Understanding Data Privacy in the Microsoft Cloud

By John Bath

In recent years, the public cloud has offered businesses new ways to host and scale businesses more efficiently. There are, however, a number of common concerns that come up when addressing the public cloud, namely privacy. It’s an issue that makes sense, given that migrating to the cloud does involve relinquishing some level of control over one’s data. So naturally, some questions do arise: does the cloud provider have access to the data? How is it secured? Do I still own the data even though it’s hosted off-site?

In this post, we’d like to address these concerns as they relate to the Microsoft cloud, our platform of choice when it comes to building out our solutions.

Who Owns the Data?

When hosting in Azure, you are the sole owner of the data stored there. Similar to a physical storage unit, you rent out space in a larger facility that is yours alone to place and manage your property. Besides the actual content of data, metadata is not accessed by Microsoft. This policy follows the guidelines set forth in ISO/IEC 27018, a global standard for data privacy among cloud providers. The code states that data of all kinds cannot be used for, among other things, the purpose of directing advertising and marketing.

Does Microsoft Have Access?

By default, no employee of Microsoft has standing access to customer data. In providing support to customers, most changes required to resolve any given issue can be made in the backend of the platform without in interacting with sensitive data. And because data within Azure is logically separated through datacenters, other Azure customers have no way of accessing data that is not their own.

There may, however, be circumstances that require an engineer to access customer content when working on certain issues, such as emails. In this case there is a rigid set of guidelines Microsoft support must follow when troubleshooting. A formal request must be approved by a senior supervisor after being checked against several prerequisites. Once approved, the engineer has a limited window into the frontend environment, which is then logged for auditing purposes.

lockbox2

Visualizing the support access process

Furthermore, in the newly released Office 365 E5 plan, this approval is extended to the customer as part of the Customer Lockbox feature. With this add-on, Office 365 administrators are sent the final approval request after Microsoft has completed its standard vetting. Thus, it is the customer that gets final say over data access.

But what to data if you want to leave the service? Standard policy is to only retain data for a period of 90 days, allowing the customer to retrieve it for hosting elsewhere. After this window has closed, the data and all copies are erased from Azure storage.

What About the Government?

In the case of a data request from law enforcement or a government entity, Microsoft policy is to redirect the request to the customer who owns the data. As the data belongs to the customer, Microsoft makes effort to be transparent when it comes to their property and those who request access to it. Ultimately, it is the customer’s decision on whether or not to allow the search.

Additionally, Microsoft has historically sought challenges to search warrants that it believed to be an overstepping legal bounds. For example, on July 14th 2016, the company successfully challenged a U.S. search warrant for emails located in an Irish datacenter. Every case such as this serves to solidify a precedent regarding data ownership and protection in public datacenters.

How is it Protected?

To protect data, Microsoft employs a two types of control methodologies for its data centers: physical and digital.

Microsoft’s datacenters are protected by 24/7 security personnel, as well as a series of technological barriers to block off access, such as varying levels of security clearance and biometric scanning. In fact, the location of each individual datacenter is left purposefully vague as a deterrent for any would be saboteurs.

Microsoft also uses a wide array of leading cybersecurity practices to keep unauthorized individuals out. One such measure is encryption both at rest and transit, meaning that if data isn’t actively used or is sent between the datacenter and user site, it is scrambled to prevent any meaningful interpretation. The keys to the encryption, it should be noted, are held by the customer.

Meanwhile, administrators may also implement data control policies that manage how individual users or groups may access data to prevent accidental or purposeful leakage of data from the cloud.

The newly released Azure Security Center also offers a number of tools offering administrators a detailed view into their environments. This includes a complete log of how data is accessed down to the file level, allowing administrators to identify misuse cases. With monitoring and reporting services built in as well, dangerous behaviors can be isolated much quicker.

Will I keep my compliance?

Even with all of the security measures in place, there is still a question of whether or not the controls are enough to maintain compliance with various industry regulations. Individual industries have their own set of guidelines for how data must be handled, and in most cases, the Microsoft cloud remains compliant.

To ensure each statute is Microsoft contracts independent third-parties to verify its services for compliance in each vertical. Among many other regulations on data control and privacy, Azure and Office 365 have been verified for compliance against both HIPAA and SSAE16 SOC1 Type II for healthcare and investment respectively. More on compliance can be viewed here.

Overall

Today, the public cloud has made great strides as a viable option for business to use for hosting their workloads. And with questions of data privacy on the minds of prospective buyers, Microsoft in particular has made security a primary focus through the development of its platform. Through a combination of using sophisticated security tools and policies for how data can be handled,

For more on Microsoft’s Data Privacy policies take a look at their Trust Center site, which provides a great deal of information on the company works to protect data and the rights of customers. And if you have any additional questions please feel free to reach out to us! We would be happy to hear from you.


Office 365 Migration Preparedness Checklist

Interested in more articles like this?

Sign up for our blog and get all our latest posts sent directly to your inbox!

  • This field is for validation purposes and should be left unchanged.

Share this:

One Comment

  1. Jerald Elmore November 21, 2019 at 4:42 am - Reply

    If some one needs expert view regarding blogging after that i recommend him/her
    to visit this webpage, Keep up the nice work.

Leave A Comment