Trusted Cloud Frequently Asked Questions

Find answers to common questions about cloud computing.

Where is customer cloud data located?

Microsoft uses a regionalized data center strategy with data centers located in the U.S., Europe and Asia. The company does not disclose all data center locations to help protect privacy and security.

Can governments access customer cloud data?

Microsoft only responds to government requests for customer data when legally required. Understanding general customer concerns in this area, Microsoft tries to redirect the requesting entity to the customer to afford them the opportunity to determine how to respond. Unless prohibited from doing so, Microsoft tries to notify affected customers prior to disclosing their data in response to a legal government request. In all such matters, Microsoft limits the disclosure to only the legally required information.

How does Microsoft ensure disaster preparedness to preserve continuity of online services?

Microsoft employs an ongoing management and governance process—the Business Continuity Management Plan Development Lifecycle—for its cloud-based offerings. This process ensures that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services.

What industry audit and security certifications cover the Microsoft platform? Microsoft online services environments must meet numerous government-mandated and industry-specific security requirements in addition to Microsoft’s own business-driven specifications. As Microsoft online businesses continue to grow and change and new online services are introduced into the Microsoft cloud, additional requirements are expected that could include regional and country-specific data security standards. Microsoft Global Foundation Services (GFS) works across operations, product, and service delivery teams and with internal and external auditors to ensure Microsoft is in compliance with relevant standards and regulatory obligations.

One of the successes of Microsoft’s efforts in this regard is that the Microsoft cloud infrastructure has achieved both SAS 70 Type I and Type II attestations (moving to SSAE 16 and ISAE 3402 in 2012) and ISO/IEC 27001:2005 certification.

How is the Microsoft compliance framework actually structured?

Microsoft has a series of domains, based on the ISO 27001 standard and informed by other obligations as well, such as the Payment Card Industry Data Security Standard and the FISMA NIST 80053 standard. Microsoft has essentially taken those domains and built them into our compliance framework.

If I run my service in your cloud, can I meet my compliance needs? Microsoft cannot answer that question for our customers, because it's ultimately their responsibility to ensure their own compliance with all their local statutory and regulatory obligations. Microsoft can help them by being transparent about how we run the cloud and the security and privacy measures that we have in place, and they can use that to ensure that they are meeting their own compliance obligations.

How should an enterprise evaluate cloud providers when it comes to security, privacy, and reliability?

Microsoft aligns its efforts with independent industry organizations such as the Cloud Security Alliance (CSA), which is developing an emerging set of best practices and standards that can be used to compare cloud service offerings. The CSA recommends that cloud service providers should have ISO 27001, 2005 certifications.