ContentsIntroduction........................................................................................................................................1Privacy at Microsoft.............................................................................................................................2The Microsoft Dynamics CRM Online Privacy Opportunity ......................................................................2Responsibility .................................................................................................................................3Transparency..................................................................................................................................7Choice............................................................................................................................................8Conclusion..........................................................................................................................................9
1Privacy in the Public Cloud: Microsoft Dynamics CRM Online1IntroductionSince our 2010 whitepaper “Privacy in the Cloud,” awareness and adoption of cloud computing have continuedto increase. Global enterprises and entrepreneurs alike are turning to the cloud to accelerate innovation, launchnew businesses, and cut costs. Government agencies, public service providers, and educational institutions aremigrating to the cloud to better serve constituents and reduce IT spending, particularly in response toshrinking budgets.But not all the news has been positive. Hacking attacks, theft, and misuse of data managed by online serviceproviders have raised questions about the privacy and security of cloud computing.For some large enterprises with highly sensitive data, such incidents have increased the appeal of private cloudsolutions. Indeed, a one-size-fits-all approach may not be appropriate for governments or large organizationswith many different classes of data, and private or hybrid cloud solutions that allow customers to keep selecteddata on premises can make good sense for those with specialized data protection requirements. Microsoftoffers a full menu of private cloud solutions, and we recently published a whitepaper titled “Microsoft PrivateCloud: A Comparative Look at Functionality, Benefits, and Economics.”But private clouds dedicate significant computing resources to just one or a handful of customers, so they canbe cost-prohibitive for many businesses and public-sector agencies that are anxious to reap the benefits ofcloud computing.Consequently, we expect public cloud services—which use advanced, multi-tenant data centers1to providehighly scalable and affordable computing services to thousands of customers simultaneously—to be the mostpopular cloud computing model for theforeseeable future.2Still, the growth of public cloud services isnot inevitable. Microsoft understands thatunless we are responsive to customers’ andregulators’ questions about data protectionin public clouds, we will not earn the trustthat is necessary for our cloud services tosatisfy our customers’ needs.This is why data protection figuresprominently in Microsoft Dynamics CRMOnline, Microsoft’s cloud-based customerrelationship management service.1“Microsoft Expands Cloud Computing Capabilities & Services in Europe.” Microsoft press release, Sept. 2009.2“The Economics of the Cloud.” Microsoft whitepaper, Nov. 2010.
2Privacy in the Public Cloud: Microsoft Dynamics CRM Online2Reflecting Microsoft’s approach to privacy by design, Microsoft Dynamics CRM Online was built from the groundup with strong data protection in mind.In the following pages, we will discuss Microsoft’s philosophical and practical approach to safeguardinginformation in the cloud, as well as several of the tangible benefits that have resulted for Microsoft DynamicsCRM Online customers.Privacy at MicrosoftAs part of our long-term commitment to Trustworthy Computing, Microsoft strives to earn and strengthen trustby building robust privacy and data protections into our products and services. We work to responsibly manageand protect the data we store, be transparent about our privacy practices, and offer meaningful privacychoices. These three tenets—responsibility, transparency, and choice—are the foundation of Microsoft’sapproach to privacy.Our privacy principles and our internal privacy standards guide the collection and use of customer and partnerinformation at Microsoft and give our employees a clear framework to help ensure that we manage dataresponsibly.To put our principles and standards into practice, we have invested heavily to build a comprehensive privacygovernance program. Microsoft employs more than 40 full-time privacy professionals, with several hundredother employees helping to ensure that privacy policies, procedures, and