The Microsoft Cloud and Data Protection

Since the introduction of the GDPR / DSGVO, data protection, privacy and compliance remain topics with which many lawyers still earn money. The problem, in my opinion, is the distance from technical reality with which the whole thing was designed. Not to mention that the exceptions to the law were not delivered at the same time. But none of this helps us; we have to comply with it. I would not like to hold you up too long with my personal opinion of the GDPR, though. Let us look at what Microsoft offers us in terms of tools.

Important note on legal subjects

I am not a lawyer and this article is not legal advice. My intention is to introduce tools that might be relevant to legal issues. Whether the tools described here meet your legal requirements is a question for your lawyer.

All information mentioned is without guarantee, but was checked at the time of publication within the framework of the existing possibilities.

The paper position

Microsoft provides many documents on data protection, security, compliance and the GDPR / DSGVO. Microsoft has also implemented the “EU Model Clauses”, which are part of the “Online Services Terms (OST)”. This document has also been adapted to comply with the DSGVO.


For more information on Office 365, there is also a good overview page on the DSGVO, alternatively available in German.

Regional Compliance

Besides the Compliance Manager, there are other areas in the Microsoft Trust Center, for example the Regional Compliance Dashboard. Here you can download documents about German and other local legal requirements. This includes not only the ISO certificates of the Microsoft environment but also documents on IT-Grundschutz and white papers.

Overview of documents in the Regional Compliance Dashboard for Germany. Source: Screenshot Microsoft.com

The Microsoft Compliance Manager

At the URL https://servicetrust.microsoft.com/ComplianceManager Microsoft provides a tool for customers of the Microsoft cloud services with which you can check how well certain standards and norms are implemented. Some may now think “Isn’t all this done already?”, but there are also tasks on your side that need to be done. The Compliance Manager is there to identify and document them.

Overview of the Compliance Manager. Source: Screenshot Microsoft.com

The first time you log in, the picture for your environment is still rather sobering. Besides the GDPR for Office 365, there are assessments based on ISO 27001:2013 for Office 365 and Azure and also ISO 27018:2014 for Azure. The NIST 800-53 assessment for Office 365 displayed by default is only of interest for the US. NIST publishes specifications for US authorities, similar to the German IT-Grundschutz, only seen through “US glasses”.

As of today, assessments are available for the following products:

  • Office 365: CSA CCM301, FFIEC, FedRAMP Moderate, GDPR, HIPAA, ISO 27001:2013, ISO 27018:2014, NIST 800-171, NIST 800-53, NIST CSF
  • Azure: FedRAMP Moderate – IaaS, FedRAMP Moderate PaaS, GDPR, ISO 27001:2013, ISO 27018:2014, UK NHS
  • Intune: FFIEC, GDPR
  • Dynamics: GDPR, NIST 800-53
  • Professional Services: GDPR

Some of these are relevant for the US market, but there is also material relevant for us Europeans. It is important to note that Microsoft only provides recommendations and a framework for working through them. Responsibility for the customer’s share lies with you.

Working with the Microsoft Compliance Manager

The measures can be reviewed in the individual assessments. These also explain which controls are involved and for which part of the assessment basis each control is relevant. Here is an example from the DSGVO measures relating to Article 28 of the DSGVO.

Actions taken under Microsoft’s responsibility are documented in the Compliance Manager. Source: Screenshot Microsoft.com

You can maintain the actions for which you are responsible directly in the list in the Compliance Manager. You can also delegate tasks to your own employees here.

Assignment of customer-responsible tasks for documentation in the Compliance Manager. Source: Screenshot Microsoft.com

Not only can assignments be made here; the status of the implementation can also be documented, together with the test date and test result. You can also store other documents here, such as attachments that describe how the measure was implemented.

Extract from the customer-responsible tasks with documentation in the Compliance Manager. Source: Screenshot Microsoft.com

For internal and external audits, the result can simply be exported to Excel. This means that access to the portal is not strictly necessary and you have a defined status for your records.

Export to Excel in the Compliance Manager. Source: Screenshot Microsoft.com

Yeah, it’s not really ideal for printing, but it works.

Excel export from the Compliance Manager. Source: Screenshot

You can find more information about the Microsoft Compliance Manager in the Microsoft documentation at docs.microsoft.com.

The Office 365 GDPR Dashboard

Office 365 also has a GDPR dashboard, as one would expect. Here, however, the focus is on the data rather than on the processes around it. The Office 365 environment can be searched for relevant data, which can then be managed. Data subject requests for information can also be processed here, and protective measures for the environment can be activated, for example Data Loss Prevention (DLP) rules or data classifications.

Office 365 GDPR Dashboard. Source: Screenshot Microsoft

Further information on Office 365 Security & Compliance and the GDPR Dashboard can also be found at docs.microsoft.com.

Conclusion

Microsoft provides many tools. In this article, I have shown you the most important ones to get started. The good thing is that the whole thing is structured in such a way that it pulls you deeper and deeper into it. The drawback is that the more you want to implement, the more complicated it becomes. The challenge is to find the right balance. All tools shown are accessible from the Trust Center.

This article first appeared on Infrastrukturhelden.de in German.

This article is a translation of the Infrastrukturhelden.de article “Die Microsoft Cloud und der Datenschutz” (published 2019-05-14). Links may refer to other Infrastrukturhelden.de articles, which may also be available in English.

It may also be that I still use screenshots of German systems. However, where I can do so with little effort, I insert screenshots of English systems.


Author: Fabian Niesen

Fabian Niesen has been working as an IT consultant for years. Here he writes privately and independently of his employer. Among others, he is certified as MCSA Windows Server 2008 / 2012, MCSA Office 365, MCSA Windows 10, MCSE Messaging, MCT and Novell Certified Linux Administrator. Since 2016 he has also been MCT Regional Lead for Germany. His hobbies are social media, blogging, medieval markets, historical songs and house building.
