Microsoft is quickly growing its public cloud business to be one of the top two or three largest worldwide, battling it out with Amazon Web Services and Google. As more companies look to take advantage of cloud storage, it’s important that it is secure. Unsurprisingly, many questions have been raised about secure cloud storage.  

In a recent blog post attributed to Microsoft’s Cyber Trust Blog Staff, it published a list of its six trusted cloud principles. The principles are outlined below, along with important points you need to consider when evaluating vendors for secure cloud storage.   

1. You own your data, not Microsoft. When you use a Microsoft cloud service, you keep the ability to take your data with you when you terminate an agreement. When a subscription expires or you terminate your contract, Microsoft follows a 90-day retention policy and strict standards for overwriting storage before reuse. 

What does this mean for your cybersecurity strategy? It’s very important for you to know that if you decide to leave Microsoft, after 90 days your data is essentially irretrievable. If you are a regulated business, you know you need to keep data for much longer than that. Keep that in mind as you craft a holistic strategy for how your data will be stored – you may decide to only keep non-essential data in the cloud and your most sensitive data on-premises. It all depends on your specific business needs.   

2. Your data is not used for marketing. Microsoft’s enterprise business model is not based on exploiting customer data. Consequently, it does not use your data for purposes unrelated to providing the cloud service (such as advertising).  

What does this mean for your cybersecurity strategy? Some cloud providers are known for using customer data for marketing and trying to sell you additional services. What’s more important to consider is how these public cloud storage providers are mining your data for intelligence on your company’s customers. For example, Delve in Microsoft Office 365 is an excellent example of a big data / business intelligence platform that can be used to map your accounts. Make sure you know exactly how your provider will use your information.  

3. Microsoft doesn’t use standing access. Microsoft states that it engineered its cloud services so the majority of operations are fully automated. Only a small set of activities require human involvement: Access to your data by Microsoft personnel is granted only when necessary for support or operations – that access is revoked when it is no longer needed to complete those tasks.  

What does this mean for your cybersecurity strategy? When you decide to put any data in a cloud operated by a company other than your own, you are opening yourself up to the chance for individuals to access your data. Whether intentionally or by mistake, it could lead to a data breach. While the instances of this have been small from the larger cloud storage providers, you can never rule out the possibility of it happening to you. You must know exactly what types of activities will require human involvement, and the type of personnel that will be used (as well as their qualifications) when handling your sensitive data. On the flip side, the more these services are automated, the greater the potential that your data will be accessed and you won’t even know it – no logging, no audit trail, no notice. It’ll be as though it never happened, and it will be virtually impossible for you to prove anything legally as a result. Tread with caution.  

4. You can choose your datacenter location. Depending on the particular Microsoft cloud services you leverage, you may have flexibility in choosing where your data physically resides. Your data can only be replicated for redundancy within the geographic area.  

What does this mean for your cybersecurity strategy? Many organizations are now global in nature. There are many laws governing the transfer of data between states / nations, as well as the storage of that data. Make sure you are aware of the local data sovereignty laws that apply specifically to your business before deciding to store any data outside your company’s four walls. While many providers will allow you to choose where your production environment lives, you may not have as much control (or knowledge) as to where your data backups live. Think what could happen if a breach happens in a country where your biggest competitor is based – the results could be disastrous. Make sure you ask where your production environment and backup data will reside.  

5. Microsoft protects data from government surveillance. Over several years, Microsoft expanded encryption across all its services and reinforced legal protections for customer data. Microsoft claims it does not build “back doors” into its products and services, nor does it provide any government with direct or unfettered access to customer data.  

What does this mean for your cybersecurity strategy? The fight over what the federal government should have access to continues evolving by the day, as evidenced by the recent legal battles between the FBI and Apple. What we do know is that the Federal government can (and will) regularly take data from Apple iCloud because the encryption keys sit in the same cloud where your data is stored. Essentially, if you backup your phone to iCloud, the Federal government doesn’t need Apple’s intervention at all. The government gets what it wants and cloud providers can plausibly say they didn’t hand over the data. It’s important to know what your cloud provider’s policy is on providing information to government entities, but if you don’t encrypt your data before sending it to a public cloud, it won’t matter.   

6. Law enforcement requests must go through you. Microsoft will not disclose your data to a third party except as you direct or as required by law. Microsoft will attempt to redirect third parties to request customer data directly from the data owner.  

What does this mean for your cybersecurity strategy? Our advice here is the same as for the fifth principle – “required by law” can be interpreted many different ways. If you want to fully protect yourself against semantics and interpretations, you must encrypt your data before you send it to the cloud.  


Microsoft understands the concerns around secure cloud storage – publicly stating these principles is an attempt to assuage these common fears. How strictly Microsoft can adhere to these principles depends on legislation, court orders, and executive orders in thousands of jurisdictions. 

Don’t trust just anyone with your secure cloud storage. US Cyber Vault protects your assets with hardened security implemented at every layer, from hardware to application. Military-grade encryption is applied to all your data and communications by default and the speed of our threat detection is unparalleled: less than 24 hours, not the industry standard of 7 months. If an unplanned event should occur, countermeasures trap the attacker and mitigate damage while our intelligence team responds immediately.   

Sign up for a free trial of our secure cloud today so you can see the difference first-hand.   


Written by Rob LaMear, CEO, US Cyber Vault

Once a month we share where we will be speaking in the world as well as expert opinions on cyber security, data loss prevention, and information security that we like from the larger community.  Receive our next issue by signing up here.