Starting in 2016 Microsoft will offer their cloud services Microsoft Azure, Office 365 and Dynamics CRM Online from within German datacenters – in addition to the more than 100 worldwide datacenters. That alone wouldn’t be really surprising or innovative, but the unique thing about this is that the keys (physical and logical) that control access to customer data in this cloud are held by a German company, Deutsche Telekom’s subsidiary, T-Systems, which will act as a Data Trustee. So Microsoft will have no access to customer data without approval and supervision by the Data Trustee. How this works? Well, let’s have a closer look at this…
All access rights are handled by a role based access model, better known as RBAC. Those roles are based on functions (Reader, Owner etc.) and/or on realms (server, mailboxes, resource groups etc.). Let’s say you have defined a resource group in Azure and filled with 2 VMs, some storage, a network and an external IP, you can assign a user the administrator role for that particular resource group. These rights will only affect the resources inside the group, not your whole subscription or other resource groups, servers or even mailboxes.
Microsoft has – in this new model – no rights at all to access customer data. Only for special purpose like a support call from a customer a temporary access will be granted by the Data Trustee to the Microsoft engineer, and only for the specified area. After that time (using a technology similar to what you might know as JIT) all access is revoked automatically. So to repeat: Access is granted to the Microsoft engineer only by the Data Trustee. Microsoft has no way to grant that access to itself. And of course there is a logging of this process to an area where Microsoft has no access, too. In addition the Data Trustee is escorting the session and watching the engineer at work.
That RBAC is also in place for physical access to the datacenters. The Data Trustee has to approve the visit and will escort Microsoft or any of its subcontractors at any time during the visit.
For all those cases where Microsoft could come in contact with customer data, it needs a reason related to operation of the services (incident, support case etc.), a well-defined area of access, and a well-defined time period, and only then the trustee will grant access.
So to wrap it up in two simple questions:
- Does Microsoft have access to customer data? Yes, but only with a valid reason like incident, support call etc., only to specified areas and only for a limited timeframe. And it’s the German Data Trustee that makes the decision.
- Can Microsoft access customer data without approval by the German Data Trustee or the customer? No!
So much for that. Now to the more technical questions you might have, for example: Where is customer data stored? Well, this is a simple question, and the answer is: Only in the German datacenters. Data exchange between those two datacenters (or better start talking of regions instead of datacenters, so Germany Central and Germany Northeast) is handled by a dedicated network line leased from a German provider, just to make sure that no data is accidently routed outside of Germany. There is no additional replication or backup to other datacenters (ah, sorry, I mean regions), even the AAD is only replicated between those two German datacenters. Only a small kind of index table is replicated through all regions to make sure that the German regions are not a standalone solution but still part of the global Microsoft Azure cloud platform. This index table is there for Azure to find the region your subscription lives (based on the domain part of your login), and to redirect your browser etc. to the corresponding datacenter. No user data, no passwords, not even hashes or hashhashes. For example: A login with “firstname.lastname@example.org” finds “contoso.de” in the index and the region “Germany Central”, and will redirect the browser (even before the user enters the password) to a German datacenter in that region. Only there can the user data inside AAD be accessed, and of course this portal is already inside the German cloud and therefore under the custody of the German Data Trustee. By the way, this scenario makes it clear why a domain like contoso.de can currently only exist inside the Microsoft Cloud in Germany or outside, but not in both at the same time.
Certificates? Well, that would be a way to grant access, but we even thought about that. To explain: all communication inside Azure cloud infrastructure is encrypted with SSL/TLS based on certificates. So who can prevent Microsoft from simply creating a certificate and access data? Well, here we go: For all SSL certificates issued in the Microsoft Cloud in Germany the Certification Authority (CA) was handed over to an external Certification Authority. That means: Whenever Microsoft requests a new SSL certificate, let’s say for a new service, the external CA has to approve it.
Sounds good? Right. Sounds really good!