Relentless on Security
Protecting customer data is a primary focus of Microsoft Customer Support & Services (CSS).
We have developed our practices and policies as a result of over thirty five years of experience in securing data through innovative information technology solutions.
Security Development Lifecycle
Microsoft’s Security Development Lifecycle ensures security and privacy is incorporated by design from software development through service operations.
Access to customer data is restricted to only authorized users.
Layered Security Approach
Data is secured in multiple layers – including network, system, application, and physical. This layered approach provides safeguards across many tiers for maximum data protection.
Protecting customer data is a fundamental focus of Microsoft CSS. We recognize that customers expect their data to be rigorously controlled and carefully handled. To help protect customer data, we offer a comprehensive security program utilizing a “defense in depth” approach. Our security program covers critical areas such as:
Physical Security - including 24-hour monitoring of data centers.
Logical Security – including logical isolation of data between customers.
Encryption - including the encryption of customer data-in-transit and transmitted across the network, using SSL/TLS encryption, Secure-FTP and similar technologies.
Identity and Vendor Management - including restricted access to your data, controlled by a rigorous access control process.
Network Security - including segregation of the internal data center network from the external network.
Security Development Lifecycle – including applications used by our Contact Center Engineers being built by following the Microsoft Security Development Lifecycle, which helps to ensure that security and privacy are incorporated by design, from software development to service operation.
We review our requirements regularly to refresh our approach to protecting your data, and to help ensure that we are investing in the appropriate technology and controls that contribute to the protection of your data.
Frequently asked questions
- How does Microsoft CSS manage compliance with its security commitments?
We have service offerings and customer contracts that contain a specific set of responsibilities regarding customer data protection. In addition to setting a standard for security and privacy, the CSS Data Protection Program sets standards and drives compliance with CSS’s commitments. To take one example, we will, upon request, contractually agree to protect customer data through implementation of appropriate technical and organizational safeguards. For example, to meet this obligation we have incorporated specific password requirements into our Security Development Lifecycle to help ensure that applications are developed using robust password complexity requirements.
- How does Microsoft CSS limit access to customer data?
We employ both logical and physical safeguards to limit access to critical systems and customer data. Among them:
The principles of least-privilege access are employed to restrict data access to those with a genuine business need.
Physical security safeguards at data center locations, including CCTV, dual-factor authentication for entry, and logging of entry and exit.
Deactivation or suspension of access to key systems for employees that change roles, leave Microsoft, or who haven’t accessed a system for a defined period of time.
We also prohibit secondary use of customer data, such as use for advertising. For example, our sales and marketing personnel are not allowed to access CSS case management tools to assist with marketing efforts. We help to ensure that customer data is used only for the purposes for which it was collected by enforcing policy and implementing training and access controls.
- How does Microsoft CSS ensure customer data is only accessed and used by authorized resources?
We have developed requirements and systems designed to prevent personnel who have authorized access to customer data from using it for purposes beyond those identified for their roles. Systems have limited export functionality and often employ field-level security (e.g., inability to see data fields that are not relevant to an individual’s role even though the individual has authorized access to the system). These controls also help prevent customer data from being read, copied, altered, or removed without authorization. Additionally, we log critical activities and protect these logs against tampering and deletion.
- How does Microsoft CSS help protect my data from accidental destruction/loss or tampering?
We have implemented a robust business continuity management program intended to provide uninterrupted access to customer data. As part of this program, policies are in place to help ensure business continuity measures have been implemented, such as regular data backups or failover. We also maintain an active training and awareness program designed to reinforce our policies on the access, use, and safeguarding of customer data. These requirements also help ensure that customer data is protected in accordance with our contractual commitments.
- Does Microsoft CSS have a layered defense program to help keep my data safe?
We employ security across many layers. These include the network layer, the system layer, the application layer, and the facilities layer, among others. This layered approach provides safeguards across many tiers for improved data protection.
- Is my data protected from malware?
We employ comprehensive antimalware protection on MSFT systems used as part of Services and Support.