Microsoft Commercial Support security

Protecting your data is our top priority

The Microsoft Commercial Support organization brings together a diverse group of dedicated technical architects, engineers, consultants, and support professionals to provide hands-on assistance and strategic advice. Team members deliver proactive advisory services, rapid response to unplanned events, and a managed customer experience tailored to each customer’s unique IT environment.

Security is built into Commercial Support services, and is designed to help give customers the protection that they expect. Rigorous control and careful handling of your data is fundamental to every part of the process—at the physical, network, host, application, and data layers. Continuous monitoring, penetration testing, and the application of strict security guidelines and robust operational processes help make Microsoft online services more resilient and resistant to attack.

Secure identity

Identity is central to security. Microsoft uses stringent identity management and access controls to limit data and system access. The Commercial Support organization’s case-management system can be accessed only by individuals who are supporting customers, such as agents, support engineers, and their supervisors.

Identity-based access controls

The Commercial Support organization conducts user-access reviews on an ongoing basis. Our account password controls enforce password complexity rules and periodic rotation, and suspend accounts that have been inactive for a defined period. We restrict data and system access to individuals who have a genuine business need (the principle of least privilege). Employees and contingent staff who have access to customer data, or are in a role that could affect customer information, have privacy and security requirements embedded in their roles and responsibilities.

Secure infrastructure

Security policies set the standards and define procedures for network and data protection. The Commercial Support organization maintains a framework of over 150 controls that are tested for compliance with those standards, and adheres to the Microsoft Information Security Policy. Implementation of the principles in this security policy is driven by 19 standards specific to the Commercial Support organization, covering areas ranging from access control to data handling, privacy, and business continuity.

Auditing and logging

The Commercial Support organization takes a risk-based approach to system logging and auditing. We assess and implement a baseline set of log requirements during the system development process. Systems that present a moderate or high risk, as assessed through data sensitivity, volume, and other criteria, have data access and alteration logged. The logs generated for each system must make it possible to detect security incidents that have occurred or are in progress, and must give investigators enough information to fully understand the events, activities, and circumstances surrounding a security incident.

Incident response

Incident response is an important element in a data security strategy. The Commercial Support organization has developed a robust process to facilitate a coordinated response to incidents, consisting of identification, containment, eradication, recovery, lessons learned, and communication. Upon becoming aware of a security incident, Microsoft uses the security incident response process, including forensic investigation, to track exactly what happened, which data was accessed, and by whom.

Physical security

Commercial Support data is stored in the network of datacenters run by Microsoft Global Foundation Services. Because physical security is the first line of defense, these datacenters are designed, built, and managed using a “defense-in-depth” strategy to protect services and data from natural disaster or unauthorized access.

Secure apps and data

Microsoft employees are required to sign agreements that commit them to confidentiality regarding customer data. Internal tools contain data protection notices to remind employees and data handlers of their responsibility for any sensitive data that the tool may contain. Microsoft holds all third parties, including contractors and subcontractors, to the same security standards as full-time employees. Subcontractors who work in facilities or on equipment controlled by Microsoft must follow Microsoft data protection standards, and all other subcontractors must follow equivalent data protection standards. Microsoft subcontractor agreements are designed to ensure the safeguarding of customer information, including regular monitoring of the subcontractors’ work.

Encryption and rights management

Technological safeguards, such as encryption, enhance the security of customer data. For data in transit, the Commercial Support organization uses industry-standard encrypted transport protocols between user devices and Microsoft datacenters, and within the datacenters.

The Commercial Support organization has developed requirements and designed systems to prevent personnel who have authorized access to customer data from using it for purposes beyond those identified for their roles. Systems have limited export functionality, and often employ field-level security (for example, a system may not display data fields that are not relevant to an individual’s role, even though the individual has authorized access to the system). These controls also help prevent customer data from being read, copied, altered, or removed without authorization.
