This article is intended for the legal and professional audience who want details of the security and legal compliance built into Microsoft's cloud services.


Corporate, External, & Legal Affairs (CELA) group

The fact that Microsoft has an entire group dedicated to this matter demonstrates from the outset how seriously it takes security and compliance. A specialist compliance sub-team continuously tracks standards and regulations, developing common control sets for the product teams to build into the service; at present over 900 controls are in place. This control framework is continuously and independently verified against the requirements of ISO 27001, the European Union (EU) Model Clauses, the Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA), and the Federal Information Security Management Act (FISMA). Microsoft is the first major cloud service provider to be independently verified as complying with ISO 27018. View the top 10 compliance achievements here...



The UK Crown Commercial Service has renewed the classification of Microsoft's in-scope cloud services under Government Cloud (G-Cloud) v6, covering all four of its offerings at the OFFICIAL level. Dropbox, iCloud, Amazon and other cloud providers have not attained this accreditation. Only Microsoft currently provides this level of compliance for customer data. Read more...

Once you are using one of the Microsoft cloud services, such as Office 365, you can view all of the independently audited reports as they become available here: https://servicetrust.microsoft.com/Documents/ComplianceReports

Download and read the official UK Government report for Office 365 at the end of this article.


Geo Location of your Data

As reported by the BBC [here], Microsoft is the first provider to combine reliability and performance with data residency in the UK. This gives customers trusted cloud services that help them meet local compliance and policy requirements. Because the data is held on-shore, all of it is protected by UK law. Data is currently replicated between the Microsoft datacentres in Cardiff and London, providing redundancy in the event of a major incident. View map...

Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance, and two-factor authentication. The datacentres are monitored using motion sensors, video surveillance, and security breach alarms. Would your office computer ever be able to match this level of security?


Behind the scenes - working for you

The systems working behind the scenes, 24/7, do not only protect your data: they proactively monitor for suspicious patterns, providing multiple layers of security. Here are some of the security features employed under the Operational Security Assurance (OSA) framework (download the Security whitepaper at the end of this article):

  • Data Encryption Technologies
  • Advanced Threat Protection
  • Multi-factor authentication
    • Text code to my mobile phone | Call my office phone
  • Single Sign-on
    • Remote wipe of stolen/lost computers/phones/tablets
  • Role-based access control (RBAC)
  • Rights Management in Office 365
  • Privacy controls for sites, libraries and folders
  • Privacy controls for communications
    • Skype for Business | Exchange Email
  • Data loss prevention (DLP) technology
  • Auditing and Retention Policies
    • Files | Email



Learn how Microsoft stays ahead of the game in this insider interview: