Perry Clarke

Perry Clarke is back to geek out with you through his blog and the Geek out with Perry video series.

In this edition, Perry is joined by a new co-host, Julia White, to discuss what it looks like to run a secure service in Exchange Online. The discussion covers the investments in the data center as well as customer control features available in the service to help customers manage risks. Read the blog and check out the video to hear the full conversation.

If you want to geek out with Perry and the Exchange team, join them at MEC 2014 in Austin, TX. Go to iammec.com to learn more about the event and register today.

Brian Shiers
Technical Product Manager, Exchange

30 Comments
Not applicable

@Bill: See Statement of Microsoft Corporation on Customer Privacy. Microsoft has publicly stated the following:

We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.

Not applicable

@Joe, @Jerry: I've pointed you to some of our ongoing communication from Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs at Microsoft. The communication answers questions similar to the ones raised here.

It's not a discussion we can effectively have in blog comments, particularly if you've made up your minds.

Not applicable
@Jerry, please allow me to ask the same of you and any others. What assurances would those be? I'm asking entirely out of curiosity and not creating deliverables.
Not applicable
@Jerry: What specific assurances are you looking for?
Not applicable
Geek Out with Perry is Back!
thank U
Not applicable

@Joe: From June 6, 2013. Please click on the source link for complete details and time.

There's quite a bit of communication about this issue, including (but not limited to):

  • Responding to government legal demands for customer data
  • Protecting customer data from government snooping
  • Providing additional transparency on US government requests for customer data
  • Law Enforcement Requests Report
Not applicable
    No question and answer about NSA PRISM Backdoor Access to the Office 365 servers ;)
    Not applicable
    @Bharat - That's not good enough. We need better assurances. We simply don't trust you. So, how can we get around this stalemate?
    Not applicable
    @Bharat Suneja - The statement you provided is that from Before the NSA PRISM revelations or After the NSA PRISM revelations?
    Not applicable
    @Bharat Suneja - So the World found out about the NSA PRISM, and the NSA PRISM documentations showed everyone in the planet that Public Cloud servers / Office 365 servers have Backdoor Access and then MS saying No we are ok.
    Not applicable
    @Bharat - Sorry, still don't trust you. A lying person would say the exact same things, so I don't know what you could possibly say at this point to placate us. I do know that not only was your Twitter account recently hacked by "the syrian army" or whomever, but very sensitive e-mail accounts that contained NSA requests were also hacked as well. You've now got OneDrive hooked into everyone's local searches in Windows 8.

    What I want to know is what will you accept as consequences when we find out that stocks have been traded illegally because people were hacking into Office 365 accounts and nobody at Microsoft noticed? How are you ensuring that ALL of our data is completely encrypted? Just showing us articles that we have already read is pointless. We've read those and still don't trust you enough to give you the benefit of the doubt. Call me what you will, but unless you can show me 100% that my data is 100% safe and there are zero attack points and such - I'm not going swimming in your pool that it appears people are peeing in.

    Not applicable
    @Jerry M - 100% safe = Private Cloud / On-Premises :)
    Not applicable
    Sounds to me that you won't ever trust these folks. You won't get a tour of the datacenter, so *exactly* what would it take? Independent audit? If so they do that. As part of the regular audit processes they have audit firms come in and examine for SSAE16 reports and an alphabet soup of reports and certifications. What YOU need to do is add encryption BEFORE it gets up there whereby only YOU hold the encryption key because anything less is a cop out on your side. This is the reality folks, you should not trust you should encrypt before it gets there dude.

    Not applicable
    Read -- http://www.microsoft.com/en-us/download/details.aspx?id=26552 And then since it's clear that even with that you won't trust them, then YOU need to add encryption http://www.ciphercloud.com/products/ciphercloud-for-office-365/ and you control the encryption keys. Since ensuring that the NSA can't control your email is a key business need here, that's the way you do this. And by the way, what assurances do you have that anything else along the path to and from the Internet is similarly protected from the NSA's prying eyes? Seriously, since words don't cut it, encrypt it. You should be doing this now for your email transmissions.

    Not applicable
    RSA & NSA had contracts LOL ......... ciphercloud & NSA has contract..............
    Not applicable
    @JerryDude - Nice, thank you for that information. CipherCloud IMO does indeed handle a number of security issues. I think that's a decent compromise, but it does add quite a bit of cost. Should probably be part of the base O365 offering to have this feature, but if you need it, it's nice to know you have it available.

    Not applicable
    @Anon - there is no 100% safe even with on premises. Unless email is encrypted end to end, it's not secure now. I'm not a fan of the financial model of the cloud - that is a monthly subscription fee model - but the idea that somehow on premises is more secure just because the server is in the room next to you... is not reality of how email is set up.

    Not applicable
    On-Premises you do NOT have Backdoor Access such as Public Cloud. In Public Cloud you are giving your data to whomever? and who knows what kind of Backdoor Access to your .edb files? So On-Premises with Encryption is safe :)
    Not applicable
    You are positive you are encrypting your on premises email from end to end now with your on premises deployment? I'm not.
    Not applicable

    For those commenting: Have you watched the Geek Out video? Or parsed through any of the links Bharat posted? :)

    @Bharat: Don't envy you having to deal with IT pros firmly in the on-premises camp (nothing wrong with that - do what works for you) and a bunch of trolls. Most are not interested in a professional discussion on this issue.

    Not applicable
    @Jerry: You seriously have trust issues. Rather than wasting time arguing online about NSA and other speculation if you don't trust Microsoft then change? You have a choice here is an open source option http://www.zimbra.com. So rather than complaining or calling people liars. Just go find another email system that you trust.

    Not applicable
    I agree 100% with Jerry M.
    Not applicable
    Jerry M is correct.
    Not applicable
    Save yourself all the Security Headaches such as NSA, Backdoor Access & other Security issues in the Public Cloud / Office 365 and Keep it On-Premises and simple :-)...................
    Not applicable
    @George So you're saying your on-prem is more secure than the O365 solution? What you mean is, save yourself the headache of the NSA requesting MS to give up info, but leave yourself open to many more likely security breaches w/ on-prem.
    Not applicable
    On-Premises I have my data. In the Public Cloud / Office 365 the Vendor has my data. Really you do NOT see the issue here? LOL
    Not applicable
    @George, Yep the vendor has my data with NSA Backdoor Access..........
    Not applicable
    And I am F-ed...........
    Not applicable
    It's a shame no one has any enthusiasm about the Exchange product anymore. Microsoft hurt themselves badly by pushing the cloud too much. I wonder if Lotus will develop a decent e-mail product again?
    Not applicable
    At the end of the day, Microsoft is legally compelled to comply. As a legal entity, the focus of Microsoft's legal team will be on the legal position of the company, not the constitutional rights of the users, which are at the heart of the NSA PRISM program controversy. More importantly, perhaps, is what happens if a legal order is issued for access to a specific customer's data by the government that results in other customers' data being locked down, simply because they happen to share the same logical space, or may have been otherwise "a party of interest", yet committed no illegal actions - their only snag was that they were in some way logically related to the customer in question. Risk exists here. Each of us will need to assess the risk for ourselves, though. I personally find the risk too great, even with the best of intentions from Microsoft. But for small to medium businesses that don't mind the shared infrastructure and don't want to carry the burden of employment of properly skilled staff, it makes sense. I just wish Microsoft wouldn't push it so hard on their enterprise customers. I think their time would be better spent fixing the issues and shortcomings of Exchange 2013.