technologies are applied across ourproducts and services.When it comes to cloud computing, Microsoft has been addressing privacy issues associated with onlineservices since the launch of the MSN network in 1994. Today we manage a cloud-based infrastructure thatsupports more than 200 online services and websites that attract more than 600 million unique usersworldwide each month.We recognize that cloud services often raise unique security and privacy questions for business, education, andgovernment customers, so we have adapted our policies and governance programs to address customerconcerns, facilitate regulatory compliance, and build greater trust in cloud computing.For example, we contractually commit to specific data handling processes as part of our agreements forpopular cloud services such as Microsoft Dynamics CRM Online, Microsoft Exchange Online, SharePoint Online,and Lync Online. We also provide customers with flexible management tools that help protect sensitive dataand support compliance with government privacy and security guidelines.Such transparent policies and strong tools are essential for our customers as they deal with the privacy andsecurity questions that arise from their use of cloud services.The Microsoft Dynamics CRM Online Privacy OpportunityMicrosoft helped usher in the era of enterprise cloud computing in 2008 when Bill Gates announced that thecompany would offer online versions of its popular Exchange Server and SharePoint Server software for
3Privacy in the Public Cloud: Microsoft Dynamics CRM Online3businesses. Since then, the company has not only expanded its software-as-a-service offerings but hasoptimized those offerings to take full advantage of the flexibility, responsiveness, and efficiency of the cloudand of Microsoft’s global network of technologically advanced data centers. Among the major releases in 2011were online versions of Microsoft Office and Microsoft Dynamics CRM, an easy-to-use relationship managementapplication that delivers access to customer information throughthe familiar Microsoft Outlook experience.Microsoft Dynamics CRM Online was built with an emphasis onstrong data protection. Reflecting Microsoft’s approach to privacyby design, a team of privacy professionals was dedicated to theservice early in the development cycle and worked in closepartnership with engineers, business planners, and marketers.Consequently, privacy has been an integral part of MicrosoftDynamics CRM Online from the beginning, not an afterthought.In addition, employees distributed throughout the organizationare accountable for managing the service’s privacy and securityrisks.The result is an enterprise cloud service with robust dataprotections that reflect Microsoft’s core privacy tenets ofresponsibility, transparency, and choice.ResponsibilityWe understand that managing customer information is a responsibility that includes important security andprivacy obligations. This is particularly true for cloud-based services such as Microsoft Dynamics CRM Online.We have a broad network of people and processes that implement our privacy standards and provide privacyguidance and training. If a privacy incident occurs, we have rigorous procedures to address the problem,diagnose the cause, and update customers in a timely manner.A few highlights of our approach to privacy governance in Microsoft Dynamics CRM Online are outlined below.Standing the Test of TimeCriteria for determining appropriate levels of privacy and security in the cloud are changing rapidly. Whatmatters most today may be a low priority tomorrow. As a result, when evaluating a cloud provider,organizations would be wise to consider the depth and breadth of the provider’s governance model and itsability to quickly adapt to changing privacy priorities.With Microsoft Dynamics CRM Online, we have employed a variety of risk management mechanisms toappropriately manage regulatory change, organizational change, personnel change, and technological change.Before the service was launched to the public, subject-matter experts conducted privacy, security, andbusiness continuity risk assessments on each part of the service and worked to remediate any identified risks.Since the launch of the service, we have used a process of continuous monitoring that we call the TrustworthyServices Lifecycle to ensure that our data protection systems are functioning properly. We test requiredMicrosoft Dynamics CRM is aflexible business application thathelps organizations maximizemarketing dollars, amplify sales,and more effectively managecustomer relationships. With thecloud-based version, MicrosoftDynamics CRM Online,organizations get the samepowerful software delivered as acloud service, as well as anywhereaccess, predictable pay-as-you-gopricing, and a financially backedservice-level agreement (SLA).
