Cloud Services you can trust: Security, Compliance and Privacy in Office 365
When you make a decision to place your trust in a cloud services provider for productivity services, security, compliance, and privacy are top of mind. With over a billion customers on Office and decades of experience running online services, we understand what it takes to earn and continue to maintain your trust and confidence in Office 365.
Our construct for security, compliance and privacy in Office 365 has two equally important dimensions - Built-in capabilities that include service-wide, technical capabilities, operational procedures and policies that are enabled by default for customers using the service and Customer controls that include features that enable you to customize the Office 365 environment based on the specific needs of your organization.
We will look at Built-in capabilities and Customer controls for each of the key pillars of trust - Security, Privacy and Compliance - in more detail below.
Security of our customers' information is a key trust principle. We implement policies and controls to safeguard customer data in the cloud and provide unique customer controls that you can use to customize your organizational environment in Office 365.
Built-in capabilitiesAs an Office 365 customer, you will benefit directly from in-depth security features that we have built into the service as a result of experience gained from years of building enterprise-grade software, managing a number of online services and billions of dollars in security investments. We have implemented technologies and processes that are independently verified to ensure high security of customer data.
Some key aspects of our built-in security capabilities are:
- Physical security - We monitor our data centers 24/7 and we have technologies and processes to protect our data centers from unauthorized access or natural disasters
- Security best practices -We use best practices in design like Secure Development Lifecycle and operations like defense-in-depth to keep your data secure in our data centers
- Data encryption - Every customers' email content is encrypted at rest using BitLocker Advanced Encryption Standard (AES) encryption
- Secure network layer - Our networks are segmented, providing physical separation of critical back-end servers from the public-facing interfaces at the same time our Edge router security detects intrusions and signs of vulnerability
- Automated operations like Lock Box processes - Access to the IT systems that store customer data is strictly controlled via lock box processes. This access control mechanism is similar to a system where two people have to turn the key for an action to be allowed.
Customer controlsAs a result of Office 365 offering productivity services to a wide range of industries, we have built both features and choices that you can control to enhance the security of data based on the needs of your organization.
Some key aspects of our customer controls for security are:
- Exchange Hosted Encryption - Enables delivery of confidential business communications safely, letting users send and receive encrypted email directly from their desktops as easily as regular email.
- S/MIME - Enables encryption of an email messages and allows for the originator to digitally sign the message to protect the integrity and origin of the message. As part of our continued investment in security technologies that Government and Security conscious customers care about, we are adding support for S/MIME for Office 365 in the first quarter of Calendar Year 2014.
- Rights Management Services - Enables a user to encrypt information using 128-bit AES and use policies on email or documents so that the content is appropriately used by specified people.
- Role based access control - Allows administrators to enable access to authorized users based on role assignment, role authorization and permission authorization.
- Exchange Online Protection - Allows administrators to manage your company's Anti-virus and Anti-spam settings from within the Office 365 administration console.
- Identity Management - Provides organizations with various options for identity management such as cloud based identity, identities mastered on-premises with secure token based authentication or hashed passwords to integrate into the Office 365 identity management system based on the security needs of your organization.
- Two factor Authentication - Enhances security in a multi-device, mobile, and cloud-centric world by using a second factor, such as a PIN, in addition to the primary factor which is identity.
ComplianceAnother key principle of Office 365 trust is Compliance. It is expected that commercial organizations have regulations and policies that they must comply with to operate businesses in various industries. These policies can be a mix of external regulatory requirements that vary depending on industry and geographical location of the organization and internal company-based policies. Office 365 provides built-in capabilities and customer controls to help customers meet both various industry regulations and internal compliance requirements.
Built-in capabilitiesOffice 365 stays up-to-date with many of today's ever-evolving standards and regulations, giving customers greater confidence. To bolster this and to continue earning your confidence, we undergo third-party audits by internationally recognized auditors as an independent validation that we comply with our policies and procedures for security, compliance and privacy.
