The Microsoft Cloud and Data Protection
Since the GDPR / DSVGO introduction, the topic of data protection, privacy and compliance is still a topic with which many lawyers still earn money. The problem, in my opinion, the technical reality distance with that the whole was designed. Not to be kept silent of the fact that the exceptions to the law were not delivered equally. But all this does not help us, we have to follow it. But I would not like to hold up you too much with my personal opinion to the GDPR. We look at ourselves what Microsoft offers us at tools.
Important note on legal subjects
The paper position
Microsoft provides many documents on data protection, security, compliance and GDPR/DSVGO. Microsoft has also implemented the “EU Model Clauses”, which are part of the “Online Services Terms (OST)“. This document has also been adapted to comply with the DSVGO.
For more information on Office365, there is also a good overview page on the DSVGO, alternatively in German.
Besides the Compliance Manager, there are also other areas in the Microsoft Trust Center. For example the Regional Compliance Dashboard. Here you can download the documents about the German and other local laws. This includes not only the ISO certificates of the Microsoft environment but also documents on IT-Grundschutz and white papers.
The Microsoft Compliance Manager
At the URL https://servicetrust.microsoft.com/ComplianceManager Microsoft provides a tool for customers of the Microsoft cloud services where you can check how well certain standards and norms are implemented. Now some may think “How this isn’t all done already”, but there are also tasks on your side to be done. The Compliance Manager is there to identify and document them.
The first time you register the picture is still very disillusioning for your environment. Besides the GDPR for Office365, there are evaluations based on ISO 27001:2013 for Office365 and Azure and also ISO 27018:2014 for Azure. The NIST800-53 for Office 365 displayed in the standard is only interesting for the US area. NIST are specifications for US authorities, similar to the German IT-Grundschutz, only with “US glasses” of the world.
As of today, ratings are available for the following products:
- Office 365: CSA CCM301, FFIEC, FedRAMP Moderate, GDPR, HIPAA, ISO 27001:2013, ISO 27018:2014, NIST 800-171, NIST 800-53, NIST CSF
- Azure: FedRAMP Moderate – IaaS, FedRAMP Moderate PaaS, GDPR, ISO 27001:2013, ISO 27018:2014, UK NHS
- Intune: FFIEC, GDPR
- Dynamics: GDPR, NIST 800-53
- Professional Services: GDPR
Some of it is relevant for the US market, but there is also something relevant for us Europeans. It is important that Microsoft only gives recommendations and a framework for editing. The responsibility for the customer share lies with you.
Working with the Microsoft Compliance Manager
The measures can be reviewed in the individual evaluations. This also explains which checks are involved and for which part of the assessment basis this check is relevant. Here is an example from the DSVGO measures relating to Article 28 of the DSVGO.
You can maintain the actions for which you are responsible directly in the list in the Compliance Manager. You can also delegate tasks to your own employees here.
Not only assignments can be made here, but also the status of the implementation can be documented, as well as the test date and test result. You can also store other documents here, such as attachments that describe the implementation type.
For internal and external testing, the result can simply be exported to Excel. This means that access to the portal is not absolutely necessary and you have a defined status for “filing”.
Yeah, it’s not really ideal for printing, but it works.
You can find more information about the Microsoft Compliance Manager in the Microsoft documentation at docs.microsoft.com.
The Office365 GDPR Dashboard
Also within Office 365, there is a dashboard to the GDPR, how it should be also otherwise … But here it is rather about the data and less about the processes around it. Here the Office365 environment can be searched for relevant data and these can be administered. Just like the data, here also requests for information can be worked on and protective measures for the environment can be activated. For example “Data-Lost-Prevention (DLP)” rules or data classifications.
Further information on Office365 Security & Compliance and the GDPR Dashboard can also be found at docs.microsoft.com.
Microsoft provides many tools. In this article, I’ll show you the most important ones to get started. The good thing is, the whole thing is structured in such a way that it pulls you deeper and deeper into it. But there is also the problem that the more you want to implement, the more complicated it becomes. The challenge here is to find the right balance. All tools shown are accessible from the Trust Center.
This article first appeared on Infrastrukturhelden.de in German.