4Privacy in the Public Cloud: Microsoft Dynamics CRM Online4functionality annually, semi-annually, quarterly, monthly, or at the time of each new release, depending on thelevel of risk associated with the particular privacy or security control.We conduct regular risk assessments to refresh the control framework and, if necessary, to reset priorities ifnew aspects of the service emerge as high risk.This multi-layered and continuous approach to monitoring the Microsoft Dynamics CRM Online data protectionenvironment helps us quickly diagnose and remedy problems that occur and helps our customers respondquickly to shifting regulatory or industry requirements.Enabling Regulatory ComplianceJust as Microsoft has a responsibility to process our enterprise customers’ information in a trustworthy manner,many of our customers have a responsibility to comply with national, regional, and industry-specificrequirements governing the collection and use of individuals’ data.As a provider of global cloud services, we must run our services with common operational practices andfeatures that span multiple customers and jurisdictions. To fulfill our privacy responsibility to our customers aswell as help our diverse customer base fulfill its regulatory obligations, we set the bar high and then build ourservices to meet that bar using common privacy and security controls.While it is ultimately up to our customers to determine whether our services satisfy their specific regulatoryneeds, we are committed to providing detailed information about our cloud services to help them in theirassessments.One tool we have developed to facilitatecustomers’ assessments of Microsoft DynamicsCRM Online is the Trust Center, an onlinerepository of detailed information about theservice’s approach to privacy and security. Forexample, the Regulatory Compliance page of theTrust Center explains how Microsoft DynamicsCRM Online and our other cloud services helpfacilitate compliance with a range of majorstatutes, from European Union data protectionlaws to the U.S. Gramm-Leach-Bliley Act, whichincludes provisions on the protection ofconsumers’ financial information.On the Security, Audits, and Certifications page of the Trust Center, customers can locate information aboutthe certifications held by both Microsoft Dynamics CRM Online and the Microsoft data centers that host theservice. By making this information readily available, we empower customers to validate that what we sayabout our security and privacy practices has been affirmed by an accredited third party.One compliance framework in particular—the highly regarded ISO/IEC 27001 standard for information securitymanagement systems—forms the foundation of our security and privacy approach with Microsoft Dynamics
5Privacy in the Public Cloud: Microsoft Dynamics CRM Online5CRM Online and its supporting infrastructure. ISO/IEC 27001 is one of the most widely recognized certificationsfor a cloud service, and thus one of themost valued by our customers.In addition to having our independentauditor, the British Standards Institute(BSI), verify the compliance of MicrosoftDynamics CRM Online with ISO/IEC 27001,we have asked BSI to review additionalprivacy controls that we built into theservice to better align it with comprehensiveEuropean data protection regulations. Wehave taken this unique approach to help ourEuropean customers understand theprotections we have put in place to helpthem satisfy the specific expectations ofboth European citizens and Europeanregulators.The full results of BSI’s findings areincluded in its ISO/IEC 27001 audit reporton Microsoft Dynamics CRM Online, asummary of which is available to customers upon request.Support for EU Model ClausesIn another effort to accommodate the data protection demands of European entities, starting in April 2012Microsoft Dynamics CRM Online will offer customers who have European users and who manage their onlineservices through the Microsoft Online Services Portal the opportunity to sign data processing agreements withthe standard contractual clauses published by the European Commission.European law prohibits companies from transferring personal data from the EU except under specificconditions. One way to transfer such data is to procure cloud services from companies that abide by theU.S.-EU Safe Harbor Framework. However, EU companies may want the more stringent protections of adetailed data processing agreement and the standard contractual clauses published by the EuropeanCommission, which are known as the EU Model Clauses. Our willingness to sign these agreements means thatMicrosoft contractually guarantees that Microsoft Dynamics CRM Online will follow the stringent privacy andsecurity standards detailed in the EU Model Clauses.Using Customer Data Only for the Customers’ PurposesResponsible cloud providers must have strong internal policies in place that clearly delineate what the providerand its partners can and cannot do with customer information.At Microsoft, we understand that your data is your business. As part of providing a quality cloud service, wewill troubleshoot to prevent, identify, or repair problems with Microsoft Dynamics CRM Online and to improve
