Saturday, December 5, 2020

Why a former open source fan trusts in Microsoft and their secure data handling

At the beginning of my IT "career" in the mid-80s I was an open source fan and had bad prejudices against Microsoft. For me this was a huge "bad" US corporation, and in those days it also sounded bad to pay money for software, especially for kids who had just their small pocket money. So illegal software copies were very widespread. Also, people did not understand the concept of intellectual property in software in those days, maybe also because it was just too easy to make a simple copy of a program. Nobody was missing something (as if it had been physically stolen), since you made a copy out of "nothing".

Later on I was working as a CAD administrator in my first job. There we also had Unix systems (Silicon Graphics IRIX, IBM AIX and still the evil Windows 3.1/3.11). In my next job, as 2nd level supporter for a SIEMENS affiliate company, we used SCO Unix and Linux together with the (still evil) Windows 95 / NT 4.0. I loved Linux for the open source concept: making things available for all for free.

But one day in my IT career a consulting company offered me a job as vendor lab engineer for (the big evil) Microsoft Corporation near Munich (Unterschleissheim). It took a while to think about it. I had so many (pre-)judices against them. But I realized I needed to find out for myself whether I was right or wrong!

Until then I had only been in contact with some Microsoft salesmen, and in those days these guys were very snobbish. At least it felt snobbish. But I was willing to give it a chance and maybe correct myself.

After a few weeks I realized the big difference between my thoughts and the reality. The tech guys there were as cool as the open source guys. Same techy mindset, and all very open and friendly. But there was also this other difference, which I understood better by then: Microsoft's techies realized they have to pay their bills at the end of each month for their houses, cars etc. So there was really a very good justification for paying money for software. Actually this also paid my own bills :-$

So this was my personal conversion from a Linux open source minded "Saul" to a Microsoft/Windows minded "Paul"!

But when it comes to data protection (which is the original topic of this article) there is yet another story to tell, and it is why I absolutely trust Microsoft's data handling way more than all others. I was one of the "victims" of this data handling. Victim in the sense that I learned first-hand what this really means to them!

Many people argue that Microsoft is making money with customers' data. As far as I observed this is absolutely not true! Even the opposite is true!

First of all you have to think about different companies and their business models. Many of the "I-give-it-for-free" companies like Google, Facebook, Twitter (just to name a few of the more prominent ones) have a business model based on data.

Rule of thumb is: "Whenever you do not pay for a product - YOU are the product."

Actually this is not bad and also very popular. Most people still like stuff they do not have to pay for. But you need to make yourself aware that your personal usage pattern is used for marketing and advertisement purposes. So Google, Facebook and Co. do their business based on advertisement.

If you use their services you need to accept that! And believe it or not I still use Google for searching.

Whenever you are a data protection officer arguing against Microsoft regarding data handling (obviously without knowing it better), then you also need to be consistent and stop using Google for search in your company!

Microsoft's business model is different. You actually pay for the services. The free stuff there is normally "just" there to bind people to the paid stuff. Actually I myself use Office365 Home (for me and my family) and pay for it. I get all the cool new stuff and lots of services for a small price. So I do not care anymore. This means they make money with software & services, not originally with data (only).

To be fair, they also get usage data to help them make better advertisements for you (when it comes to Microsoft services), but they do not sell this data.

To check this out in detail, check it here in English or German (Microsoft Privacy Statement).

Even Google states that they do not sell your data. They just create advertisements based on your behavior on their platform (or platform "legs" on other websites with embedded Google advertisement frames), as stated here. As I was not working there I cannot judge this seriously!

Now let's come to Microsoft's internal data handling behavior. This is what I did myself, as I was instructed to do:

  1. Whenever a customer came into our lab with some sort of personal data, we refused it.
  2. If it was necessary, we only allowed at least pseudonymized data.
    1. Then the data needed to reside on dedicated systems (hardware or VMs on dedicated hardware)
    2. Not connected to any IP network
    3. Accessible only via KVM switch (just keyboard, video and mouse extension, no data transmission)
    4. KVM switch only accessible via dedicated VPN into our internal lab network, and only from the Microsoft corporate network
    5. Data deleted with a DoD wipe process (DoD 5220.22-M) afterwards, writing "trash" 5 times over the whole hard disk (certified)

Actually we "feared" real customer / personal data in our lab environment, as we had to take it very seriously, which also introduced a lot of extra work for us!
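Step 2 above requires at least pseudonymized data before anything enters the lab. The following Python is an added example (not the author's or Microsoft's code) of keyed pseudonymization: direct identifiers are replaced by HMAC-SHA256 pseudonyms under a key that stays outside the lab, so records about the same customer still link together while the clear identifiers never reach the lab systems. The field names and sample records are constructed for illustration.

```python
"""Keyed pseudonymization of customer records before they enter a lab."""
import hashlib
import hmac
import secrets

# Fields that directly identify a person; these must not enter the lab in clear.
# (Constructed field names for this example.)
DIRECT_IDENTIFIERS = ("customer_id", "email", "name")


def pseudonymize_value(value: str, key: bytes) -> str:
    """Replace one identifier with a keyed pseudonym (truncated HMAC-SHA256).

    Normalising case/whitespace first keeps 'anna@x' and 'ANNA@x ' linked.
    A plain unkeyed hash would let anyone re-identify by hashing guesses;
    the key therefore stays with the data owner, outside the lab.
    """
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "psn_" + digest[:16]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with every direct identifier replaced."""
    return {
        field: pseudonymize_value(str(value), key) if field in DIRECT_IDENTIFIERS else value
        for field, value in record.items()
    }


def pseudonymize_dataset(records: list, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


def leaks_identifiers(records: list, lab_copy: list) -> bool:
    """Check that no original direct identifier survives anywhere in the lab copy."""
    originals = {str(r[f]).strip().lower() for r in records for f in DIRECT_IDENTIFIERS if f in r}
    return any(str(v).strip().lower() in originals for p in lab_copy for v in p.values())


# Constructed sample records (not real customers); the third is a repeat customer.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.com", "name": "Anna Example", "ticket": "slow login"},
    {"customer_id": "C-1002", "email": "bob@example.com", "name": "Bob Example", "ticket": "crash on save"},
    {"customer_id": "C-1001", "email": "ANNA@example.com ", "name": "Anna Example", "ticket": "slow login again"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and kept outside the lab
    for row in pseudonymize_dataset(SAMPLE_RECORDS, key):
        print(row)
```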

In my life I have seen many companies handling data. But none of them was by far as strict as Microsoft is. And in the days of GDPR Microsoft takes it even more seriously. Today they have literally a dozen different personal data classifications and different handling instructions.

Also in terms of layered security (starting with access, processing data, storing data and even data disposal) Microsoft is really THE ultimate model student. And they cannot accept less.

Just think of their Cyber Defense Operations Center (CDOC), which takes care of all of Microsoft's assets on premises and in the clouds (public and private). Or the Microsoft Digital Crimes Unit (DCU). They are actively helping to make the world safer every day. Just check out their current reports.

This is why I absolutely trust in security & secure data handling at Microsoft. They do much more than even my bank does (and I had an IT project with my own bank as well, many years ago!)