Recently, I hosted a Chief Information Security Officer roundtable in Washington, DC. Executives from several US government agencies and systems integrators attended to share cloud security concerns and challenges, such as balancing collaboration and productivity against data protection needs, cyber threat detection, and compliance. Toward the end of the day, one CISO reminded me he needed assurance. He asked, “How can we trust Microsoft to protect our data? And, how can I believe what you say?”
This post provides an opportunity to share important updates and assurances about practices and resources that Microsoft uses to protect data and user privacy in the Cloud. It also offers information on resources available to CISOs and others, that demonstrate our continuing investments in transparency.
Security at scale
Increasingly, government officials as well as industry analysts and executives are recognizing and evangelizing the security benefits of moving to hyper-scale cloud service providers. Microsoft works at this scale, investing $15B in the public cloud. The internet user maps below provide useful insight into why and where we are making these investments. Figure 1 represents internet usage in 2015. The size of the boxes reflect numbers of users. The colors indicate the percentage of people with access to the internet.
Figure 1, source “Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain”
Now look at Figure 2, showing expected internet usage in 2025. As you can see, global internet use and accompanying economic activity will continue to grow.
In addition to serving millions of people around the world, we are also moving Microsoft’s 100,000+ employees and our corporate infrastructure and data to the Cloud. We must therefore be confident that we can protect our resources as well as our users’.
How do we do it? Microsoft invests over $1B per year in cybersecurity and data protection. We start by ensuring that the software powering our data centers is designed, built and maintained as securely as possible. This video illustrates the world-class security Microsoft applies to data center protection. We also continue to improve on years of development investments in the Security Development Lifecycle (SDL), to ensure that security is addressed at the very beginning stages of any product or service. In the Cloud, the Operational Security Assurance framework capitalizes on the SDL and on Microsoft’s deep insights into the cybersecurity threat landscape.
One way that Microsoft detects cybersecurity activity in our data centers is the Intelligent Security Graph. Microsoft has incredible breadth and depth of signal and information we analyze from 450B authentications per month across our cloud services, 400B emails scanned for spam and malware, over a billion enterprise and consumer devices updated monthly, and 18B+ Bing scans per month. This intelligence, enhanced by rich expertise of Microsoft’s world class talent of security researchers, analysts, hunters, and engineers, is built into our products and our platform – enabling customers, and Microsoft, to detect and respond to threats more quickly. (Figures 3 & 4). Microsoft security teams use the graph to correlate large-scale critical security events, using innovative cloud-first machine learning and behavior and anomaly-based search queries, to surface actionable intelligence. The graph enables teams to collaborate internally and apply preventive measures or mitigations in near real-time to counter cyber threats. This supports protection for users around the world, and assures CISOs that Microsoft has the breadth and scale to monitor and protect users’ identities, devices, apps and data, and infrastructure.
Access to data
Technology is critical for advancing security at hyper-scale, therefore Microsoft continues to evolve the ways in which administrators access corporate assets. The role of network administrators is significant. In our cloud services, we employ Just Enough and Just Enough Administration access, under which admins are provided the bare minimum window of time and physical and logical access to carry out a validated task. No admin may create or approve their own ticket, either. Further, Windows Server 2016 clients can implement these policies internally. Security and managing data centers at scale is an ever evolving process based on the needs of our customers, the changing threat landscape, regulatory environments and more.
Microsoft works with auditors and regulators around the world to ensure that we operate data centers at the highest levels of security and operational excellence. We maintain the largest compliance portfolio in the industry, for example against the ISO 22301 privacy standard. In addition, Microsoft maintains certifications such as CSA STAR Certification, HITRUST, FACT and CDSA which many of our cloud competitors do not. For more about Microsoft certifications, visit the Microsoft Trust Center Compliance page.
Being compliant with local, industry, and international standards establishes that Microsoft is trustworthy, but our goal is to be trusted. Toward that end—and to ensure we address the needs of CISOs, Microsoft provides a wealth of information about cloud services, designed to provide direct and customer self-service opportunities to answer three key questions:
- How is may data secured and protected?
- How does Microsoft Cloud help me be compliant with my regulatory needs?
- How does Microsoft manage privacy around my data?
The comments at our roundtable that prompted this blog show that our cloud security and compliance resources can be difficult to find, so while we double down on our efforts to raise awareness, bookmark this update and read below. We operate the following portals, designed to facilitate self-service access to security and compliance information, FAQs and white papers, in convenient formats, and tailored to an organization’s geography, industry and subscription(s):
- The Microsoft Trust Center, a centralized resource for enterprise customers to find answers about what Microsoft is doing to protect data, comply with regulatory requirements, and verify that we are doing what we say.
- The Service Trust Portal (STP) is available for organizations under nondisclosure to current and potential Microsoft customers. It includes hundreds of important third-party audit reports, information on certifications, and internal security documents, for Azure, O365, Dynamics CRM Online, and Yammer. Examples include SOC and ISO audits reports.
- The Service Assurance Portal, available to current O365 users, offers the same level of access but directly through the O365 subscription. This is a unique “transparency window” to provide customers with in-depth understanding in how we implement and test controls to manage confidentiality, integrity, availability, reliability, and privacy around customer data. Not only do we share the “what” about controls, but also the “how” about testing and implementation.
Government Security Program
Microsoft also participates in the Government Security Program as another key transparency initiative. Through the GSP, national governments (including regulators) may access deep architecture details about our products and services, up to and including source code. The GSP also provides participants with opportunities to visit Microsoft headquarters in Redmond to meet face to face with the teams that operate, monitor, and defend our company and products and services—including data centers—from cyber threats. They can also visit any of our Transparency Centers in Redmond, Brussels, Brasilia, and Singapore. Several dozen governments around the world use the GSP to obtain greater insight into how Microsoft builds, operates and defends its data centers, and by extension, how we protect users.
Microsoft stands ready to work with CISOs to raise awareness and ensure access to the resources discussed above. Visit the following sites to learn more. Microsoft has also created a dedicated team of cybersecurity professionals to help move you securely to the Cloud and protect your data. Learn more about the Enterprise Cybersecurity Group, or contact your local Microsoft representative.