Microsoft Unveils Single, Unified Trust Center for the Microsoft Cloud – MSDynamicsWorld.com
As part of CEO Satya Nadella’s stump speech concerning Microsoft’s new “Operational Security Posture,” the company promised greater transparency into its cloud security. Reading between the lines, Nadella promised a “plain-English” explanation of security offerings, both new and old, surrounding the company’s cloud portfolio.
Microsoft delivered that with its just-announced Microsoft Trust Center, “which unifies the trust centers of our enterprise cloud services – Microsoft Azure, Microsoft Dynamics CRM Online, Microsoft Intune, and Microsoft Office 365.”
What was the need? As the company’s General Manager of National Cloud Programs Doug Hauger described in a Cyber Trust Blog post:
“Increasingly, our customers deploy multiple Microsoft cloud services, and many expressed a desire for a single point of reference for cloud trust resources. They have come to rely on the trust centers to document the adherence of our cloud services to international and regional standards, describe privacy and data protection policies and processes, and inform them about data transfer and location policies, as well as security features and functionality.”
The Microsoft Trust Center offers a single page documenting which Microsoft services comply with standards such as ISO 27018 or HIPAA, or describing Microsoft’s data location policies across services.
Information in the Trust Center is organized by the four underlying principles that Nadella described: security, privacy and control, compliance, and transparency.
- Security: The Trust Center offers an overview of how security is built into the Microsoft Cloud from the ground up, with protection at the physical, network, host, application, and data layers so that its online services are resilient to attack. Sections describe the individual security features of Azure, CRM Online, Office 365, and Intune.
- Privacy and Control: Here the company outlines Microsoft Cloud privacy principles:
  - “You own your own data describes Microsoft Cloud policies for data ownership; we will use your customer data only to provide the services we have agreed upon.”
  - “You are in control of your customer data provides datacenter maps for each service, and policies for data portability, retention, and access.”
  - “Responding to government and law enforcement requests to access customer data outlines our processes for responding, including our commitment to transparency and limits in what we will disclose.”
  - “We set and adhere to stringent privacy standards describes how privacy in the Microsoft Cloud is grounded in the Microsoft Privacy Standard and the Microsoft Secure Development Lifecycle, and backed with strong contractual commitments to safeguard customer data in the Microsoft Online Services Terms.”
- Compliance: The combined compliance site contains comprehensive information on Microsoft Cloud certifications and attestations such as EU Model Clauses, FedRAMP, HIPAA, ISO/IEC 27001 and 27018, PCI-DSS, and SOC 1 and SOC 2. Each compliance page provides background on the certification, a list of compliant services, and detailed information such as implementation guides and best practices.
- Transparency: The Microsoft Cloud is built on the premise that for you to control your customer data in the cloud, you need to understand as much as possible about how that data is handled. A summary of those policies and procedures is available in the Microsoft Trust Center.
As Hauger describes, “We are committed to providing you the most trusted cloud on the planet through our foundational principles of security, privacy & control, compliance, and transparency.”
Trust and Dynamics in the Cloud
Thus far, only Microsoft Dynamics CRM Online is covered in the Microsoft Trust Center, but presumably, the new Dynamics AX on Azure, Dynamics NAV Managed Service, and similar offerings will be included over time as dictated by market demand.
But Dynamics CRM Online has achieved compliance with a range of international and industry-specific standards (see illustration). Microsoft Cloud offerings also meet regional and country-specific standards and contractual commitments, including the EU Model Clauses, UK G-Cloud, Singapore MTCS, and Australia CCSL (IRAP). On top of that, rigorous third-party audits, such as those by the British Standards Institution and Deloitte, validate the adherence of Microsoft cloud services to the strict requirements these standards mandate.
Microsoft promises “Privacy by Design” with Dynamics CRM Online, including:
- Data Ownership. “You own your data. Your data is not mined for advertising purposes. You can remove your data at any time from Dynamics CRM Online by cancelling your subscription and requesting that your data be deleted.”
- Microsoft’s role as Data Processor. “Microsoft is the only processor of your data. We only use your data for the services mutually agreed upon. Learn here how we use your data. We are constantly taking steps to protect customer data from government snooping.”
- Data Privacy Controls. “Dynamics CRM Online keeps your customer data separate from other customers’ data. We provision you with your own database to maximize the security and integrity of your data.”