NSA Revelations Prompt Microsoft To Bolster Cloud Encryption, Transparency

Microsoft is taking steps to strengthen the data security measures of its cloud-based services to stem a growing apprehension surrounding its practices as a result of the ongoing leaks about the National Security Agency's surveillance activities.

The changes are generally being met with praise from resellers and service providers fielding a variety of questions from clients evaluating cloud products from U.S. companies.

Microsoft's general counsel said on Wednesday that the company would bolster encryption for data flowing to and from its Outlook.com, Office 365, SkyDrive and Windows Azure services. Strong encryption will be in place by the end of 2014, according to the new plan outlined by Brad Smith, Microsoft's general counsel and executive vice president of legal and corporate affairs. Under the plan, encryption will also be applied to data stored on the company's servers. The encryption option will be provided to the developers of third-party services built to run on Windows Azure, Smith said.

U.S. technology vendors are trying to buttress trust in their products, following a long litany of news leaks about the extent of the NSA's global surveillance programs. Some of the leaks outlined in documents stolen by government contractor Edward Snowden have suggested cooperation between software makers and government intelligence officials as part of doing business in the U.S. Resellers, consultancies and service providers told CRN that they have seen a significant rise in concern from businesses in Europe and Asia. Any potential fallout from the NSA revelations is still being measured, said Dipesh Patel, principal of Pariveda Solutions, a cloud strategy and solutions provider based in Dallas.

"People are now much more curious about where their data goes, how it is treated and stored," Patel said. "Many of these questions are around compliance and security standards and what Microsoft's data centers do and what they don't do."

Microsoft is appealing to its international customers whose longstanding concerns about data security and privacy as a result of the U.S. Patriot Act have expanded since the NSA leaks, said Rick Doten, chief information security officer at Digital Management Inc., a Bethesda, Md.-based mobility solutions provider. All large, global technology vendors based in the U.S. are bracing for the fallout and trying to shore up customer faith in their products and services, Doten said.

"They're doing prudent things to be able to be more transparent, and while data security has been available, only now are we seeing encryption applied to areas where risk has generally been assumed," Doten said. "Trust has taken a big hit."

Many clients simply want to understand who has access to any data residing in cloud-based applications and to have assurance of its continued availability, said Derik VanVleet, director of cloud strategy at Cloud Sherpas, a consultancy and cloud services provider based in Atlanta. Ultimately, most small and midsize businesses find increased security, not less security, once they get a full look at how large providers manage their massive data centers, VanVleet said.

"Once an enterprise customer is fully educated about what happens and their compliance concerns are met, there is an increased comfort level," VanVleet said.

Microsoft's Smith also reiterated the company's current policy to notify businesses of any requests it gets from law enforcement to access its customer data. But requests for customer data containing a gag order would be challenged in court, he said. Such requests typically come from the FBI and other U.S. federal agencies under a National Security Letter. In 2012, Microsoft received 1,000 demands with an accompanying gag order.

"We've done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data," Smith said. "We'll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country."

Microsoft also plans to open up transparency centers in Europe, the Americas and Asia to give government customers the ability to review the source code of its products. The company has a program to provide government clients with source code upon request. The changes will broaden the range of products included in its source code review program for prospective government clients, Smith said.

"We want to ensure that important questions about government access are decided by courts rather than dictated by technological might," Smith said.