In mid-November, Microsoft announced a plan which company officials said would offer customers in Germany an extra layer of cloud protection. This week, a new Microsoft blog post provided some more specifics on that plan.
Microsoft officials previously said that they will be operating in the second half of 2016 two new German datacenters, located in Magdeburg and Frankfurt. These datacenters, which will offer users Azure, Office 365 and Dynamics CRM Online, will offer users the option to have their data-access controlled by a trusted third party, not Microsoft. Officials said that access to customer data stored in these new datacenters would be under the control of T-Systems, a Deutsche Telekom subsidiary, that would act as a data trustee.
A December 8 blog post by Ralf Wigand, a Senior Program Manager for Global Ecosystem with Microsoft Germany put a bit more meat on the bare bones outlined in November.
All access rights to data stored in the coming Microsoft German datacenters will be handled by a role based access model (RBAC), Wigand explained. These roles are based on functions, such as "Reader," "Owner," etc., and/or on realms, such as server, mailboxes, resources groups, etc. Users will be able to assign a user the administrator role for a particular resource group, and the rights will only affect resources inside the group, not a whole subscription or other resources.
"Microsoft has - in this new model - no rights at all to access customer data. Only for special purpose like a support call from a customer a temporary access will be granted by the Data Trustee to the Microsoft engineer, and only for the specified area. After that time (using a technology similar to what you might know as JIT) all access is revoked automatically. So to repeat: Access is granted to the Microsoft engineer only by the Data Trustee. Microsoft has no way to grant that access to itself. And of course there is a logging of this process to an area where Microsoft has no access, too. In addition the Data Trustee is escorting the session and watching the engineer at work."
For any cases where Microsoft could potentially come in contact with customer data, there needs to be a reason related to the operation of the services, a well-defined area of access and a well-defined time period before the trustee will grant access, he said. So while Microsoft can have access to customer data in particular cases, it's the German Data Trustee that will make the decision as to whether access is granted. Microsoft can't access customer data stored in those datacenters without the German Data Trustee or customer's approval.
Data will be stored only in the German datacenters (Germany Central and Germany Northeast). Communication between those two centers is handled by a dedicated network line leased from a German provider in an attempt to ensure no data is accidentally routed outside of Germany. There's no additional replication or backup to other regions outside Germany, Wigand said.
"Only a small kind of index table is replicated through all regions to make sure that the German regions are not a standalone solution but still part of the global Microsoft Azure cloud platform," Wigand said.
Additionally, all SSL certificates issued in the Microsoft cloud in Germany will be handled by an external Certification Authority, he added.
"Sounds good? Right. Sounds really good, and since I've been part of the team that builds this solution for the last half year I can tell you that it does not only sound good, but it is good," Wigand said.
Microsoft has been offering some of its U.S. government customers locked-down versions of Azure, Office 365 and CRM Online via its Azure Government Cloud (codenamed "Fairfax"), Office 365 Government Cloud and CRM Government Cloud. But the coming German data-access guarantees are meant to go even further and are an attempt to appease increasingly uneasy privacy advocates worried about U.S. policies around data access.
Will this new plan be enough to convince customers that Microsoft's cloud is trustworthy -- or at least more trustworthy than its competitors'? I guess we'll find out more next year once the new regions are up and running....