How Microsoft builds privacy and security to work hand-in-hand
The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more. In this article, Terrell Cox, Vice President for Microsoft Security and Deputy CISO for Privacy and Policy, dives into the intersection of privacy and security.
For decades, Microsoft has consistently prioritized earning and maintaining the trust of the people and organizations that rely on its technologies. The 2025 Axios Harris Poll 100 ranked Microsoft as one of the top three most trusted brands in the United States.1 At Microsoft, we believe one of the best ways we can build trust is through our long-established core values of respect, accountability, and integrity. We also instill confidence in our approach to regulations by demonstrating rigorous internal compliance discipline—such as regular audits, cross-functional reviews, and executive oversight—that mirrors the reliability we extend to customers externally.
Here at Microsoft, we are grounded in the belief that privacy is a human right, and we safeguard it as such. Whether you’re an individual using Microsoft 365 or a global enterprise running mission-critical workloads on Microsoft Azure, your privacy is protected by design. In my role as Vice President for Microsoft Security and Deputy CISO for Privacy and Policy at Microsoft, I see privacy and security as two sides of the same coin—complementary priorities that strengthen each other. They’re inseparable, and they can be simultaneously delivered to customers at the highest standard, whether they rely on Microsoft as data processor or data controller.
There are plenty of people out there who view the relationship between security and privacy as one of tension and conflict, but that doesn’t need to be the case. Within my team, we embrace differing viewpoints from security- and privacy-focused individuals as a core principle and a mechanism for refining our quality of work. To show you how we do this, I’d like to walk you through a few of the ways Microsoft delivers both security and privacy to its customers.
Security and privacy, implemented at scale
Our approach to safeguarding customer data is rooted in a philosophy that prioritizes security without the need for access to the data itself. Think of it as building a fortress where the walls (security) protect the treasures inside (data privacy) without ever needing to peek at them. Microsoft customers retain full ownership and control of their data, as outlined in our numerous privacy statements and commitments. We do not mine customer data for advertising, and customers can choose where their data resides geographically. Even when governments request access, we adhere to strict legal and contractual protocols to protect the interests of our customers.
A number of Microsoft technologies play important roles in the implementation of our privacy policy. Microsoft Entra, and in particular its Private Access capability, replaces legacy VPNs with identity-centric Zero Trust Network Access, allowing organizations to grant granular access to private applications without exposing their entire network. Microsoft Entra ID serves as the backbone for identity validation, ensuring that only explicitly trusted users and devices can access sensitive resources. This is complemented by the information protection and governance capabilities of Microsoft Purview, which enables organizations to classify, label, and protect data across Microsoft 365, Azure, and their third-party platforms. Microsoft Purview also supports automated data discovery, policy enforcement, and compliance reporting.
The beating heart of the Microsoft security strategy is the Secure Future Initiative. We assume breach and mandate verification for every access request, regardless of origin. Every user, every action, and every resource is continuously authenticated and authorized. Automated processes, like our Conditional Access policies, dynamically evaluate multiple factors like user identity, device health, location, and session risk before granting access. Support workers can access customer data only with the explicit approval of the customer through Customer Lockbox, which gives customers authorization and auditability controls over how and when Microsoft engineers may access their data. Once authorized by a customer, support workers may only access customer data through highly secure, monitored environments like hardened jump hosts—air-gapped Azure virtual machines that require multifactor authentication and employ just-in-time access gates.
Privacy is a human right
The intersection of privacy and security is not just a theoretical concept for Microsoft. It’s a practical reality that we work to embody through comprehensive, layered strategies and technical implementations. By using advanced solutions like Microsoft Entra and Microsoft Purview and adhering to the principles set out in our Secure Future Initiative, we help ensure that our customers’ data is protected at every level.
We demonstrate our commitment to privacy through our proactive approach to regulatory compliance, our tradition of transforming legal obligations into opportunities for innovation, and our commitment to earning the trust of our customers. Global and region-specific privacy, cybersecurity, and AI regulations often evolve over time. Microsoft embraces regulations not just as legal obligations but as strategic opportunities through which we can reinforce our commitments to privacy and security. This is exactly what we did when the European General Data Protection Regulation (GDPR) came into effect in May of 2018, and we’ve applied similar principles to emerging frameworks like India’s Digital Personal Data Protection Act (DPDP), the EU’s Network and Information Systems Directive 2 (NIS2) for cybersecurity, the Digital Operational Resilience Act (DORA) for financial sector resilience, and the EU AI Act for responsible AI governance.
Using regulatory compliance as a lever for innovation
Microsoft publicly cheered the GDPR as a step forward for individual privacy rights, and we committed ourselves to full compliance across our cloud services. We soon became an early adopter of the GDPR, adding GDPR-specific assurances to our cloud service contracts, including breach notification timelines and data subject rights.
Because we believe so strongly in these protections, our compliance efforts quickly became the foundation for a broader, proactive transformation of our privacy and security posture. First, we established a company-wide framework that formalized privacy responsibilities and safeguards. It mandated robust technical and organizational measures designed to protect personal data companywide, now aligned with cybersecurity standards like those in NIS2.
As part of this framework, Microsoft appointed data protection officers and identified corporate vice presidents in each business unit to provide group-level accountability. Microsoft also built what we believe is one of the most comprehensive privacy and compliance platforms in the industry. This platform is the result of a company-wide effort to give customers real control over their personal data, experienced with consistency across our products, while seamlessly integrating security and regulatory compliance.
To operationalize these commitments, we developed advertising and data deletion protocols that made sure data subject requests (DSRs) were honored across all our systems, including those managed by third-party vendors. Microsoft extended GDPR-like principles to customers globally. This initiative emphasized data minimization, consent management, and timely breach reporting. It also reinforced customers’ rights to access, correct, delete, and export their personal data.
Expanding from this foundation, we continue to take a proactive stance on emerging global regulations. For DPDP in India, we enhanced data localization and consent mechanisms in Azure to help organizations comply with local privacy mandates while maintaining robust security. Under NIS2 and DORA, our tools like Microsoft Defender for Cloud enable critical sectors to detect, respond, and build operational resilience—creating cybersecurity as the shield that protects privacy rights.
For the EU AI Act, Microsoft Responsible AI tools integrated with Microsoft Purview enable governance, classification, and compliance tracking of AI models, ensuring transparency and accountability across the AI lifecycle. In parallel, Microsoft Defender for Cloud extends protection for AI workloads and data environments, ensuring AI systems are secure, monitored, and resilient — much like a traffic light system that signals safe passage for innovation while mitigating risk.
Thanks to this early, decisive action to safeguard privacy and security worldwide, Microsoft is now in a strong leadership position as similar laws are passed by a growing number of countries. Because we’ve already gone above and beyond what initial regulations asked of us, we’re more easily able to adapt to the specifics of other related legal frameworks.
Learn more
To hear more from Microsoft Deputy CISOs, check out the OCISO blog series. To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
1The 2025 Axios Harris Poll 100 reputation rankings
READ MORE HERE