Who owns the data we store in your service? Will you use our data to build advertising products? Do you offer privacy controls in your service? Do we have visibility to know where our data is stored? Can we get our data out of your service if we decide to leave?
These questions are top of mind for any organization that is considering Office 365. Luckily for you, Microsoft publishes the Office 365 Trust Center to answer those and many more questions about security on the Office 365 service.
Microsoft has 4 core tenants for its approach to earning and maintaining your trust:
1. Built-in Security
- Service-level security through defense-in-depth
- Customer controls within the service
- Security hardening and operational best practices
At the service level, Office 365 uses the defense-in-depth approach to provide physical, logical, and data layers of security features and operational best practices. In addition, Office 365 gives you enterprise-grade, user and admin controls to further secure your environment.
Physical Security – 24-hour monitoring of data centers, Multi-factor authentication, including biometric scanning for data center access, Internal data center network is segregated from the external network, Role separation renders location of specific customer data unintelligible to the personnel that have physical access, Faulty drives and hardware are demagnetized and destroyed
Logical Security – Lock box processes for strictly supervised escalation process greatly limits human access to your data, Servers run only processes on whitelist, minimizing risk from malicious code, Dedicated threat management teams proactively anticipate, prevent and mitigate malicious access, Port scanning, perimeter vulnerability scanning, and intrusion detection prevent or detect any malicious access
Data Security – Encryption at rest protects your data on our servers, Encryption in transit with SSL/TLS protects your data transmitted between you and Microsoft Threat management, security monitoring, and file/data integrity prevents or detects any tampering of data
Admin and User Controls– Rights Management Services prevents file-level access without the right user credentials, Multi-factor authentication protects access to the service with a second factor such as phone, S/MIME provides secure certificate-based email access, Office 365 Message Encryption allows you to send encrypted email to anyone, Data loss prevention prevents sensitive data from leaking either inside or outside the organization, Data loss prevention can be combined with Rights Management and Office 365 Message Encryption to give greater controls to your admins to apply appropriate policies to protect sensitive data
2. Continuous Compliance
- Proactive processes to meet your compliance needs
- Customer controls for organizational compliance
- Independently verified to meet evolving standards
Office 365 is a global service and continuous compliance refers to the commitment to evolve the Office 365 controls and stay up to date with standards and regulations that apply to your industry and geography. Because regulations often share the same or similar controls, this makes it easier for Microsoft to meet the requirements of new regulations or those specific to your organization and industry. In addition, Office 365 provides admin and user controls, including eDiscovery, legal hold, and data loss prevention, to help you meet internal compliance requirements. These require no additional on-premises infrastructure to use.
Independent Verification – Our service is verified to meet requirements specified in ISO 27001, EU model clauses, HIPAA BAA, and FISMA, Our data processing agreement details privacy, security, and handling of customer data, which helps you comply with local regulations
Proactive Approach to Regulatory Compliance – We have built over 900 controls in the Office 365 compliance framework that enable us to stay up to date with the ever evolving industry standards, A specialist compliance team is continuously tracking standards and regulations, developing common control sets for our product team to build into the service
Customer Controls for Organizational Compliance – Legal hold and eDiscovery built into the service helps you find, preserve, analyze, and package electronic content (often referred to as electronically stored information or ESI) for a legal request or investigation, Data loss prevention in Office 365 helps you identify, monitor, and protect sensitive information in your organization through deep content analysis
3. Privacy by Design
- Your data is not used for advertising
- You have extensive privacy controls
- You can take your data with you when you want
When you entrust your data to Office 365 you remain the sole owner of the data: you retain the rights, title, and interest in the data you store in Office 365. It’s our policy to not mine your data for advertising purposes or use your data except for purposes consistent with providing you cloud productivity services.
Data Ownership and What it Means – You are the owner of the data; Microsoft is the custodian or the processor of your data, It’s your data, so if you ever choose to leave the service, you can take your data with you, We do not mine your data for advertising purposes
Our Role as Data Processor – We only use your data for purposes consistent with providing you services you pay us for, regularly disclose the number of law enforcement requests we receive through our transparency reports, a government approaches us for access to customer data, we redirect the inquiry to you, the customer, whenever possible and have and will challenge in court any invalid legal demand that prohibits disclosure of a government request for customer data
Privacy Controls – Privacy controls allow you to configure who in your organization has access and what they can access, Design elements prevent mingling of your data with that of other organizations using Office 365, Extensive auditing and supervision prevent admins to get unauthorized access to your data
4. Transparent Operations
- You know where your data resides and who has access
- Visibility into availability and changes to the service
- Financially backed guarantee of 99.9% uptime
Moving to a cloud service shouldn’t mean losing access to knowing what’s going on. With Office 365, it doesn’t. We aim to be transparent in our operations so you can monitor the state of your service, track issues, and have historical view of availability.
Data Location and Access – We maintain multiple copies of your data, across data centers, for redundancy and will share with you where your data is located, We tell you who has access to your data and under what circumstances
Support with a Human Face – You have on-call 24/7 phone support for critical issues, We have DevOps processes which means 24/7 escalation to the actual development team to resolve issues that cannot be resolved by operations alone
We’re Accountable to You – We conduct a thorough review of all service incidents, regardless of magnitude of impact and we share the analysis if your organization is affected, We commit to delivering at least 99.9% up-time with a financially-backed guarantee.
If you would like to know more about Office 365 Security, contact us at Perficient and one of our certified cloud specialists can assist you in your deployment of Office 365.