Bekker's Blog

Annotating Microsoft's Trusted Cloud Principles

Microsoft's statements about its philosophy around the data held in its cloud matter.

As one of the two or three largest hyperscale cloud operators in the world, and one that is always angling to store more of its customers' data in Azure and its other services, Microsoft has an outsized influence on global perceptions of the cloud and on how closely technology companies and governments should work together.

For partners trying to sell their business customers on moving data to the cloud, those statements are important as a resource to present to concerned customers and as a key piece of evidence to weigh as partners evaluate whether the cloud is the right solution for a particular customer.

In a Monday blog post attributed to the Cyber Trust Blog Staff, Microsoft published an important list of its six "Trusted Cloud principles." Below are Microsoft's verbatim principles, with my comments following each:

You own your data, not us. When you use a Microsoft cloud service, you keep the ability to take your data with you when you terminate an agreement. When a subscription expires or you terminate your contract, Microsoft follows a 90-day retention policy and strict standards for overwriting storage before reuse.

The 90-day policy is key here for two reasons. One, it's important to understand that data is irretrievable, by policy at least, after 90 days. The other is that a constant standard makes for a de facto statute of limitations on government requests for data. If this works as advertised, government agencies can't go fishing through Microsoft data stores for evidence on old cases.

Your data is not used for marketing. Our enterprise business model is not based on exploiting customer data. We do not use your data for purposes such as advertising that are unrelated to providing the cloud service.

I read this as a dig at Google.

We don't use standing access. We've engineered our cloud services so that the majority of operations are fully automated. Only a small set of activities require human involvement; access to your data by Microsoft personnel is granted only when necessary for support or operations, then revoked when no longer needed.

This could reduce, but won't eliminate, concerns about rogue administrators inside Microsoft accessing customer data. At least the attention to the issue suggests vigilance on Microsoft's part, which may extend to steps like checking employees' backgrounds and monitoring access logs.

You can choose your datacenter location. Depending on which Microsoft cloud services you have, you may have flexibility in choosing where your data physically resides. Your data may be replicated for redundancy within the geographic area, but not transmitted outside it.

The intended audience for many of these policies, especially this one, is companies based in countries other than the United States, where concerns about U.S. government access to the data held by a U.S.-based company run very high.

We protect data from government surveillance. Over several years, we've expanded encryption across all our services and reinforced legal protections for customer data. And we've enhanced transparency so that you can be assured that Microsoft does not build "back doors" into our products and services, nor do we provide any government with direct or unfettered access to customer data.

Microsoft's backbone about fighting government requests seems to be getting stiffer with each passing month.

Law enforcement requests must go through you. Microsoft will not disclose your data to a third party except as you direct or as required by law. We'll attempt to redirect third parties to request customer data directly from the data owner.

This is an important principle. However, the "required by law" caveat is big enough to drive a truck through. As long as governments require Microsoft to provide them the data, Microsoft will have to comply and is sometimes prevented by law from reporting that fact to the data owner. This is what makes using third-party encryption tools, in which the customer controls the keys, especially important for certain types of data and customers.

Microsoft is setting strong privacy and customer control principles here for customers of its cloud. The list is a slight evolution of what Microsoft has been saying publicly over the last few months. In all, the principles lay significant groundwork for the future of the cloud. How strictly Microsoft can adhere to these principles depends on legislation, court orders and executive orders in thousands of jurisdictions, but at least we know what Microsoft says it will try to do.

Posted by Scott Bekker on March 21, 2016