6Privacy in the Public Cloud: Microsoft Dynamics CRM Online6features in the application that help protect our customers. But we do not build advertising products out of ourcustomers’ data. We also don’t scan the content of our customers’ documents or files for the purpose ofbuilding analytics, mining data, or advertising without our customers’ permission. In addition, MicrosoftDynamics CRM Online allows customers to keep their data separate from other customers’ data.Controlling Access to Customer DataMicrosoft applies strict controls over who is granted access to information stored in a customer’s MicrosoftDynamics CRM Online database. Microsoft and vendor support personnel are required to have a legitimatebusiness justification to request access to Microsoft Dynamics CRM Online data, and the request must beapproved by the person’s manager. Access levels are also reviewed periodically to ensure that only Microsoftemployees or support personnel with an appropriate business justification have access to the systems.Further, all Microsoft Dynamics CRM Online support personnel are accountable for their handling of customerdata. Accountability is enforced through a set of system controls, including the use of unique user names, dataaccess controls, and auditing. Unlike generic user names such as “Guest” or “Administrator,” unique namesconnect the use of customer data to specific individuals.For a detailed breakdown of how we handle specific classes of data stored and generated by users of MicrosoftDynamics CRM Online, see the Data Use Limits page of the Microsoft Dynamics CRM Online Trust Center.Securing Customer InformationAccording to a popular maxim in IT circles, “You can have security without privacy, but you can’t have privacywithout security.” This statement certainly applies to public cloud computing, where customers rely on onlineservice providers such as Microsoft not only to securely store their data but also to keep it safe from loss, theft,or misuse by third parties, other customers, or even the provider’s employees.We understand that robust physical and logical security is a prerequisite for any successful privacy program,and we protect Microsoft Dynamics CRM Online using a comprehensive security regimen that is monitored 24/7and updated regularly.Microsoft Dynamics CRM Online provides features such as customizable security roles, business data auditing,field-level security, and role-based forms that allow customers to ensure the appropriate level of security fortheir implementation. The security features and services associated with Microsoft Dynamics CRM Online arebuilt in, reducing customers’ time and cost associated with securing their systems. At the same time, MicrosoftDynamics CRM Online enables customers to easily control permissions, policies, and features through onlineadministration and management consoles.Microsoft Dynamics CRM Online is a multi-tenant, public cloud service. That means one customer’s data maybe stored on the same hardware as several other customers’ data. This is one reason Microsoft Dynamics CRMOnline can provide the cost and scalability benefits it does. Microsoft goes to great lengths to ensure that themulti-tenant architecture of Microsoft Dynamics CRM Online supports enterprise privacy and securityrequirements, and we logically segregate data storage and processing for different customers throughspecialized technology engineered specifically for that purpose.
7Privacy in the Public Cloud: Microsoft Dynamics CRM Online7Our data centers are designed, built, and managed using a “defense-in-depth” strategy at both the physicaland logical layers, and our services are engineered to be secure using Microsoft’s Security DevelopmentLifecycle.All Microsoft Dynamics CRM Online data centers have biometric access controls, and most require palm printsto gain entry. In addition, physical access to most data centers is controlled by two-tier authentication thatincludes both proxy card access readers and hand geometry biometric readers.For more on security in Microsoft Dynamics CRM Online and the Microsoft data centers that host the service,please see the Microsoft Dynamics CRM Online Security and Service Continuity Guide and our GlobalFoundation Services website.TransparencyAlthough many organizations cite privacy and security concerns as major obstacles to their adoption of cloudservices, information about the privacy and security practices of many cloud providers is either difficult to findor indecipherable to all but the most astute IT professionals.To help our customers find answers to their privacy and security questions about Microsoft Dynamics CRMOnline, we strive to be as transparent as possible about our data protection policies and procedures. TheMicrosoft Dynamics CRM Online Trust Center explains, in plain language, exactly how we handle and use datagathered in customers’ interactions with Microsoft Dynamics CRM Online. Customers can find details about ourcommitments in key privacy areas, including data use limits; administrative access; geographic boundaries;third parties; security, audits, and certifications; and regulatory compliance.Just as Microsoft Dynamics CRM Online will be a continuously evolving and improving service, the Trust Centerwill be a living resource that customers can use to stay abreast of the most current and accurate informationavailable about privacy and security practices in Microsoft Dynamics CRM Online.Geographic BoundariesOne of the most common questions asked of cloud providers is also one of the simplest: “Where is my data?”We provide a thorough summary of our data location strategy for Microsoft Dynamics CRM Online on theGeographic Boundaries page of the Trust Center.This page describes where we store and access customer data in the course of providing the MicrosoftDynamics CRM Online service. Microsoft has a regionalized data center strategy. The specific details of wheredata is located or accessed from depend on the customer’s ship-to address, which the customer provides whenpurchasing the service. The three regions are the Americas, Asia, and Europe.The Geographic Boundaries page also outlines the steps we take to ensure that information is not lost if thepower fails in one data center. All such data is backed up in one or more data centers in the same region.Third PartiesAnother frequent topic of concern is third-party access to cloud data. Many customers worry that beyond thecloud service provider they purchase services from directly, an unseen web of subcontractors, vendors, andother third parties may be improperly accessing, reviewing, and using their information.
