Microsoft Professional Services

Discover Professional Services that provide enterprise services, consulting, and support solutions while protecting the data you entrust to us.

Protecting your data is our top priority

Get hands-on assistance and strategic advice when you need it. Microsoft Professional Services brings together a diverse team of dedicated technical architects, engineers, consultants, and support professionals who deliver proactive advisory services and rapid response to unplanned events. The team provides a managed customer experience tailored to each customer’s unique IT environment.

Security is built into Microsoft Professional Services and is designed to help give you the protection that you expect. Rigorous control and careful handling of your data is fundamental to every part of the process—at the physical, network, host, application, and data layers. Continuous monitoring, penetration testing, and the application of strict security guidelines and robust operational processes help make Microsoft Professional Services more resilient and resistant to attack.

Identity is one of the main keys to security. Microsoft uses stringent identity management and access controls to limit data and system access. The Professional Services organization’s case management system can be accessed only by individuals who are supporting customers, such as agents, support engineers, and their supervisors.

Identity-based access controls

The Professional Services organization conducts user access reviews on an ongoing basis. Our account password controls enforce password complexity rules, periodic rotation, and suspension when they detect periods of user inactivity. We restrict data and system access to individuals who have a genuine business need (least privilege). Employees and contingent staff who have access to support and consulting data or are in a role that could impact customer information have privacy and security requirements embedded in their roles and responsibilities.

Security policies set the standards and define procedures for network and data protection. The Professional Services organization maintains a framework of more than 150 controls to ensure testing and compliance with standards and adheres to the Microsoft Information Security Policy. Implementation of the principles in this security policy is driven by 19 standards specific to the Professional Services organization and covers areas such as access control, data handling, privacy, and business continuity.

Auditing and logging

The Professional Services organization takes a risk-based approach to system logging and auditing. We assess and implement a baseline set of log requirements during the system development process. Systems that present a moderate or high risk, as assessed through sensitivity, volume, and other criteria, have data access and alteration logged. Logs generated for each system must enable the detection of security incidents if they have occurred or are in progress and must also enable investigators to have sufficient information to fully understand the events, activities, and circumstances around a security incident.

Physical security

We store Professional Services data in the network of datacenters run by Microsoft Azure Global Infrastructure. Because physical security is the first line of defense, these datacenters are designed, built, and managed using a defense-in-depth strategy to protect services and data from natural disasters or unauthorized access.

Microsoft employees are required to sign agreements that commit them to confidentiality regarding support and consulting data. Internal tools contain data protection notices to remind employees and data handlers of their responsibility for any sensitive data that the tool may contain. Microsoft holds all third parties, including contractors and subcontractors, to the same security standards as full-time employees. Subcontractors who work in facilities or on equipment controlled by Microsoft must follow Microsoft data protection standards, and all other subcontractors must follow equivalent data protection standards. Microsoft subcontractor agreements are designed to ensure the safeguarding of customer information, including regular monitoring of the subcontractors’ work.

Encryption and rights management

Technological safeguards, such as encryption, enhance the security of support and consulting data. For data in transit, Professional Services uses industry-standard encrypted transport protocols between user devices and Microsoft datacenters as well as within the datacenters.

The Professional Services organization has developed requirements and designed systems to prevent personnel who have authorized access to support and consulting data from using it for purposes beyond those identified for their roles. Systems have limited export functionality and often employ field-level security (for example, a system may not display data fields that are not relevant to an individual’s role, even though the individual has authorized access to the system). These controls also help prevent support and consulting data from being read, copied, altered, or removed without authorization.

Incident response

Incident response is an important element in a data security strategy. The Professional Services organization has developed a robust process to facilitate a coordinated response to incidents consisting of identification, containment, eradication, recovery, lessons learned, and communication. Upon becoming aware of a security incident, Microsoft uses the security incident response process, including forensic investigation, to track exactly what happened, which data was accessed, and by whom.