Informational Security White Paper
An Informational Security Whitepaper by Microsoft on Security and Privacy in a Multi-Tenant
Environment
Published: October 2010
For the latest information, see http://www.microsoft.com/online.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO
THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in
examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
©2010 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Exchange, Forefront, SharePoint, and Windows Server are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Abstract
Computing in the cloud raises questions about security, data protection, privacy and data ownership.
Microsoft Online Services are subscription-based software services hosted by Microsoft and sold directly
or through partners to businesses all over the world. These services are designed to meet the
performance, scalability, security management capabilities, and service levels business customers
expect.
The Business Productivity Online Suite Standard enables customers to purchase always up-to-date, best-in-class
software hosted on a multi-tenant architecture. The services are physically hosted in Microsoft
data centers around the world, utilizing enterprise-class technology to deliver performance, reliability
and security.
Microsoft Online has applied state-of-the-art technology, culture, and processes to help maintain or
support consistent and reliable access, security and privacy for every user. Microsoft Online has built-in
capabilities for compliance with a wide range of regulations and privacy mandates. These capabilities
and framework are regularly scrutinized, assessed and audited to assure the highest security and privacy
standards are maintained.
Microsoft has developed its offerings around the following core principles:
• Microsoft tells you where your data is and you are the owner of your data
• Microsoft will never perform data mining on your customer content housed in the Microsoft cloud
• Microsoft Online Services are built to support International Standards Organization (ISO) requirements for an Information Security Management System, ISO 27001
• Microsoft Online Services are certified to ISO 27001, SAS 70 and EU Safe Harbor Framework
This security whitepaper explores these and other topics in more detail.
Contents
Abstract
Introduction
Microsoft Online Services Security Program
  Corporate Security Policies
  Organizational and Operational Security
    Security Education
    Security Development Lifecycle (SDL)
    Computing Community Participation
  Data Security Controls
    Physical Security
      Carrier-Class Data Centers
      Security for Data Center Personnel
      Backup and Recovery
    Logical Security
      Multi-Tenant Security
      Administrative Access
      Network Security and Segmentation
      Data Storage, Retention and Ownership Rights
Regulatory Compliance Framework
  Cloud Security Standards
Privacy Protection
Conclusion
Introduction
Business Productivity Online Suite (BPOS) Standard is a set of enterprise products delivered as a
subscription service, hosted by Microsoft and sold directly or through partners. The products are
designed for customers with managed IT needs. The suite includes Exchange Online, Office SharePoint
Online, Office Communications Online, Forefront Online Protection for Exchange, and Office Live
Meeting. Microsoft is committed to its responsibility to maintain the security of data entrusted to it by
millions of business users and strives to meet and exceed all levels of expected security.
The most important fact framing any discussion of Microsoft’s security program and the BPOS
services is that the services are built to support ISO 27002 directives, augmented with requirements
specific to online services. The ISO 27001 Information Security Management System (ISMS) is used and
describes how information security is planned, implemented, monitored, reviewed and improved. We
have obtained our ISO 27001 certification through audits of our ISO framework, and according to the
Cloud Security Alliance:
“Cloud providers seeking to provide mission critical services should embrace the ISO/IEC 27001
standard for information security management systems. If the provider has not achieved ISO/IEC
27001 certification, they should demonstrate alignment with ISO 27002 practices.”
Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing v2.1, 2009
In addition to our services meeting the BPOS security standards, the Microsoft data centers and the
infrastructure layer on which our services rely are also audited and certified against a
comprehensive set of controls and management standards assessed in both SAS 70 and ISO 27001
audits. Audits and certifications are performed by recognized independent third parties at least
annually.
Key components of the Microsoft Online Services Security Program are:
• Corporate Security Policies
  Microsoft’s security policies stem from building security into its software and systems, enabling customers to meet regulatory, industry and legal obligations.
• Organizational and Operational Security
  Microsoft employs some of the best and brightest people in the security community, and ensures that robust security principles, policies and procedures are woven into design and implemented operations.
• Data Security Controls
  Customer data is handled and stored in highly secured carrier-class facilities with physical and environmental controls that are continually monitored, reviewed and scrutinized. The prevention of unauthorized and unintended information transfer via shared system resources is controlled through logical security controls leveraging the mature structure of Active Directory.
• Regulatory Compliance Framework
  ISO 27001 certification, SAS 70 audits, EU Safe Harbor Framework certification, and implementation of Cloud Security Alliance guidance make up some of Microsoft Online’s compliance programs and foundation.
• Privacy Protection
  Microsoft Online Services has been built to adhere to MS Online’s privacy standards, focusing on transparency, giving customers control over their data, and enabling them to adhere to recognized privacy principles. For general information on our collection, use and sharing of personal information, please read the Microsoft Online Services privacy statement at: http://www.microsoft.com/online/legal/
Microsoft Online Services Security Program
Corporate Security Policies
Security at Microsoft starts with people, processes, and a shared goal. This shared goal is to enable
customers to ensure the confidentiality, integrity, and availability of their data while complying with
legal, regulatory, and contractual requirements. To achieve such a secure hosted infrastructure,
Microsoft subscribes to the following principles:
• Ensure the security and privacy of Microsoft Online Services for all customers and users by providing a robust and evolving security practice that is designed to exceed industry best practices based on the ISO 27001 framework.
• Meet customer expectations by ensuring that Microsoft Online Services have a breadth of offerings with the flexibility to meet unique security and compliance obligations and to accommodate regulatory or legal obligations.
• Continually mature and enhance Microsoft Online Services by contributing to product and service innovations, getting customer feedback into the product release cycle, and working with security expertise to ensure past, current, and future threats are being considered.
These principles provide a basis for security policies throughout Microsoft Online Services.
Organizational and Operational Security
Microsoft’s people, in combination with well-defined and implemented policies, make the Microsoft
Security Team uniquely suited to set the bar for industry-leading education and software development.
Through continuous improvement programs, applicable staff remain qualified in security and privacy
knowledge.
Security Education
The security education program at Microsoft consists of many components including:
• Formal training for all engineers, test, and program managers including design and coding standards.
• Extensive documentation for software developers and testers through its publicly available Threats and Countermeasures Guidance. For further details please read information available at the Guidance Explorer Tool at: http://guidanceexplorer.codeplex.com/.
• Regularly scheduled security tech-talks from academic and professional researchers both internal and external to Microsoft.
• Recurring Microsoft BlueHat conferences which bring together security professionals and researchers from across the world for in-depth technical presentations and discussions on security vulnerabilities, code analysis, and testing techniques. For more information see the BlueHat Security Briefing at: http://technet.microsoft.com/en-us/security/cc261637.aspx.
Security Development Lifecycle (SDL)
As an early pioneer for integrated security development, Microsoft has proven with quantifiable results,
such as the reduction in security bulletins, that its products have set new standards in the software
development industry.
Creating and adopting the Security Development Lifecycle has also demonstrated global leadership
around information and security practices in commercial software. Microsoft develops its SDL processes
and tools internally and has maintained a dedicated research effort leading to internal code analysis and
testing tools developed by the Microsoft Security Engineering Center (MSEC) and the Center for
Software Excellence (http://www.microsoft.com/windows/cse/default.mspx).
Knowing that Internet and system security depends on the entire ecosystem, Microsoft has made much
of its internal resources publicly available at http://www.microsoft.com/security/sdl/default.aspx.
Microsoft has released its own internal process guidance for each stage of the SDL, as well as
assessment tools to help companies determine their own maturity levels within the SDL framework.
Some of Microsoft’s own tools for assessment and security testing have also been made available,
including:
• Threat modeling tool for software design
• Code analysis tools including banned.h, PREFast, and CAT.NET
• Binary analysis tools such as BinScope and FxCop
• Process templates for Agile and traditional software development methods
Microsoft’s SDL Pro Network was also developed to assist the public and our customers in deciding on
training, consulting, and tooling companies to meet their security objectives.
Computing Community Participation
The Microsoft Security Response Center (MSRC) (http://www.microsoft.com/security/msrc) was
founded as a way for Microsoft to reach out to its customers and the security research
community. MSRC has since established policies for consistent monthly security bulletins and out-of-
band announcements for its customers, and practices for responsible vulnerability disclosure with the
security research community. The benefits are to provide customers with timely security updates and
detailed information to help in their security management decisions. The benefits have also included
setting up a mutually beneficial relationship with the external people and companies who find and
report vulnerabilities.
For many years Microsoft has opened its doors to the security research community through efforts of
the MSRC and events such as the Microsoft BlueHat security conference and the Microsoft Active
Protections Program (MAPP) (http://www.microsoft.com/security/msrc/collaboration/mapp.aspx).
Microsoft intends to provide its customers with accurate and timely information through its blogs on
MSDN and other social networking sites.
Data Security Controls
Microsoft houses critical and sensitive data for millions of customers throughout the world. A secure
multi-tenant environment must prevent any data exposure between users and across tenants. The data
security model starts by considering access and authorization controls for data in transit, data at rest,
and data available to applications. Connections established over the Internet to the services are
encrypted using industry standard Transport Layer Security (TLS) / Secure Sockets Layer (SSL). The term
data-at-rest refers to data as it exists on a physical storage medium. Data-at-rest is not encrypted by
Microsoft or many of the leading competitors as it would impact service functionality (e.g. search), but
for sensitive data, customers may implement Active Directory Rights Management to provide the layer
of control and security. Backups are performed every day and data restore is available per customer
request. Redundancy is built into the fabric of our program, from the application, to the network,
servers, and data centers.
Physical Security
Physical security controls applied to our data centers include, but are not limited to, perimeter fences,
biometric scanners, smart-cards, identification badges, delivery and loading area isolation, video
surveillance and on premise security officers 24/7. Visit http://www.globalfoundationservices.com for
video tours of our data centers and to get an inside view.
Only authorized staff have access to the hardware on which you run your business. Power outages, staff
vacations, or physical relocation of servers will not affect your operations or expose your data to
unmanaged risks.
Data centers are distributed around the world, offering geographically dispersed hosting with global
availability. Data centers have been engineered to meet the most demanding requirements for
reliability, performance and security. Microsoft has implemented a set of policies and procedures to
provide for catastrophic physical and environmental threats.
Carrier-Class Data Centers
Microsoft enforces physical security controls as part of a broad set of carrier-class data center
operations. “Carrier-class” means very high availability, allowing for very little downtime per year. In the
data centers in which Microsoft Online Services are operated, achieving carrier-class performance starts
with engineering the data center to be protected from environmental risks such as theft, fire,
explosives, water, smoke, earthquake, and electronic interference.
All cabling has been secured inside facilities, and cables traversing outside areas have been secured
where necessary. State of the art technology is used to constantly monitor the health and security of
each facility, both onsite and remotely.
The data centers in which Business Productivity Online Suite services are operated achieve carrier-class
performance through controls such as:
• Physical building security
• Secure physical access for authorized personnel only
• Redundant power supplies:
  o Two separate power feeds into each data center
  o Battery backup
  o Diesel generators (with alternative fuel delivery contracts in place)
• Multiple fiber trunks connecting the data centers for redundancy
• Climate control to ensure that equipment runs at optimal temperature and humidity
• Seismically braced racks where required
• Fire prevention and extinguishing systems with minimal disruption to computer equipment
• 24-hour secured access, as well as video camera surveillance and security breach alarms
Security for Data Center Personnel
An additional layer of security within the data center is applied to personnel that operate the facility.
Access is restricted by job function so that only essential personnel are authorized to manage
customers’ applications and services. Authorization requires:
• Badge and card reader restricted access
• Biometric scanners
• On-premises security officers
• Continuous video surveillance
In addition, authorized personnel must have prior approval for all operations and actions within the data
center. Changes in permissions are logged and when employees change job functions within the
company access is revoked or altered in accordance with new responsibilities. Any operations that are
not already part of established process and procedures are reviewed before they can be executed.
Backup and Recovery
BPOS implements robust data backup and recovery mechanisms to enable availability, business
continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from
redundant disks to guard against local disk failure to continuous, full data replication to a geographically
diverse data center.
At the system hardware level, servers are deployed on hardware equipped with a combination of RAID 1
(mirrored) and RAID 5 (distributed parity) disk arrays. RAID allows for the complete loss of one disk
without any loss of data or server downtime. A hot spare disk automatically replaces any failed drive in
the array, allowing for quick restoration of the array to a non-degraded state without manual
intervention or downtime.
Microsoft System Center Data Protection Manager (DPM) is used to perform system data backup and
recovery within each data center. All backup data is stored on fixed disk arrays to help ensure rapid,
error-free recovery and eliminate the speed, inventory, and reliability challenges posed by traditional
tape backup mechanisms. For these reasons, tapes are not used as a backup mechanism. DPM provides
byte-level data replication and automatically validates replicated data against known-good production
servers to maintain data integrity. Data protection is near-continuous for most services, and performed
every 12 hours for those that don’t support continuous replication (e.g., SharePoint). Real-time
monitoring provides Microsoft operations with current backup status. Further, production data is
routinely restored using DPM to fulfill customer data restoration requests and Microsoft operational
needs.
DPM stores backups of the following classes of data:
• Application data
• File data from volumes, shares, and folders
• System state
The primary data center DPM backup repository is itself replicated to the alternate data center.
In the event that system and/or data recovery is needed, Microsoft operations use the Microsoft System
Recovery Tool to perform a “bare metal” system installation and then use DPM to restore the server to
its pre-failure state.
Logical Security
With Internet computing, logical access to information is as critical as, if not more important than,
physical access. Access controls are integrated into the perimeter network and every application.
Customer access to services provided over the Internet originates from the user’s Internet-enabled
location and terminates at a Microsoft data center. Connections established over the Internet to the
services are encrypted using industry standard Transport Layer Security (TLS) / Secure Sockets Layer
(SSL). The use of TLS/SSL establishes an ad-hoc, browser-to-server secured connection to help provide
data confidentiality and integrity from the desktop to the data center. Data storage and processing are
logically segregated between customers of the same service through the use of Active Directory
structure and Active Directory capabilities specifically developed to help build, manage, and secure
multi-tenant environments.
Multi-Tenant Security
Security-focused engineering efforts have been expanded to create specialized products which support
the multi-tenant security requirements of Microsoft Online Services. Tenants are isolated from one
another based in part on security boundaries, or silos, enforced logically through Microsoft’s Active
Directory technology. Through its industrial-strength protocols and organizational unit isolation, the
foundation of Active Directory provides trusted data protection for each company hosting with
Microsoft Online Services.
The prevention of unauthorized and unintended information transfer via shared system resources is
controlled using Organizational Units (OUs), which are containers that logically store directory
information and provide a method of addressing Active Directory through the Lightweight Directory
Access Protocol (LDAP). In Active Directory, OUs are the primary method for organizing user, computer,
and other object information into a more easily understandable layout. As shown below, there is a root
organizational unit within which nested organizational units are placed. This nesting enables
distribution of customers and users across multiple containers. OUs can be further subdivided into
resource OUs for organization and delegation of administration.
Through the use of OUs, customers are configured with specific resources and Access Control Entries
(ACEs) to isolate each organization and prevent users from different organizations from viewing data
outside their own containers.
Logical security in Microsoft Online Services means securing the software that is already running on
physically secure hardware, in secured data centers.
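To make the OU-and-ACE isolation described above concrete, here is an added example (not from the whitepaper and not Microsoft Online's own tooling) that builds a nested tenant OU under a root hosting OU, removes the broad inherited read grants that would let one tenant enumerate another, delegates only to that tenant's own admin group, and then audits the silo for ACEs held by anyone else. The lab domain corp.example, the OU names, the group names and the operator accounts are assumptions.

```powershell
# Added example, not Microsoft Online's own code. Assumes the ActiveDirectory module and a lab
# domain corp.example (DC=corp,DC=example); OU and group names below are assumptions.
Import-Module ActiveDirectory

$DomainDn = "DC=corp,DC=example"     # assumption: lab domain
$RootOu   = "OU=Hosting,$DomainDn"   # root OU under which every tenant silo is nested

# Well-known principals whose default read access would let one tenant enumerate another.
$BroadPrincipals = @(
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'),  # Authenticated Users
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0')    # Everyone
)

function New-TenantSilo {
    param(
        [Parameter(Mandatory)][string]$TenantName,        # e.g. "Contoso" (fictitious)
        [Parameter(Mandatory)][string]$TenantAdminGroup   # sAMAccountName of that tenant's admin group
    )
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$TenantName'" -SearchBase $RootOu -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $TenantName -Path $RootOu -ProtectedFromAccidentalDeletion $true
    }
    $tenantOu = "OU=$TenantName,$RootOu"
    # Resource OUs inside the silo, used for organization and delegated administration.
    foreach ($sub in 'Users', 'Groups', 'Resources') {
        if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$sub'" -SearchBase $tenantOu -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $sub -Path $tenantOu -ProtectedFromAccidentalDeletion $true
        }
    }

    $acl = Get-Acl -Path "AD:\$tenantOu"
    # Stop inheriting from the root OU but keep copies of the inherited ACEs (SYSTEM, operators)
    # so the silo stays manageable, then purge the broad read grants.
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($sid in $BroadPrincipals) { $acl.PurgeAccessRules($sid) }

    # Delegate to the tenant's own admin group, scoped to this OU subtree only.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, CreateChild, DeleteChild, WriteProperty'
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (Get-ADGroup -Identity $TenantAdminGroup).SID,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$tenantOu" -AclObject $acl
    return $tenantOu
}

# Lists every Allow ACE on the silo held by a principal that is not on the expected list, i.e.
# anything that could let another tenant, or a stale delegation, see into this container.
# Built-in groups that appear here (Account Operators, Pre-Windows 2000 Compatible Access)
# still need a deliberate decision rather than silent acceptance.
function Test-TenantSilo {
    param(
        [Parameter(Mandatory)][string]$TenantOuDn,
        [Parameter(Mandatory)][string[]]$ExpectedPrincipals   # NT account names, e.g. "CORP\Contoso-Admins"
    )
    $acl = Get-Acl -Path "AD:\$TenantOuDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($ExpectedPrincipals -notcontains $who) {
            [pscustomobject]@{ OU = $TenantOuDn; Principal = $who; Rights = $ace.ActiveDirectoryRights }
        }
    }
}

$operators  = 'NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', 'CORP\Enterprise Admins'   # assumption
$contosoOu  = New-TenantSilo -TenantName 'Contoso'  -TenantAdminGroup 'Contoso-Admins'
$fabrikamOu = New-TenantSilo -TenantName 'Fabrikam' -TenantAdminGroup 'Fabrikam-Admins'
# Any row returned here is a cross-silo grant to investigate, e.g. Fabrikam-Admins on the Contoso OU.
Test-TenantSilo -TenantOuDn $contosoOu  -ExpectedPrincipals ($operators + 'CORP\Contoso-Admins')
Test-TenantSilo -TenantOuDn $fabrikamOu -ExpectedPrincipals ($operators + 'CORP\Fabrikam-Admins')
```

Run the audit function on a schedule rather than only at provisioning time, since delegation drift over months is what usually reopens a silo.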
Administrative Access
Microsoft Online administrators are qualified systems and security experts with a tremendous
responsibility for maintaining the technical aspects and security of Microsoft Online. Segregation of
duties is maintained and enforced through quarterly access reviews. All system management functions
are performed over private, controlled, and encrypted communication channels. Routers are managed
over the secure SSH protocol, and Windows systems are managed using secure Remote Desktop
connections over SSL and TLS. In addition to the network security layer, Microsoft Online administration
requires two-factor authentication (via smart card) of every administrator. This enables strong
access control, and the administrator’s personally identifiable information is logged in the event that a
forensic investigation is ever required.
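An added example (not from the whitepaper and not Microsoft Online's own tooling) of the kind of quarterly access review the paragraph above describes: it enumerates the privileged groups, flags administrators whose accounts do not enforce smart-card logon, are stale or have non-expiring passwords, and checks that nobody holds two role groups that are meant to be segregated. The group names and the ninety-day window are assumptions.

```powershell
# Added example, not Microsoft Online's own code. Assumes the ActiveDirectory module; the
# privileged-group and role-group names are assumptions for a lab domain.
Import-Module ActiveDirectory

function Get-AdminAccessReview {
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
        [int]$StaleDays = 90   # a full quarter without a logon is flagged for removal
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($group in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName `
                    -Properties SmartcardLogonRequired, LastLogonDate, Enabled, PasswordNeverExpires
            $issues = @()
            if (-not $u.SmartcardLogonRequired) { $issues += 'no-smartcard-2fa' }   # two-factor not enforced
            if ($u.PasswordNeverExpires)        { $issues += 'password-never-expires' }
            if (-not $u.Enabled)                { $issues += 'disabled-still-privileged' }
            if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) { $issues += 'stale' }
            [pscustomobject]@{
                Group     = $group
                Account   = $u.SamAccountName
                LastLogon = $u.LastLogonDate
                Issues    = ($issues -join ',')
            }
        }
    }
}

# Segregation of duties: the same person must not hold two roles that are meant to check each other.
function Test-SegregationOfDuties {
    param([Parameter(Mandatory)][string[]]$ExclusiveRoleGroups)
    $seen = @{}
    foreach ($group in $ExclusiveRoleGroups) {
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            if ($m.objectClass -ne 'user') { continue }
            if ($seen.ContainsKey($m.SamAccountName)) {
                "{0} holds both {1} and {2}" -f $m.SamAccountName, $seen[$m.SamAccountName], $group
            } else {
                $seen[$m.SamAccountName] = $group
            }
        }
    }
}

$review = Get-AdminAccessReview
$review | Where-Object { $_.Issues } | Format-Table -AutoSize
Test-SegregationOfDuties -ExclusiveRoleGroups 'BPOS-Change-Approvers', 'BPOS-Change-Implementers'   # assumed names

# Remediation for the two-factor finding (reported only by default; uncomment to enforce):
# $review | Where-Object { $_.Issues -match 'no-smartcard-2fa' } |
#     ForEach-Object { Set-ADUser -Identity $_.Account -SmartcardLogonRequired $true }
```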
Network Security and Segmentation
The Microsoft Online network consists of a centralized Active Directory management forest called the
Joint Management Environment (JME) and a number of service forests representing the different service
environments. The service forests and the JME forest exist in different network virtual routing and
forwarding instances, separated logically by a network firewall. Each service forest has a two-way trust
with selective authentication to the JME, which restricts which resources can be accessed by which
security principals.
All traffic originating from networks outside the service or the JME is considered untrusted and is
treated as equivalent to traffic originating from the Internet. This includes traffic originating from other
Microsoft Online services within the same data center and connections originating from the Microsoft
corporate network. BPOS can, in a sense, be considered an island accessed via one well-understood
and managed bridge.
The network Access Control Lists (ACLs) allow all traffic to go from the JME to the individual service
forests. Service forest traffic into the JME forest is denied by default, with restricted access available to
authenticated sessions from authorized administrators.
Connections from the Internet are allowed via specific ACL entries to Internet-facing virtual IP
addresses (VIPs) on the network. Only the specific protocols and ports required for the service are open
from the Internet. Connections originated by BPOS to the Internet are restricted by either fine-grained
ACLs or a proxy server. Outbound proxy servers require user authentication before allowing outbound
connections to be established.
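The forest-trust side of the segmentation above can be verified from the management forest. This added example (not from the whitepaper and not Microsoft Online's own tooling) reports any trust that is not using selective authentication, and lists the computer objects that grant the "Allowed to authenticate" extended right, which under selective authentication is the complete set of resources a principal from the trusted forest can reach. It assumes the ActiveDirectory module and that it is run inside the forest that hosts the trusts; the search base is an assumption.

```powershell
# Added example, not Microsoft Online's own code. Assumes the ActiveDirectory module and that it
# runs inside the management forest that hosts the trusts; the search base is an assumption.
Import-Module ActiveDirectory

# Extended right that selective authentication checks on the resource computer object.
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# Every trust into this forest should be selective: without it, any principal from the trusted
# forest is treated like a local "Authenticated User" on every resource here.
function Test-SelectiveAuthenticationTrusts {
    foreach ($t in Get-ADTrust -Filter *) {
        $finding = ''
        if (-not $t.SelectiveAuthentication) { $finding = 'forest-wide authentication: tighten to selective' }
        [pscustomobject]@{
            Partner   = $t.Target
            Direction = $t.Direction
            Selective = [bool]$t.SelectiveAuthentication
            Finding   = $finding
        }
    }
}

# With selective authentication on, the only resources a trusted-forest principal can reach are the
# computers that explicitly grant it "Allowed to authenticate". This lists those grants so the set of
# reachable resources can be reviewed against what the service forest actually needs.
function Get-AllowedToAuthenticateGrants {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.ObjectType -eq $AllowedToAuthenticate) {
                [pscustomobject]@{
                    Computer  = $c.Name
                    Principal = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited   # inherited grants usually mean an OU-wide delegation
                }
            }
        }
    }
}

Test-SelectiveAuthenticationTrusts | Format-Table -AutoSize
# Review the grants: any principal outside the expected service-forest admin groups is a candidate for removal.
Get-AllowedToAuthenticateGrants | Sort-Object Computer, Principal | Format-Table -AutoSize
```

The same two checks run from a service forest show which JME principals may authenticate there, which is the other direction of the two-way trust the text describes.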
Data Storage, Retention and Ownership Rights
Microsoft does not own your data; you do. Microsoft prides itself on transparency for privacy and data
handling. Not only can Microsoft tell customers where their data is located, but it can also provide
transparency on how customer data is handled and on customer data rights through the Microsoft Online
Privacy Statement at http://www.microsoft.com/online/legal/?langid=en-us&docid=7.
Where competitors might treat enterprise data as consumer data and data mine it for their own
purposes, Microsoft understands the difference. Microsoft does not mix enterprise and consumer data,
and will never mine customer data for our own purposes.
At the end of a customer’s subscription or use of the service, the customer may always export their
data. On most services, the customer may access and remove its customer data for a minimum of ninety
(90) days after the date of termination of the service. This is described in the use rights portion of the
service agreement. Microsoft also provides multiple notices prior to deletion of customer data so that
customers have ample time to extract their data.
Regulatory Compliance Framework
Microsoft has obtained prominent certifications including ISO 27001, SAS 70, and EU Safe Harbor.
Microsoft Online engineers build compliance into Microsoft Online Services from the ground up.
Microsoft software engineers do this through the Security Development Lifecycle and the Trustworthy
Services Lifecycle (TSL). The TSL is a process designed to drive security, privacy and continuity
requirements across Microsoft Online through multiple structured risk assessments, formal processes
used to identify, determine severity and priority, and appropriately address risks associated with a
particular Microsoft Online Service.
To support customer compliance with regulations such as HIPAA, GLBA, SOX, and laws based on the
European Union Data Protection Directive (EUDPD) or United States legislation covering the protection
and reporting requirements of personally identifiable information (PII), Microsoft management has
established procedures and controls that ensure user accounts are handled in a controlled manner.
• Microsoft Online Services has obtained an ISO 27001 certification on its Information Security Management Systems (ISMS). ISO has been the foundation of the BPOS Services and its supporting infrastructure since 2009 and has been certified by the British Standards Institute (BSI). Customers are encouraged to review the ISO standard (publicly available) at http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030126472.
• For BPOS certification details please visit: http://www.bsigroup.com/en/Assessment-andcertification-services/Client-directory/CertificateClient-Directory-SearchResults/?pg=1&licencenumber=IS+552878&searchkey=licenceXeqX552878
• For FOPE certification details please visit: http://www.bsigroup.com/en/Assessment-andcertification-services/Client-directory/CertificateClient-Directory-SearchResults/?pg=1&licencenumber=IS+560057&searchkey=companyXeqXMicrosoft
• For Global Foundation Services certification details visit: http://www.bsiamerica.com/enus/Assessment-and-Certification-services/Management-systems/Certificate-and-Client-Directory-search/Search/SearchResults/?pg=1&licencenumber=IS+533913&searchkey=licenceXeqX533913XandXcompanyXeqXMicrosoft
While ISO 27001 provides assurance that Microsoft has an Information Security Management System and
is aligned to ISO 27002 control standards, the SAS 70 provides detailed information on the design (Type
I) and effectiveness (Type II only) of controls. Regular SAS 70 Type I audits are performed to validate
control design for BPOS, the application layer of the service. Microsoft data centers and the
infrastructure layer on which our services rely are also audited and certified against a
comprehensive set of controls and the implemented management system covering both SAS 70 Type II
and ISO 27001. Audits and certifications are performed by credible independent third parties at least
annually. SAS 70 is a comprehensive audit complete with operational tests. In today's market, it is a
widely accepted attestation and combined with an independent audit shows transparency to the
businesses that a service organization works with. These independent audits are shared with customers
in lieu of individual customer audits as we feel these certifications and attestations are scalable and
accurately represent how we obtain and meet our security and compliance objectives.
Cloud Security Standards
To aid both cloud customers and cloud providers, the Cloud Security Alliance (CSA) developed “Security
Guidance for Critical Areas in Cloud Computing”, initially released in April 2009, and revised in December
2009. This guidance has quickly become the industry standard catalogue of best practices to secure
Cloud Computing, consistently lauded for its comprehensive approach to the problem, across 13
domains of concern. Numerous organizations around the world are incorporating the guidance to
manage their cloud strategies. Microsoft is an active member of CSA and has contributed to this
guidance document which can be downloaded at www.cloudsecurityalliance.org/guidance.
Privacy Protection
Data privacy is just as critical as data security, which is why the concept of privacy is one of the four
pillars of the Microsoft Trustworthy Computing Initiative. Microsoft’s customers have the highest
expectations about how their data is collected, stored and used by all applications at Microsoft Online.
Microsoft commits a significant amount of resources to privacy protection. Customer data is treated
with the highest regard. As a result, privacy has been woven into the culture at Microsoft as an
automatic priority in every area of the company.
Microsoft Online’s privacy policy can be viewed at http://www.microsoft.com/online/legal/. The
requirements for privacy have been integrated into every product at Microsoft just as security has. In
this way, all products are required to go through a rigorous privacy examination before they can be
released. Because privacy requirements are integrated into the highly successful Microsoft SDL, privacy
is built into the foundation of all software and services.
To meet the requirements of particular customer markets, Microsoft’s privacy practices also address
sectors such as government sales, healthcare, and finance, each of which may have additional
requirements in certain countries.
Conclusion
When you place your company’s information in the hands of Microsoft, you can do so with confidence
that Microsoft Online Services are built to support International Standards Organization (ISO)
requirements for an Information Security Management System, ISO 27001. We use the independent
third party audits to validate the effectiveness of our framework for our customers. These efforts are
implemented to effectively manage the confidentiality, integrity and availability of the cloud data with
which we are entrusted.