8Privacy in the Public Cloud: Microsoft Dynamics CRM Online8Microsoft readily acknowledges that it relies on partners and subcontractors to ensure that Microsoft DynamicsCRM Online performs optimally for all of our customers, no matter where they are located. We think ourcustomers should be able to know not only what kinds of privacy and security minimums we expect of suchthird parties but also who the third parties are.We publish such information on the Third Parties page of the Microsoft Dynamics CRM Online Trust Center.This page links to a current list of subcontractors and provides information about how we work to help ensurethat subcontractors comply with Microsoft’s privacy requirements. Subcontractors that work in facilities or onequipment controlled by Microsoft must follow our privacy standards, and all other subcontractors must followprivacy standards equivalent to our own.Comparing Cloud Provider Controls and PoliciesTo help potential customers evaluate different cloud service providers, the not-for-profit Cloud Security Alliance(CSA) has developed a set of security and privacy criteria called the Cloud Controls Matrix that customers canuse to compare different providers’ data protection controls and policies across 13 domains.To help enable such comparisons with Microsoft Dynamics CRM Online, Microsoft developed a whitepaper thatdetails how Microsoft Dynamics CRM Online fulfills the security, privacy, compliance, and risk managementrequirements defined in the Cloud Controls Matrix.The paper is available in the Microsoft Dynamics CRM Online Trust Center and can also be downloaded fromthe CSA’s searchable Security, Trust & Assurance Registry, which allows potential cloud customers to quicklyaccess information about a variety of cloud providers.ChoiceWe believe that customers want clear opportunities to choose whether their information will be collected,shared, or made public. This includes the flexibility to limit or eliminate information sharing or to set differentlevels of access.For business, government, and education customers, choice means having tools to maintain and control accessto the information stored in their cloud accounts. Microsoft has developed a number of tools for administratorswithin customer organizations to control access to Microsoft Dynamics CRM Online.Administrative AccessIn formulating our strategy for administrative access to data managed by Microsoft Dynamics CRM Online, wekept two priorities in mind: We always give customers access to their own data. Access to customer data is strictly limited, and sample audits are performed by both Microsoft andthird parties to verify that access is only for appropriate business purposes.With Microsoft Dynamics CRM Online, customers have complete control over their data, business processes,security policies, and user accounts. Administrators can enforce their organization’s privacy and securitypolicies and manage users by using a web-based management console.
9Privacy in the Public Cloud: Microsoft Dynamics CRM Online9Identity ManagementMicrosoft Dynamics CRM Online provides customers who manage their online services through the MicrosoftOnline Services Portal two options for user identification: user IDs and federated IDs. In the first case,administrators create user IDs for each of their organization’s individual users. Users sign in to all of theirMicrosoft online services using a single login and password.Alternatively, customers can choose federated identification, which uses on-premises Active DirectoryFederation Services (a service of Microsoft Windows Server 2008) to authenticate users on Microsoft DynamicsCRM Online using their existing corporate ID and password. In this scenario, identities are administered onlyon premises. This enables organizations to use two-factor authentication (such as smart cards or biometrics inaddition to passwords) for maximum security.Microsoft PartnersLastly, Microsoft provides customers and their administrators with a number of ways to initiate, maintain, orterminate relationships with Microsoft partners who are part of the Microsoft Dynamics CRM Online ecosystem.We recognize that one compelling aspect of Microsoft Dynamics CRM Online is the number of partners who canprovide additional services that our customers may want. For instance, some customers may hire a Microsoftsupport partner to administer their Microsoft Dynamics CRM Online service for them. To assist in maintainingsecurity and privacy while taking advantage of our network of partners, we provide tools that enable MicrosoftDynamics CRM Online customers to monitor and quickly disable partners’ access to their information at anytime, without having to disable the underlying Microsoft Dynamics CRM Online account.ConclusionMany public and private organizations around the world are already enjoying the efficiency, flexibility, and costsavings that cloud computing can provide. But others are waiting to move to the cloud until they have greatertrust that their information will remain private and secure. Because Microsoft recognizes that privacy andsecurity are major concerns for cloud customers, we developed the Microsoft Dynamics CRM Online servicefrom the ground up with strong data protection in mind. Additional information about Microsoft Dynamics CRMOnline can be found at http://crm.dynamics.com, and additional information about Microsoft’s approach toprivacy is available at www.microsoft.com/privacy.Additional Information“Privacy in the Cloud,” Microsoft whitepaper“The Economics of the Cloud,” Microsoft whitepaperMicrosoft Dynamics CRM Online Security and Service Continuity GuideMicrosoft Dynamics CRM Online Trust Center websiteMicrosoft Global Foundation Services websiteWhitepaper on security and privacy in Microsoft Dynamics CRM Online