Data is today’s currency. Cloud computing and the Internet of Things are driving a business transformation that measures value in billions of petabytes. The cloud is a powerful game-changer for businesses all over the world, but with that power comes great responsibility. Managing the volume, variety, and disparate sources of data generated through mobile devices and other activities is a global challenge for enterprise.
Unsurprisingly, businesses have many questions about how customer and enterprise data is managed, used, and protected in the cloud. According to a recent Intralinks survey of over 300 IT decision makers, less than half of companies surveyed “monitor user activities and provide alerts to data policy violations,” while only 53 percent “classify information to align with access controls.” And here’s the kicker: a little under half of the surveyed companies have no policies or controls in place to govern access.
Data privacy and access control must be taken together because it’s impossible to meaningfully achieve the one without robustly addressing the other. An organization may set up its cloud with the world’s best security to keep data private, but then fail to use access control policies effectively to prevent data leaks or unauthorized access. From both a technological and a privacy perspective, CIOs and IT leaders must pay attention to how, when, where, and by whom their company’s petabytes may be legitimately accessed. Moreover, they need to manage access control to ensure compliance from legal, risk management, and regulatory standpoints.
The issue has become more urgent since the invalidation of the EU – US Safe Harbor Framework impelled nations as well as businesses and individual citizens to examine the meaning of privacy in data residency regulations around the globe. How government surveillance and law enforcement relate to the access control policies governing private data is a current, evolving concern for enterprise.
This is why we’ve put all of our engineering expertise as well as our industry leadership into the privacy and control commitment that underpins the Microsoft cloud. When you entrust your data to our cloud services, you retain control of the data as well as access to it.
What privacy and control mean in the Trusted Cloud
Our Trusted Cloud principles drive our commitment to use customers’ data responsibly, be transparent about our privacy practices, and offer meaningful privacy and control choices to our customers.
You own your data, not us. When you use a Microsoft cloud service, you keep the ability to take your data with you when you terminate an agreement. When a subscription expires or you terminate your contract, Microsoft follows a 90-day retention policy and strict standards for overwriting storage before reuse.
Your data is not used for marketing. Our enterprise business model is not based on exploiting customer data. We do not use your data for purposes such as advertising that are unrelated to providing the cloud service.
We don’t use standing access. We’ve engineered our cloud services so that the majority of operations are fully automated. Only a small set of activities require human involvement; access to your data by Microsoft personnel is granted only when necessary for support or operations, then revoked when no longer needed.
You can choose your datacenter location. Depending on which Microsoft cloud services you have, you may have flexibility in choosing where your data physically resides. Your data may be replicated for redundancy within the geographic area, but not transmitted outside it.
We protect data from government surveillance. Over several years, we’ve expanded encryption across all our services and reinforced legal protections for customer data. And we’ve enhanced transparency so that you can be assured that Microsoft does not build “back doors” into our products and services, nor do we provide any government with direct or unfettered access to customer data.
Law enforcement requests must go through you. Microsoft will not disclose your data to a third party except as you direct or as required by law. We’ll attempt to redirect third parties to request customer data directly from the data owner.
