How Microsoft ensures privacy, security in the cloud

19 December 2012 | Kellie Ann Chainier, Director of Office Regulatory and Policy Strategy, Worldwide Public Sector

Despite the excitement around cloud computing for its potential to spur growth, innovation and cost savings, we also understand that, especially for our government customers, a cloud solution is only as good as its promise of security and data privacy.

In fact, it’s often one of the first questions we’re asked by government organizations: “What will cloud services mean for the security and privacy of our information?” That is quickly followed by a second question: “How do we validate the confidentiality, integrity and availability of our service provider to ensure that we are meeting regulatory requirements?”

The good news is that, although government regulatory and compliance requirements are always evolving, we are now better able than ever to address these questions in an easy, straightforward manner. The first way is through our Microsoft Trust Centers. These public websites were launched for each of our commercial online services, so that organizations can easily find information and resolve questions regarding the privacy, regulatory compliance, security, and transparency of these services. Take, for example, our Office 365 Trust Center.

Our Trust Centers also make clear how Microsoft’s approach to data privacy differs from that of our competitors. Most notably, our services such as Office 365, Windows Azure and Dynamics CRM Online don’t use customer data to build services such as search or advertising. We respect the privacy of data and believe that the customer should maintain ownership of the data they store with us.

The second effort we’ve undertaken to help organizations evaluate our cloud services is through an in-depth analysis of the controls that manage our online services and a synchronization of that information with the Cloud Security Alliance (CSA). The CSA, whose mission is to, among other focuses, “promote the use of best practice for providing security assurance within cloud computing”, helps reduce the effort and time organizations need to spend in order to get detailed information on the security and privacy practices of online service providers.

A hallmark of the CSA is its Security, Trust and Assurance Registry (STAR) program, which is open to all cloud providers and includes the STAR Cloud Control Matrix (CCM). The CCM comprises a list of 100 questions that a provider responds to; the provider then registers with the CSA, which hosts the responses. This matrix helps an organization immediately see how a cloud service stacks up in terms of security and privacy practices, and often takes care of mapping work related to frameworks such as COBIT, HIPAA/HITECH, ISO/IEC 27001, NIST 800-53, and PCI DSS.

At Microsoft, we aim to make our cloud security and privacy practices as transparent as possible for our government customers. We also pride ourselves on the well-established trustworthy computing principles that are embodied within our software and services, which government organizations have relied upon for decades. Be sure to visit our dedicated website for more on our cloud solutions for government.

Have a comment or opinion on this post? Let me know @Microsoft_Gov. Have a question for the author? Please e-mail us at

Kellie Ann Chainier
Director of Office Regulatory and Policy Strategy, Worldwide Public Sector

About the Author

Kellie Ann Chainier | Director of Office Regulatory and Policy Strategy, Worldwide Public Sector

Kellie Ann leads global cloud strategy for worldwide public sector. She specializes in risk management (privacy, security, compliance, and business continuity) and supports policy makers worldwide with developing frameworks for cloud consumption.