They will not disclose customer data to such third parties except as you direct or where legally required to do so by law. Microsoft has taken a firm public stand on protecting customer data from inappropriate government access and, where necessary, has advanced its position through the courts. Microsoft also provides certain information on law enforcement requests through its Transparency Hub, broken down by country and year.

Handling government requests                              Digital Constitution

We can’t provide SRA access to audit data as we no longer host that data.


In fact… as you own the data you have full rights to download at any time. If you require an audit trail of access to the data in Office 365 there is one there ready for you to provide to the SRA at any time. True the SRA can’t physically access the data centre, but they don’t require that level of access anyway.

Outcome 7.10 of the SRA Code of Conduct provides that firms must ensure they have appropriate terms in their agreements with providers to allow the SRA to have access to inspect their data.

SRA guidance makes clear that this obligation does not require a right for the SRA to physically enter the premises of a cloud services provider. Rather, the Code of Conduct provides that firms must ensure that outsourcing is subject to contractual arrangements that either enable the SRA to enter the premises of the third party, or alternatively enable the SRA to obtain information from or inspect the records of the third party that relate to the outsourced actions or functions. When you store data with Microsoft’s cloud services, you will always own your data and retain all rights, title, and interest in it. You can download a copy of your data at any time and for any reason, without any assistance from Microsoft. Subsequently, you can provide this data to the SRA or any other regulatory body as required.

In relation to records of outsourced actions or functions, Microsoft offers you audit trail functionality that you can use to inspect access logs and make audit logs available on request. For example, Office 365 users can log events, including viewing, editing and deleting content such as email messages, documents, task lists, issues lists and calendars. When auditing is enabled as part of information management policy, your administrators can view the audit data and summarize current usage. Your administrators can access these reports to determine how information is being used within your firm and manage compliance.

Who owns the data?                             

We don’t know how are data is stored or backed up and won’t know what to do in the event of disaster recovery.

In fact… the location where your data is stored for each Microsoft Cloud service is 100% transparent. It will live in either of the two UK data centres or in Dublin, within the EU.  Your data is backed up to one of the other data centres just to be sure. Of course back up is only good if you know how to get it back.  Its your data, so you can retrieve the backup at any time. 24/7

Firms should also ensure that they are aware of, and satisfied with, the arrangements for: (i) frequency of back up of data; and (ii) continuity and portability of the data in the event that the provider’s business fails or they wish to switch to another provider.
Microsoft’s contractual commitments in relation to data recovery and data portability are clearly set out in their Online Services Terms.
Data Recovery: On an ongoing basis, but in no case less frequently than once a week (unless your data has not been updated during that period), Microsoft maintain multiple copies of your data from which your data can be recovered. Microsoft store copies of your data and data recovery procedures in a different location from that of the primary computer equipment processing your data is located. They also review their data recovery procedures every six months.
Data Portability: You own your data and retain all rights, title, and interest in the data you store with Office 365. You can download a copy of your data at any time and for any reason, without needing any assistance from Microsoft . In addition, they retain your data stored in the Online Service in a limited function account for 90 days after expiry or termination of your subscription for Online Services (for example, in the event that you wish to switch to another provider) so that you may extract the data. After the 90-day retention period ends, Microsoft will disable your account and delete your data.

The SRA guidance also notes that one way to mitigate against these risks is to use established and reputable cloud providers. Microsoft has more than 20 years of experience building enterprise software and running some of the world’s largest online services. This experience has allowed them to create among the most robust security technologies and practices in the industry. Over that time, Microsoft has earned a strong reputation as a trusted data steward and Microsoft’s cloud services have the most comprehensive set of certifications and attestations of compliance with global standards.

What happens to your data if you leave the service                              Microsoft Online Services Terms

We won’t know for sure that our data is used and stored in accordance with the SRA code of conduct?

In fact… Microsoft make contractual commitments to you that they will follow strict guidance of the information security policy frameworks including ISO 27001 and 27018. Within these policy frameworks there are clear requirements to track and audit how data is accessed and used.  With the Microsoft Cloud and the right tools your data is safer in the cloud than it is sitting in your own building.

The provider should offer audited information security that at a minimum is compliant with, or equivalent to, IS0 27001.

Certification to ISO/IEC 27001 helps organisations comply with numerous regulatory and legal requirements that relate to the security of information. Microsoft’s compliance with the ISO/IEC 27001 certification provides independent validation from a third party accredited auditor that Microsoft has implemented guidelines, principles and controls for initiating, implementing, maintaining and improving the management of information security, and that these are operating effectively. The ISO/IEC 27001 audit reports and scope statements can be obtained by you directly through the Service Trust Portal so that your auditors can compare Microsoft’s cloud services results with your own legal and regulatory requirements. The Service Trust Portal also provides you with access to a deep set of security, privacy and compliance resources to help you perform your own risk assessment.
Microsoft makes contractual commitments to you in its Online Services Terms that Microsoft’s Online Services will follow an information security policy that complies with certain control standards and frameworks including ISO 27001, as well as the ISO 27002 (Information Security Controls) and ISO 27018 (Cloud Privacy) Codes of Practices. Microsoft commits to make such information security policies available to you along with other information reasonably requested by them regarding Microsoft security practices and policies.

ISO 27001 Information Security Management                            ISO 27018 Protecting Personal Data in the Cloud                             Microsoft Service Trust Portal

So if you have read this far, you must be interested in the cloud and you want to find out how it can help your business.  If you want to find out more get in touch with AspiraCloud and we can help you head to the cloud.

I’ve had enough of fake news

 Read the Microsoft White Paper

Leave a Reply

Your email address will not be published. Required fields are marked *