Microsoft: 'We don't provide governments with direct, unfettered access to your data'

Orlando -- Microsoft today pushed back once again against the idea that it's giving the National Security Agency (NSA) carte blanche access to its cloud-based services, an allegation that's cropped up in media reports since the revelations from former NSA contractor Edward Snowden began last June.

"We don't provide governments with direct, unfettered access to your data," said Adrienne Hall, general manager for trustworthy computing at Microsoft, the division that reviews and oversees security across Microsoft products and services. Speaking in a keynote address at the Cloud Security Alliance Congress, Hall sought to refute the notion that Microsoft does anything other than what it must under U.S. law when it gets a specific legal request related to customer data.

Hall noted that Microsoft is even suing the federal government to be able to publicly discuss just the number of requests it gets from the NSA, which today it's not allowed to do under law. Several news stories in the past few months based on the Snowden leaks have suggested that Microsoft operates hand-in-glove with the NSA, such as helping the NSA circumvent Microsoft's own encryption to hand over massive amounts of information.

The amount of data often mentioned in these news articles is "highly exaggerated," said Hall. "We don't assist government with efforts to break encryption keys. We don't engineer backdoors into our products. ... If there's a bigger surveillance program, we're not involved."

Background: U.S. high-tech industry feeling the heat from Edward Snowden leaks

"We have concerns as do our customers," Hall acknowledged, noting that Microsoft counts about 100 cloud-based services in 90 countries, ranging from Windows Azure, Office 365, Skype, MSN, Exchange Hosted Services and

There's no escaping the fact that the Snowden revelations about how the NSA collects massive amounts of data on the Internet, ostensibly aiming for non-U.S. citizens and systems in other countries in order to ferret out information about terrorism or spy-vs-spy intelligence, have had a bombshell effect, said Jon-Michael Brook, principal in security and privacy at consultancy CIPP Guide.

Speaking during a session at the CSA Congress, Brook said the Snowden revelations are having an impact, especially in places such as Europe, where U.S.-based cloud service providers face suspicions from customers asking whether the U.S. government, via the NSA, can see the data they consign to U.S. cloud providers.

The allegations about the NSA working to subvert crypto or trying to build backdoors are "astonishing," he said.

But Brook said the European Union itself is embarked on what he labelled a "protectionist" effort that would shut out non-European cloud service providers -- especially U.S.-based ones who dominate today -- through a new data-privacy law now being formulated. He said there's expectation that the EU will vote for a single law in the spring that would boost the role of cloud infrastructures in the EU region in order to boost Europe's economy. He said the relatively small number of cloud-service providers there, including Swisscom and Deutsche Telekom, are "fledgling" competitors in comparison to U.S.-based companies.

Brook also asserted that the way that data in many European countries, including the U.K., France, Germany and Spain, is collected for government-operated surveillance purposes and wiretaps is actually often less strict than in the U.S.

He said the European Union falls short of even the U.S. requirements in many respects, where in Germany, Deutsche Telekom can even be expected to report its own findings about customers to the German government. Brook said he finds much of the European stance on data privacy to be little more than a "marketing ploy."

But Brook did offer advice on securing data in the cloud, suggesting that enterprise customers using cloud services make use of specialized hardware security modules (HSM) for data encryption that allow the customer -- and only the customer -- to know and retain the encryption key.

The theme of hardware-based encryption for cloud services was taken up by Teresa Carlson, vice president, worldwide public sector at Amazon Web Services, in her own keynote at the Cloud Security Alliance Congress today.

In touting some of the more recent AWS security advances, Carlson spoke about how hardware security modules for encryption are available as a service called "Cloud HSM" for encrypting customer data. Mark Ryland, chief solutions architect at AWS, explained further that Cloud HSM, which has a monthly service charge, works based on the SafeNet Luna devices, where the customer is the "administrator of the cryptography appliance." AWS itself cannot access the core cryptographic service on the device and only the customer retains the private key. "On HSM, we don't see anything," added Carlson.

Microsoft also recently announced its "Bring Your Own Key" initiative for Azure Rights Management Service that makes use of the Thales hardware security module for encryption. Brook said he expects other cloud providers to integrate HSM into service offerings in the future as well.

Still, cloud providers continue to face a barrage of questions about how transparent they are about what they do. After the AWS keynote, a member of the audience, saying he was an auditor with a bank, wanted Carlson and Ryland to explain why AWS isn't more open about how they share information about physical security at AWS. Carlson and Ryland indicated that the information is so sensitive, AWS is reluctant to simply make it public since attackers might exploit it, but it is shared when sales negotiations with customers are underway.

Ellen Messmer is senior editor at Network World, where she covers news and technology trends related to information security. Twitter: MessmerE.