Some key aspects of built-in compliance capabilities are:
- Independently Verified - Third party audits verify that Office 365 meets many key world-class industry standards and certifications
- Control framework - We follow a strategic approach of implementing extensive standard controls that in turn satisfy various industry regulations. Office 365 supports over 600 controls that enable us to meet complex standards and offer contracts to customers in regulated industries or geographies, like ISO 27001, the EU Model Clauses, HIPAA Business Associate Agreements, FISMA/FedRAMP
- Comprehensive Data Processing Agreement - Our Data Processing Agreement comprehensively addresses privacy and security of customer data, helping customers comply with local regulations
Customer ControlsWe provide Compliance controls within the service to help our customers comply based on the policy needs of their organization.
Some key customer controls for compliance are:
- Data Loss Prevention - Helps customers to identify, monitor and protect sensitive data through content analysis
- Archiving - Allows organizations to preserve electronically stored information retaining e-mail messages, calendar items, tasks, and other mailbox items
- E-Discovery - Permits customers to retrieve content from across Exchange Online, SharePoint Online, Lync Online, and even file shares
PrivacyPrivacy is our third trust principle. As more and more customers are relying on online service providers to keep their data safe from loss, theft, or misuse by third parties, other customers, or even the provider's employees, we recognize that cloud services raise unique privacy questions for businesses.
To meet your needs, we are continually developing technologies to enhance privacy in our services. We call this privacy by design - which is our commitment to use best practices to help protect and manage customer data.
Built-in CapabilitiesKey built-in capabilities and principles of Privacy in Office 365 are:
- No Advertising - We do not scan email, documents, build analytics or data mine to build advertising products. In fact, we do not use your information for anything other than providing you services you have subscribed for.
- Data Portability - As an Office 365 customer, your data belongs to you, and you can export your data at any time with no restrictions. We act only as a data processor and provider of productivity services, not as a data owner.
- Notice and Consent - When we act upon your data, we let you know why and we ask for permission in advance or redirect any enquiries to our customers unless legally prevented to do so.
- Breach Response - We have strong, tested and audited processes to inform you if there is a breach and remediate issues if they occur.
- Data Minimization - We strive to minimize the actual amount of customer data that our internal teams have access to.
Customer ControlsIn addition to built-in capabilities, Office 365 enables you to collaborate through the use of transparent policies and strong tools while providing the distinct ability to control information sharing.
Some examples of customer controls for privacy are:
- Rights Management in Office 365 - Allows individuals and administrators to specify access permissions to documents, workbooks, and presentations. This helps you prevent sensitive information from being printed, forwarded, or copied by unauthorized people by applying intelligent policies
- Privacy controls for sites, libraries and folders- SharePoint Online, a key component service of Office 365 that provides collaboration functionality has a number of privacy controls. One example is that SharePoint Online sites are set to "private" by default. A second example is that a document uploaded to a SkyDrive Pro is not shared until the user provides explicit permissions and identifies who to share with.
- Privacy controls for communications - In Lync Online, another key component service that provides real time communications in Office 365, there are various administrator level controls as well as user level controls to enable or block communication with external users and organizations. One example is blocking access to federation in Lync. Similarly there are controls throughout the service for the admins and users to ensure privacy of their content and communications.
In addition, we take the advantage of scale and continuous feedback from providing services to a diverse customer base across industry and geography to constantly learn and improve the Office 365 services. Security, Compliance and Privacy are the key pillars of the Office 365 Trust Center (the other two pillars being Transparency and Service Continuity).
Customers can have confidence that Microsoft is a thought leader and will continue to make deep investments to protect customers in the cloud.
Learn more about security, compliance, and trust in this weeks Garage Series: Explaining data security and your control in Office 365.
Learn more about recent compliance agreements with the announcement for the state of California and Microsoft signing the CJIS security policy agreement.
-- Vijay Kumar