Microsoft announced a number of new cloud offerings today, including, notably, the availability of Azure Deutschland, a German cloud region that will offer Azure services that come not directly from Microsoft, but from the German data trustee Deutsche Telekom.
The service, launched in Preview today, is interesting because Microsoft works hard to keep itself at arm's length from customer data in this region, and to make sure that the data is kept on German soil.
In fact, while the region offers redundancy and backup, it does so through a private network to ensure that none of the bits being backed up even go through the public Internet where they might stray onto foreign soil.
Germany has some of the strictest data privacy protection laws on the books, and Microsoft said that Deutsche Telekom will have strict protocols regarding when Microsoft is allowed access, even for support:
Microsoft has – in this new model – no rights at all to access customer data. Only for a special purpose, like a support call from a customer, will temporary access be granted by the Data Trustee to the Microsoft engineer, and only for the specified area. After that time (using a technology similar to what you might know as JIT) all access is revoked automatically. So to repeat: Access is granted to the Microsoft engineer only by the Data Trustee. Microsoft has no way to grant that access to itself. And of course there is logging of this process to an area where Microsoft has no access, too. In addition, the Data Trustee is escorting the session and watching the engineer at work.
That RBAC is also in place for physical access to the datacenters. The Data Trustee has to approve the visit and will escort Microsoft or any of its subcontractors at any time during the visit.
That's a lot of work on Microsoft's part to limit the access it has, but with foreign companies increasingly wary of U.S. data policy, it will be interesting to see how popular these kinds of arrangements are.
It's also interesting to note that as Microsoft works to make its customer data less accessible to the U.S. government, the U.S. government is continuing to work to get more of its data with Microsoft: In addition to a new Canadian region, Microsoft also created two new regions designated US DoD East and US DoD West to service government and military customers.