I remember climbing up on stage a few years ago with a bunch of security folks at Microsoft TechEd event debating cloud security. At that point Office 365 and Windows Azure were relatively newish and I must confess that like many of my esteemed colleagues, I was a little sceptical over Microsoft’s bold privacy claims.
Of course I, like many stand up on stage or teach in classrooms with lots of pretty slides and demos and tell you that, “It’s okay, you have nothing to worry about” or “Of course not. Don’t be silly the NSA are not spying on you.” But the harsh reality is that we are simply basing that assumption on trust. Ah yes there’s that word again “trust”, because at the end of the day we’d like to think that hey this is Microsoft. They are a well established company with a good reputation for quality products and services. Therefore when they say that they will store my data securely in their datacentre’s, you have to take them at their word.
So you can imagine my thrill, when last year I was offered an opportunity to visit the Microsoft Datacentre in Dublin. Now when I say thrill, I wasn’t just thinking, hey this is a great geeky thing to do. For me a a security guy it was an opportunity to see for myself if the information on all those slides were accurate. Although this happened last year, Microsoft enforce a strict NDA (Non Disclosure Agreement), which places an embargo on any articles that you may right for 3 months after your visit. So in this article, be rest assured my aim is not to divulge secrets but merely give you, the reader an insight into what security is like within a datacentre.
Firstly, like many of the big providers you can’t simply walk up to a datacentre and say, “Can I come in and have a look around?” They will of course say “no.” So the first step is the application for entry. Once approved you turn up. Once you navigate through the layers of physical security, gates, turnstiles, cameras and guards. You eventually end up in the reception area. Of course Government Issued Photo ID is required along with the signing of multiple NDA agreements. Which by the way, they keep along with your cell phone for the duration of your visit. Once satisfied, your visit can begin.
Now when they say these datacentres are big, you have to think BIG! Multiple floors and buildings filled with literally thousands upon thousands of boxes which blink, bleep and whir 24 hours a day, seven days a week, 365 days a year. All with the sole purpose of ensuring you can continue to search the web, access your data, and play games. Now this get’s me on to what Microsoft calls its cloud principles (For Office 365 anyway). In all they have 8 golden rules. These are as follows
- Services are highly configurable and scalable without customization.
- Services are under the Microsoft Security Policy.
- We provide transparency in data location and transfers.
- We audit on your behalf and provide certification reports
- Microsoft’s liability is capped, consistent with industry standards.
- Office 365 is an evergreen service. Customers need to stay current.
- Our solution evolves rapidly with a documented roadmap.
- We provide services offers to help you migrate to the cloud efficiently
Sounds good so far, but how do you keep my stuff safe. Well upon account creation your data is matched with a datacentre in your region. For me here in the UK, it’s Dublin. Within the datacentre your encrypted data and logs are replicated to another volume at regular intervals and then to other racks and finally to a sister datacentre, which in my case is Amsterdam. This meets the compliancy issue. Data must stay within the European Union.
Ah but what if there’s a power cut? Well each datacentre (when I say each, in all Dublin has 6, soon to be 7 buildings) is equipped two independent power supplies each, so if one fails the other automatically kicks in. Then there are the battery backups, which is enormous by the way. It’s the only place where you can actually walk inside a battery. If that isn’t enough each of the 7 datacentres are equipped with 2 enormous CAT engines each. You know the kind that power ocean liners. Then if all else fails the datacentres have it within their software to switch service to a sister datacentre. When I asked “what could actually bring down a datacentre, the answer was an EMP – An Electromagnetic Pulse).” Too be frank, I don’t think anything could prepare you for the overall size and complexity of these facilities. In fact the only way to get around is by bicycle. It’s interesting to note that the European staff rejected the option to use Segway’s.
In terms of personnel Microsoft’s security policies and procedures are some of the strictest in the industry, any violation of these will lead to dismissal.
So my might ask who’s data is store within one of these vast repositories. The answer is simple, you never know. That’s all part of the security policy, separation of duties. All that the datacentre staff are aware of, is that they only look after Microsoft data (no mingling). That is data from Microsoft’s vast array over 200 services. This includes services such as Windows Azure, Office 365, Bing Search, Xbox Live, Microsoft IT and many more. So it’s impossible for a staff member to snoop on your data, as it would be difficult for them to find. This is left to the operations team who are located elsewhere.
Another important issue of course is how disks are reused. Disks containing general data, i.e. disks that do not contain any sensitive or personal information may be wiped and reused. However any disk containing personally Identifiable information or PII are NEVER reused and are destroyed by a giant crushing machine, all under the watchful eyes of at least two members of staff.
By the time we came out from within the bowels of the datacentre I was suitably impressed with the way Microsoft co-ordinated it’s security efforts in respect to ensuring my data remained private. They also answered a question that I just had to ask. “How do I know that the NSA or GCHQ are hacking into my data?” The answer was simple Microsoft NEVER divulge customer data to any authority unless through correct judicial procedures, i.e. a subpoena. Lets face it by the time you hear about this you’ll know that you’ve been a bad guy anyway. I was told that they do try and contact you up to 7 days prior to the hand over in order for you to take legal advice.
So there you have it just a taste of what it’s like inside the walls. It’s big and very secure to ensure that Microsoft meets its compliance requirements. If you’d like to know more about Microsoft datacentre operations take a look here http://www.microsoft.com/en-gb/server-cloud/cloud-os/global-datacenters.aspx If you are a Microsoft Partner and would like to visit a datacentre, this may be possible, but you would need to speak with your Microsoft partner contact. More details on Microsoft Security & Trust policy can also be found here http://azure.microsoft.com/en-gb/support/trust-center/security/ for you
About the author
Andy Malone – Author, Speaker, Trainer (UK)
With a prestigious international career spanning 20 years, Andy is not only a world class technology instructor and consultant. But is also a Microsoft Most Valuable Professional and multi award winning international conference speaker at such prestigious events as Microsoft TechEd, Dev Connections, TechMentor – Live 360 and the Cybercrime Security Forum. His passionate style of delivery, combined with a sense of fun has become his trademark and won him great acclaim.
Although his primary focus is security, Andy loves to talk about the Windows platform, Exchange and Office technologies. And with knowledge dating back to the MS-DOS 2 and Windows 2.0 era there is often an interesting story to be told. But technology never sleeps and Andy continues to work with the Microsoft product teams to create and deliver ground breaking material on Microsoft Azure and Office 365. For 2015 Andy is scheduled to deliver content in Europe, the Middle East and the US to name but a few. Andy has also just published his first book. A SC-Fi Thriller “The Seventh Day.” Follow Andy on Twitter @AndyMalone or visit his website at www.AndyMalone.org