Relentless on Security
Protecting customer data is a primary focus of Microsoft Customer Support & Services (CSS). We have developed our practices and policies as a result of over thirty-five years of experience in securing data through innovative information technology solutions.
Security Development Lifecycle
Microsoft’s Security Development Lifecycle ensures security and privacy are incorporated by design from software development through service operations. Access to customer data is restricted via role-based security to only authorized users.
Layered Security Approach
Data is secured in multiple layers – including network, system, application, and physical. This layered approach provides safeguards across many tiers for maximum
Protecting customer data is a fundamental focus of Microsoft Customer Service and Support (“CSS”). We recognize that customers expect their data to be tightly controlled and carefully handled. To help protect customer data, we offer a comprehensive security program utilizing a “defense in depth” approach. Our security program covers critical areas such as:
- Physical Security - including 24-hour monitoring of data centers.
- Logical Security - including logical isolation of data between customers.
- Encryption - including the encryption of customer data in transit and transmitted across the network, using SSL/TLS encryption, Secure-FTP and similar
- Identity and Vendor Management - including restricted access to your data, controlled by a role-based access
- Network Security - including segregation of the internal data center network from the external network.
- Security Development Lifecycle - including applications used by our Contact Center Engineers being built by following the Microsoft Security Development Lifecycle, which helps to ensure that security and privacy are incorporated by design, from software development to service operation.
We review our requirements regularly to refresh our approach to protecting your data, and to help ensure that we are investing in the appropriate technology and controls that contribute to the protection of your
Frequently asked questions
- How does Microsoft CSS manage compliance with its security commitments?
We have service offerings and customer contracts that contain a specific set of responsibilities regarding customer data protection. In addition to setting a standard for security and privacy, the CSS Data Protection Program sets standards and drives compliance with CSS’s commitments. To take one example, we will, upon request, contractually agree to protect customer data through implementation of appropriate technical and organizational safeguards. To meet this obligation, we have incorporated, for example, specific password requirements into our Security Development Lifecycle to help ensure that all our applications are developed to the relevant password
- How does Microsoft CSS limit access to customer data?
We employ both logical and physical safeguards to limit access to critical systems and customer data. Among them:
  - Stringent role-based access control to limit access to systems.
  - The principles of least-privilege access are employed to restrict data access to those with a genuine business need.
  - Physical security safeguards at data storage locations, including CCTV, dual-factor authentication for entry, and logging of entry and
  - Deactivation or suspension of access to key systems for employees that change roles, leave Microsoft, or who haven’t accessed a system for a certain period of time.
We also prohibit secondary use of customer data, such as use for advertising. For example, our sales and marketing personnel are not allowed to access CSS case management tools to assist with marketing efforts. We help to ensure that customer data is used only for the purposes for which it was collected by enforcing policy and implementing training and access controls.
- How does Microsoft CSS ensure customer data is only accessed and used by authorized resources?
We have developed requirements and systems designed to prevent personnel who have authorized access to customer data from using it for purposes beyond those identified for their roles. Systems have limited export functionality and often employ field-level security (e.g., inability to see data fields that are not relevant to an individual’s role even though the individual has authorized access to the system). These controls also help prevent customer data from being read, copied, altered, or removed without authorization. Additionally, we log critical activities and protect these logs against tampering and deletion.
- How does Microsoft CSS help protect my data from accidental destruction/loss or tampering?
We have implemented a robust business continuity management program intended to provide uninterrupted access to customer data. As part of this program, policies are in place to help ensure business continuity measures have been implemented, such as regular data backups or failover. We also maintain an active training and awareness program designed to reinforce our policies on the access, use, and safeguarding of customer data. These requirements also help ensure that customer data is protected in accordance with our contractual commitments.
- Does Microsoft CSS have a layered defense program to help keep my data safe?
We employ security across many layers. These include the network layer, the system layer, the application layer, and the facilities layer, among others. This layered approach provides safeguards across many tiers for improved data protection.
- Is my data protected from malware?
We employ comprehensive antimalware software to protect