I have sensitive data stored in both Azure DB and Azure SQL VM.
An authorised DBA can log on and query the database, but in theory could a random Microsoft employee do the same without asking permission?

I found this online which suggests the answer is 'no', but is it really?

Customer data ownership: Microsoft does not inspect, approve, or monitor applications that customers deploy to Azure. Moreover, Microsoft does not know what kind of data customers choose to store in Azure. Microsoft does not claim data ownership over the customer information that's entered into Azure.

Also found this on a site discussing the negatives of using a SQL Developer Licence:

Microsoft gets access to your data: it is mandatory with any non-commercial installation of SQL Server that all your usage data covering performance, errors, feature use, IP addresses, device identifiers and more, is sent to Microsoft. There are no exceptions. This will likely rule it out for any company that deals with particularly sensitive data.

I'm not proposing using a developer licence on Azure, but which is it - can Microsoft inspect my data or not, either legitimately or a rogue employee?

T.J.L.
  • Would be good to attribute (link) these quotes... – ETL Oct 10 '19 at 14:03
  • Most likely a random MS employee could not, but some could do so if they had the (at a technical level) permissions to do so, or physical access to hardware. You are really asking "if I host my stuff on someone else's computer, do I have to trust that entity not to look at the data" – davidgo Oct 10 '19 at 17:14
  • [Related](https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql). You could also encrypt your data *before* uploading it and decrypt it application-side – Mars Oct 11 '19 at 04:52
  • Only answer here is no. A RANDOM employee would MOST likely hit support, administrative (paperwork) personnel or Windows developers. NONE of those would have access and the rights necessary to access the Azure level hardware. There will be VERY few people (as percent of Microsoft) with the proper permissions simply because RUNNING (not planning) the hardware is not a lot of people to start with. So, RANDOM Microsoft employees can NOT see the data. – TomTom Oct 11 '19 at 07:59
  • Don't forget that pretty much every Azure service holding data offers the option to encrypt data and you may use your own keys to do this. – Neil P Oct 11 '19 at 11:02
  • There's a big difference between DOES NOT and CAN NOT. The question should really be about the practicality, not the possibility of a Microsoft employee seeing your data. Of course there's a possibility of a Microsoft employee seeing your data. A Microsoft employee could get a second job working at your company and see your data legitimately, for example. Or a criminal could threaten violence, and so forth. The real question is how practical is it. – barbecue Oct 11 '19 at 15:49

7 Answers

Legally speaking, they can't read your data or send your data to law enforcement without a correct court order.

Requests for customer data

Government requests for customer data must comply with applicable laws. A subpoena or its local equivalent is required to request non-content data, and a warrant, court order, or its local equivalent, is required for content data.

See Microsoft's transparency report for the current state of how many legal subpoenas they have answered.


You have to choose your Azure region wisely for that reason. For example, a HIPAA enterprise in Canada would have to have its data hosted in Canada.

A rogue Microsoft employee could maybe see your data. The process there is unknown, but that risk is the same from any hoster or rogue employee inside your corporation.

yagmoth555
  • While you cover government requests for data well, I see nothing in your answer that indicates that _Microsoft itself_ or its employees have any restrictions in place on accessing the data. (I'm sure they do, internally, I just see no evidence of it here.) – cjs Oct 11 '19 at 00:09
  • @CurtJ.Sampson It's a hypothetical question, as any backup they do, from your VM, or database to store inside another storage, uses an account that can actually read your data. If they do a snapshot on the backend storage, such can read the data too. So the ethical question is, what process does Microsoft put in place to be sure no user data gets leaked? It's hypothetical as we don't know the process, but HIPAA data, like medical files, exists on the cloud, as such yes, I can assure Microsoft will not read your data for the fun of it, just if asked by a court order; that's why I based my answer on that. – yagmoth555 Oct 11 '19 at 01:56
  • My comment was intended to address _exactly_ that "ethical" question and cases like the ones you mentioned. This is not at all a hypothetical question; as you can see from my answer below MS does have at least some processes in place about this, and other cloud providers do put these processes in place and document them better. The OP was specifically asking not about government access, but "in theory could a random Microsoft employee do the same without asking permission?" and "can Microsoft inspect my data or not, either legitimately or a rogue employee?" – cjs Oct 11 '19 at 02:50
  • @CurtJ.Sampson at the very least they will have contractual obligations to not access your data unless required for the execution of their duties (which means in case of customer support needing access to analyse problems or in case of court orders basically). It's the same with any hosting provider, nothing specific to Microsoft. E.g. I have access to customer data, but I'm not supposed to actually make use of that access unless the customer has a problem that requires me to access that data in order to resolve that problem. – jwenting Oct 11 '19 at 06:27
  • @jwenting "At the very least" they only have those contractual obligations that are in the contract you've signed with them. And that you "have access to customer data but [you're] not supposed to actually make use of that access" is _exactly_ what we're worried about. Please tell us who you work for so I can make sure that I never, ever, store any data with them. – cjs Oct 11 '19 at 19:29
  • How about if the VM is seamlessly migrated in and out of the US? Still need a court order? – Konrad Gajewski Oct 11 '19 at 23:27
You are putting your data on Somebody Else's Computer, and the data can be accessed in some way. In other words, the answer to your exact question is almost surely: Yes, some Microsoft employees can see your data but make an active choice not to perform the tasks that would let them do so.

A wider question is how large the risk actually is for leaks of such data. My opinion is that the risk that a Microsoft employee would attempt to access your data (and leak it) is considerably lower than the risk that a configuration or software error made by you as a tenant would make such data available to third parties. The latter is what we usually see when it comes to data leaks that make it to the news.

Mikael H
  • " but make an active choice not to" - I would suggest you have that backwards. I can't imagine the day-to-day work of any appropriately authorised MS employee would take them anywhere near looking directly at customer data. – Michael Frank Oct 11 '19 at 00:13
  • MichaelFrank, I agree, but it's still a matter of "can, but won't" rather than "can't". – Mikael H Oct 11 '19 at 06:30
  • @MichaelFrank yes, they would have to actively decide to seek such access if it's at all like any of the multiple positions I've had over the years where I had direct access to customer data (including in one case production data about an entire nation's phone network including billing data for all phone calls, all phone numbers and address data from all customers). We were simply told that accessing that data without a request from the customer would get us fired on the spot. – jwenting Oct 11 '19 at 06:30
I state this from experience because I used to work there.

Internally Microsoft is very strict about protecting the data of users and customers, and unlike some other big well-known web outfits, Microsoft explicitly does NOT scan the contents of users' private files (e.g. your Hotmail.com email, your VM's data files) to be used for marketing or advertising.

Any employee who breaks internal rules to access user data would be shown the door PDQ, and would likely face legal consequences. And only a restricted cadre even have the technical ability/access to do that.

Note that "metadata" falls under different rules, which Microsoft is upfront about, but is strict about who might actually see even that. Usually it gets anonymized en masse and sorted into some internal company database so the operations folks can keep the systems running. Those folks care only about the overall statistics, not the actual user data (which they can't normally see).

The SQL developer licence data you mention is metadata (e.g. "usage data"), not the customer's SQL data.

In short, no human is going to read your files sitting on a Microsoft server unless there is a court order or some dire system repair problem requiring inspection of a specific file (extremely unlikely). And in either case it will be a limited number of eyeballs, and only after internal approvals are granted.

True story: in the very old days (1980s) two of the technicians would periodically take bunches of old hard drives out to the parking lot and drive a railroad spike through each with a sledge hammer. Very therapeutic. How's that for deleting files?

  • And most of that metadata will have been anonymised to remove information that can identify individual customers. – jwenting Oct 11 '19 at 06:32
Can they? Yes, the data is on their servers, which they control.

Will they? Probably not, except if they have a reason (usually legal, and you have a nice answer about that - also keep in mind that there are legal cases they cannot disclose). The probability depends on how interesting or problematic your data is.

Is what they get usable? That part depends on you: if you send them cleartext data then yes, if you encrypt it before sending then no.

WoJ
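The "encrypt it before sending" option in WoJ's answer above, and the "encrypt your data before uploading it and decrypt it application-side" suggestion in Mars's comment on the question, as an added example that is not part of any answer on this page and not Microsoft's or Azure's own API: a Go program (standard library only) that encrypts one column value under an application-held key with AES-256-GCM before it would be written to the database, so the hosting side only ever stores ciphertext. The stored format (random nonce prepended to the ciphertext, column name bound as associated data), the function names, and the sample `patients.ssn` value are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Assumed stored format (base64 of): nonce (12 bytes) || AES-256-GCM
// ciphertext || 16-byte GCM tag. The column name is passed as associated
// data, so a ciphertext copied into a different column fails authentication
// instead of silently decrypting. This is an illustration, not Azure's API.
const nonceSize = 12

// NewKey returns a fresh 256-bit key from the OS CSPRNG. In practice this
// key would live in a vault the tenant controls, never next to the database.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts plaintext for the named column and returns the
// base64 string that would be stored in the database.
func EncryptField(key []byte, column, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext and tag after the nonce we pass as dst.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. A wrong key, a tampered value or a
// ciphertext moved to another column yields an error, never wrong plaintext.
func DecryptField(key []byte, column, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < nonceSize+gcm.Overhead() {
		return "", errors.New("stored value too short to contain nonce and tag")
	}
	nonce, ct := raw[:nonceSize], raw[nonceSize:]
	pt, err := gcm.Open(nil, nonce, ct, []byte(column))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong column or tampered value")
	}
	return string(pt), nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample value; "patients.ssn" is a hypothetical column.
	stored, _ := EncryptField(key, "patients.ssn", "123-45-6789")
	fmt.Println("what the provider stores:   ", stored)
	pt, _ := DecryptField(key, "patients.ssn", stored)
	fmt.Println("what the application reads: ", pt)
	_, err = DecryptField(key, "patients.notes", stored)
	fmt.Println("same ciphertext read from another column:", err)
}
```

Because every value gets a fresh random nonce, the provider cannot even tell whether two rows hold the same secret, but for the same reason the database cannot index or do equality lookups on that column; Azure SQL's Always Encrypted feature exposes exactly this trade-off as its randomized versus deterministic modes. Whether "only the application can read it" actually holds is decided by key management: if the key sits on the same VM, under the same administrators, as the database, the scheme protects against little more than a stolen disk.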
I've not found exact details about Microsoft's internal access policies, but they do give general information in their brochure "Privacy Considerations in the Cloud" (PDF download, linked from their "Privacy at Microsoft" page):

Microsoft adheres to stringent policies and procedures when it comes to accessing your data. We have automated a majority of our service operations so that only a small set require human interaction. Microsoft operates on a “need-to-know-basis”, which means that access to your data by Microsoft personnel is restricted and can only be accessed when it is necessary for these operation. After that access rights are immediately revoked.

Further, data appears to be properly deleted and/or destroyed when you request deletion. ("Request" here appears to include things like releasing virtual hard drives and similar actions.)

What is your policy for deleting data? Can you assure me it will be completely removed? Microsoft follows strict standards for overwriting storage before reuse. If you delete your data or terminate your contract, we will ensure your data is deleted in accordance with your contract with us. In the event a hard drive fails, it will be physically destroyed in a way that makes data recovery impossible.

That said, some customer data appears not to fall under the above policies, and you as the customer need to understand what this is and be careful with data you upload that falls under that. Most of this appears pretty obvious; however, one example from Microsoft's data categories and definitions:

Object metadata

Is information provided by you, or on your behalf, that is used to identify or configure Online Service resources, such as software, systems, or containers, but does not include their content or user identities. Examples include the names and technical settings of Azure Storage accounts, Virtual Machines, Azure databases and data collections (and of their tables, column headings, labels, and document paths, as applicable). Customers should not include personal data or other sensitive information in object metadata because object metadata may be shared across global Microsoft systems to facilitate operations and troubleshooting.

The primary document about security and safety of data within Azure appears to be "Protecting Data in Microsoft Azure" (PDF download, linked as "Azure Data protection" in the middle of Data management at Microsoft). This touches on MS staff access only on page 17, where it discusses how staff are trained, they have strict protocols that are audited¹, etc., but it's vague on the details. It does reiterate what we've already seen above, in some cases being a bit more explicit:

Further protecting customer information, policy dictates that Microsoft personnel should not have persistent access to any customer data, including VMs, files, keys, databases, AD tenants, logs, or other types unless the customer explicitly grants access. If needed to resolve an urgent issue, Microsoft Azure administrators or support staff are provided with “just in time” access to customer data, which is revoked as soon as the issue is closed or requested.

The next couple of paragraphs also make clear that anything removed from the data centre is wiped first, and "delete means delete," and is "instantly consistent."

That said, the document is still well worth reading in its entirety if you're using Azure for any security-sensitive information, since security problems are far more likely to come from within your organization than from Microsoft.


¹ Don't read too much into the "comprehensive audits" part, by the way. Many security frameworks, such as ISO/IEC 27001 audit not that you're actually doing a good job at securing things, but that you have documented specific security controls and you have procedures for ensuring that you follow that documentation. Thus, if you document that passwords shall be no longer than 8 characters and consist only of lower-case letters, so long as you can show that you're following that, you pass the audit.

cjs
I am addressing the "rogue employee" aspect only.

The vast majority of Microsoft employees do not have access to your data. The few that do still need to jump through some hoops to request access to it.

I am a former Microsoft employee. The few times I did get access to user data, it was with the knowledge and agreement of the customer.

Patrick
The short answer: If it is cloud it is YES!!! The first rule of IT (or any tech) security is 'the man who holds the box OWNS the box'.

'Safes are meant to keep people outside, not inside' that is how magicians get out of safes.

Now, think, all the companies 'out-sourcing' their data/development/support to Asia and Europe. The recent Capital-One security breach, etc. The Man/Woman CSR 'holds' the box! When you call your credit card/bank the 'CSR' asks you to verify your information... now he/she knows a LOT about you!

A long time ago (over 20 years) I 'caught' a 'big blue' partner's tech reading/browsing a customer's hard disk on a computer that came in for repairs.

I have had my emails being read by my email services provider, since then I operate my own email servers. My hotmail, yahoo and gmail accounts are 'public domain' as far as I am concerned!

As ex-president Jimmy Carter said 'The most secure way to communicate is by regular (U.S.) mail'.

I am confident that my answer will be down-voted and removed :)

  • If you are confident your answer is so poor it should be downvoted, you shouldn't be posting it. Wild rants are fine for discussion boards, but this is not a discussion board. – cjs Oct 13 '19 at 14:37
  • As for your answer itself, it's a very poor security analysis. Every security system has weaknesses; to determine how happy you are with your security tradeoffs you need to expose and analyze these. For example, you ignore physical security: from that point of view your hotmail/gmail/etc. accounts are _much_ more secure than those on your own server, which is either in a location (your house or office, perhaps) much less secure than a data center, or at best, in a data center with a lot more random clients using your room than a cloud provider would have. – cjs Oct 13 '19 at 14:40
  • So the OP's question here is, what mitigation have cloud providers put in place to prevent the obvious "employees reading customer data" attacks? You do not address this at all. – cjs Oct 13 '19 at 14:41
  • No matter what 'mitigation' a cloud provider puts in place, the 'lowly' tech has access to it. Even for co-location there is no guarantee. Therefore the safest solution is to host your OWN servers, having ultimate control of the 'box'. When 'stake holders' say 'our data is in the cloud', I ask them, but where is your box, actually, and the 'silence is deafening'. Therefore, even for 'Azure', where is the box, physically? I believe I have answered the OP's question: if your data is sensitive, it is at more risk in the cloud. In other words NO SENSITIVE DATA SHOULD BE IN THE CLOUD! – Mr. de Silva Oct 13 '19 at 17:21
  • _"No matter what 'mitigation' a cloud provider puts in place, the 'lowly' tech has access to it."_ This is simply not true. The vast majority of techs working in cloud providers do not have access to the data of customers, and even for those techs that do, you can put systems in place that both limit the amount of access and carefully track who has what sort of access. Further, you completely ignore physical security. Consider how well you know who has really had access to your apartment or office when you're not there. – cjs Oct 13 '19 at 18:50