Trust is a key issue in any discussion of cloud services. After all, when you choose a cloud service, you're trusting them to reliably deliver the promised services and to protect your data against loss, damage, and theft. This is true whether you're talking about a consumer cloud service such as Apple's iCloud or a business service such as Office 365 or Salesforce.
In particular, Microsoft has faced a lot of questioning centered on trust. As one of the dominant players in the SaaS market, and as a multi-national organization with extensive facilities all over the globe, they've had to deal with extra scrutiny of their privacy and security practices. To their credit, they've been remarkably transparent. This transparency started early on, with the Office 365 Trust Center's collection of videos and documents explaining Microsoft's policies in clear, simple language. It has continued with clearly worded, easily understandable blog posts by Microsoft's senior leaders (including president and chief legal officer Brad Smith). For the more technically-oriented reader, the Microsoft Cyber Trust blog, despite its stupid name, has some excellent content.
However, these efforts have fallen a little flat with some customers because they are generic, not oriented towards any one region, industry, or domain. Customers want very specific guidance on how cloud providers' security and privacy features will work in their particular case.
One example: I have a customer in the manufacturing industry. They're a subsidiary of a publicly-traded US-based company with several thousand users worldwide, about half in the US and half elsewhere, including some in the EU. Quite naturally, they have lots of questions around compliance, data sovereignty, and privacy in Office 365. While Microsoft's existing guidance has been useful to them, it's sometimes hard to convince legal and compliance teams that the general guidance Microsoft provides covers their specific case—after all, these professionals are paid to reduce risk, and absent a statement from the vendor that says "nope, no risk here," the easiest way to reduce risk is to say no to the cloud.
Thankfully, Microsoft has recognized this issue as a blocker for cloud deployments and they're addressing it through the brand-new Office 365 Service Trust Portal. The basic concept of the STP is simple: you log in to your tenant, activate the STP for it, and then Microsoft provides a customized set of documents relevant to you. Relevance is determined by the location of your tenant, the industry and vertical that you specify, and the locations where you have users. Once you've activated the portal, you can grant access to users in your tenant (presumably including your compliance and legal teams) so they can find the documents they require to answer their security, privacy, and data sovereignty questions.
To activate the portal, start by pointing your browser at https://trustportal.office.com. After logging in with your Office 365 tenant administrator credentials, you'll be asked to authorize the STP application.
After authorizing the portal, the first app page you'll see is the Settings page, where you select the regions and industries that pertain to your tenant. The granularity of choices that you have tells you a lot: Canada, Germany, and Japan have strong privacy laws and are listed separately, but all of South America (save Brazil) is lumped together, and the US and Mexico are listed together as "North America." The industries available to choose from are interesting too—there are entries for jewelry, religion, and a variety of more conventional industries.
After choosing the regions and industries appropriate for your tenant, click the "Save" button. Optionally, you can use the "Add User Role" link to add other tenant users as either portal administrators or portal users.
Once you've finalized the settings, the rest of the portal pages become available:
- The Home page gives you a fairly useless set of links that point to the sets of compliance and trust documents you have access to, as well as a redundant link to the settings page. The link for providing feedback is probably the most useful item here.
- The Compliance Reports page lists all of the reports Microsoft has generated covering their compliance with specific regulations. You can filter reports by region or industry; for example, if you said that you're a manufacturer with operations in Brazil, Germany, and North America, you can choose from any of those regions. You can also keyword-search the document names and summaries, but not their full text.
- The Trust Documents page lists specific documents that pertain to your tenant. The page says it offers "white papers, FAQs, end-of-year reports, and other Microsoft Confidential resources that are made available to you under non-disclosure agreement." To me, this is the most valuable section of the portal—while the items collected here are already available to most customers through their Microsoft sales or technical support channels, having them collected in a single place is valuable, and being able to focus only on documents that pertain to your organization's industry and geographies is even more valuable. (Because the items here are all provided under NDA, I didn't include a screen shot; you'll have to go look for yourself if you want to see what's there.)
Although much of the content on the STP is immediately useful, I'm more interested in seeing what Microsoft does with this. Because the portal is actually an application, it could potentially be extended to take advantage of data from your tenant—for example, Microsoft could customize the documents displayed to focus on features that you've licensed and deployed, separating those that don't pertain to what you're actually doing. They could even leverage usage data from Office Graph—the kinds of things that are now displayed in Delve, such as information about who's shared which documents—to provide more focused recommendations and content. In addition, Microsoft will certainly continue to pump out security, compliance, and privacy documentation, and the STP is the logical place to collect and organize it.
The signup process is simple and quick, so give it a try—I'd be interested to hear back from you to see whether you found anything new or unexpected in the documents that the STP exposes for your particular industry and geography.