Microsoft Acknowledges Security Best Practice Failures
It was an easy post to miss in the run up to the Thanksgiving holiday. On November 25, we posted the results of an Electronic Frontier Foundation (EFF) survey detailing how Microsoft fails to meet 4 out of 5 security best practices for its cloud service data centers and its customers’ data (Google and Dropbox were the only vendors surveyed that meet all 5 criteria).
This week, Microsoft acknowledged that not all customer data is encrypted in their data centers — at rest, or in transit within and between data centers. In a ZDNet article dated December 5th, Chris Dunkett reports that Microsoft will not fully protect stored user data until the end 2014.
The article also quotes Brad Smith, Microsoft general counsel and executive vice president, legal and corporate affairs, stating that Microsoft will work “…with other companies across the industry to ensure that data traveling between services — from one email provider to another, for instance — is protected.” Microsoft is acknowledging that they currently do not run STARTTLS services, and industry security best practice.
While Microsoft is actively positions itself as the “enterprise knowledgeable” competitor to a “consumer-centric” Google, pointing out how Microsoft runs its own large data centers. Once again, however, Microsoft fails to realize that the methods and practices used to run their own data centers do not translate to multi-tenant data centers hosting customer data.