Microsoft Commercial Support security
Protecting your data is our top priority
The Microsoft Commercial Support organization brings together a diverse group of dedicated technical architects, engineers, consultants, and support professionals to provide hands-on assistance and strategic advice. Team members deliver proactive advisory services, rapid response to unplanned events, and a managed customer experience tailored to each customer’s unique IT environment.
Security is built into Commercial Support services and is designed to give customers the protection they expect. Rigorous control and careful handling of your data is fundamental to every part of the process, at the physical, network, host, application, and data layers. Continuous monitoring, penetration testing, strict security guidelines, and robust operational processes help make Microsoft online services more resilient and resistant to attack.
Identity is central to security. Microsoft uses stringent identity management and access controls to limit access to data and systems. The Commercial Support organization’s case-management system can be accessed only by individuals who support customers, such as agents, support engineers, and their supervisors.
Identity-based access controls
The Commercial Support organization conducts user-access reviews on an ongoing basis. Account password controls enforce complexity rules and periodic rotation, and suspend accounts after a period of user inactivity. Data and system access is restricted to individuals with a genuine business need (least privilege). Employees and contingent staff who have access to customer data, or whose role could affect customer information, have privacy and security requirements embedded in their roles and responsibilities.
Security policies set the standards and define the procedures for network and data protection. The Commercial Support organization maintains a framework of over 150 controls against which systems are tested for compliance, and adheres to the Microsoft Information Security Policy. The principles of that policy are implemented through 19 standards specific to the Commercial Support organization, covering areas from access control and data handling to privacy and business continuity.
Auditing and logging
The Commercial Support organization takes a risk-based approach to system logging and auditing. A baseline set of log requirements is assessed and implemented during the system development process. Systems that present a moderate or high risk, as assessed by data sensitivity, volume, and other criteria, log both data access and data alteration. The logs generated for each system must make it possible to detect security incidents that have occurred or are in progress, and must give investigators enough information to fully understand the events, activities, and circumstances surrounding an incident.
Incident response is an important element in a data security strategy. The Commercial Support organization has developed a robust process to facilitate a coordinated response to incidents, consisting of identification, containment, eradication, recovery, lessons learned, and communication. Upon becoming aware of a security incident, Microsoft uses the security incident response process, including forensic investigation, to track exactly what happened, which data was accessed, and by whom.
Commercial Support data is stored in the network of datacenters run by Microsoft Global Foundation Services. Because physical security is the first line of defense, these datacenters are designed, built, and managed using a “defense-in-depth” strategy to protect services and data from natural disaster or unauthorized access.
Secure apps and data
Microsoft employees are required to sign agreements that commit them to confidentiality regarding customer data. Internal tools contain data protection notices to remind employees and data handlers of their responsibility for any sensitive data that the tool may contain. Microsoft holds all third parties, including contractors and subcontractors, to the same security standards as full-time employees. Subcontractors who work in facilities or on equipment controlled by Microsoft must follow Microsoft data protection standards, and all other subcontractors must follow equivalent data protection standards. Microsoft subcontractor agreements are designed to ensure the safeguarding of customer information, including regular monitoring of the subcontractors’ work.
Encryption and rights management
Encryption is one of the technological safeguards that protect customer data. For data in transit, the Commercial Support organization uses industry-standard encrypted transport protocols between user devices and Microsoft datacenters, and within the datacenters.
The Commercial Support organization has developed requirements and designed systems to prevent personnel who have authorized access to customer data from using it for purposes beyond those identified for their roles. Systems have limited export functionality and often employ field-level security: for example, a system may withhold data fields that are not relevant to an individual’s role even though the individual is authorized to use the system. These controls also help prevent customer data from being read, copied, altered, or removed without authorization.
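The two controls described in this section and in the auditing and logging section above, field visibility restricted by role with limited export, and a log of every access and alteration that an investigator can use, can be shown together in a small case-store model. The following is an added illustration written for this page; it is not Microsoft code and says nothing about how the real case-management system is built. The role names, field names, export limit, and the two sample case records are all constructed for the example.

```python
from datetime import datetime, timezone

# Hypothetical field-level policy: every listed role may open a case, but each
# sees only the fields its job needs. Roles and field names are invented.
FIELD_POLICY = {
    "agent":      {"case_id", "status", "customer_name", "contact_email", "summary"},
    "engineer":   {"case_id", "status", "summary", "tenant_id", "diagnostic_logs"},
    "supervisor": {"case_id", "status", "customer_name", "contact_email", "summary",
                   "tenant_id", "assigned_to"},
}
# Fields each role may alter; always a subset of what it can see.
WRITE_POLICY = {
    "agent":      {"status", "summary"},
    "engineer":   {"status", "diagnostic_logs"},
    "supervisor": {"status", "assigned_to"},
}
# Limited export: only supervisors, and never more than EXPORT_LIMIT cases per call.
EXPORT_ROLES = {"supervisor"}
EXPORT_LIMIT = 25

# Constructed sample records (not real customer data).
SAMPLE_CASES = [
    {"case_id": "C-1001", "status": "open", "customer_name": "Contoso Ltd",
     "contact_email": "it-admin@contoso.example", "summary": "Mailbox migration stalled",
     "tenant_id": "tenant-7c1f", "assigned_to": "eng-42",
     "diagnostic_logs": "2024-05-01T09:12Z migration batch 3 timed out"},
    {"case_id": "C-1002", "status": "open", "customer_name": "Fabrikam Inc",
     "contact_email": "helpdesk@fabrikam.example", "summary": "SSO login loop",
     "tenant_id": "tenant-91aa", "assigned_to": "eng-17",
     "diagnostic_logs": "2024-05-02T14:03Z token audience mismatch"},
]


class AccessDenied(Exception):
    """Raised when a role attempts an action outside its policy."""


class CaseStore:
    """In-memory case store that enforces the policies and keeps an audit log."""

    def __init__(self, cases):
        self._cases = {c["case_id"]: dict(c) for c in cases}
        self.audit_log = []  # one entry per access, alteration, or refused attempt

    def _log(self, actor, role, action, case_id, fields, **extra):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "role": role, "action": action, "case_id": case_id,
                 "fields": sorted(fields), **extra}
        self.audit_log.append(entry)
        return entry

    def read(self, actor, role, case_id):
        """Return the case redacted to the role's visible fields, and log the read."""
        visible = FIELD_POLICY.get(role)
        if visible is None:
            self._log(actor, role, "read_denied", case_id, [])
            raise AccessDenied(f"role {role!r} may not open cases")
        view = {k: v for k, v in self._cases[case_id].items() if k in visible}
        self._log(actor, role, "read", case_id, view)
        return view

    def update(self, actor, role, case_id, changes):
        """Apply changes to writable fields only; log old and new values."""
        forbidden = set(changes) - WRITE_POLICY.get(role, set())
        if forbidden:
            # Refused attempts are logged too; they are what an investigator looks for.
            self._log(actor, role, "update_denied", case_id, forbidden)
            raise AccessDenied(f"role {role!r} may not alter {sorted(forbidden)}")
        case = self._cases[case_id]
        before = {k: case.get(k) for k in changes}
        case.update(changes)
        self._log(actor, role, "update", case_id, changes, before=before, after=dict(changes))
        return {k: v for k, v in case.items() if k in FIELD_POLICY[role]}

    def export(self, actor, role, case_ids):
        """Bulk export limited by role and batch size; rows stay redacted."""
        if role not in EXPORT_ROLES:
            self._log(actor, role, "export_denied", None, [], count=len(case_ids))
            raise AccessDenied(f"role {role!r} may not export")
        if len(case_ids) > EXPORT_LIMIT:
            self._log(actor, role, "export_denied", None, [], count=len(case_ids))
            raise AccessDenied(f"{len(case_ids)} cases exceeds export limit {EXPORT_LIMIT}")
        rows = [self.read(actor, role, cid) for cid in case_ids]
        self._log(actor, role, "export", None, FIELD_POLICY[role], count=len(rows))
        return rows


if __name__ == "__main__":
    store = CaseStore(SAMPLE_CASES)
    print(store.read("alice", "engineer", "C-1001"))   # no customer contact fields
    store.update("bob", "agent", "C-1001", {"status": "pending"})
    try:
        store.export("bob", "agent", ["C-1001"])        # agents cannot export
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in store.audit_log:
        print(entry)
```

The point of logging the refused attempts alongside the successful reads and updates is that a pattern of denied exports or denied field writes by one actor is exactly the signal the incident-response process above needs; a log that records only successes cannot show it.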