Is my data safe on SharePoint Online and Office 365?

There are plenty of reasons why organisations want to migrate their SharePoint intranet, Exchange, and other digital workplace tools to the cloud. But some people still view the move to the cloud as a big risk. Working at Content Formula, I find risk is the most common objection we come across from our clients when considering Office 365.

This is entirely rational. If you are responsible for your company's data and systems, it's your job to think about this and ask: where's my data going to sit? How secure is it? What about compliance? Reliability?

Security

This infographic of the world's biggest data breaches will send shivers down the spine of any CIO. It also illustrates the different ways that data can fall into the wrong hands. This means that any security measures need to be multi-layered. Office 365 security is made up of the following layers: physical security, logical security, data security, user controls and admin controls.

Physical security is all about ensuring the data centres themselves are safe and secure from threats such as intruders but also from ‘inside jobs’. Microsoft goes way beyond security guards and CCTV. They have biometric palm readers, segregation of the data network from the external network, demagnetisation and destruction of faulty hard drives, and role separation of datacenter staff, to name a few.

Logical security covers computer systems and the processes for managing them and keeping them secure. Microsoft has two teams in place called Red Team and Blue Team who try to uncover security holes in the Office 365 architecture. The red team attempts to penetrate the systems whilst the blue team attempts to detect and stop them. On top of this, Microsoft also hires independent auditors and penetration testing firms to make sure their systems are bullet-proof. Logical security doesn't just protect from external hackers but also from internal Microsoft access.

The data security layer ensures that data is adequately encrypted both when it is at rest – sitting in a data centre – and when it is in transit across the internet. This means that the only time it is not scrambled is when you are viewing it on your PC. On top of this there are all sorts of anti-spam, monitoring, and malware tools to make sure your data and staff are not falling prey to data thieves.

Giving customers and end users controls so that they can set their own security is a key concept in Office 365 security.

Data Loss Prevention, for example, allows you to restrict where content can be saved and shared, such as a USB stick, OneDrive, or SharePoint. Office 365 also enables end-users to send an encrypted message (even outside their own company) if they feel email is not secure enough.

Mobile Device Management allows IT admins to control how data is accessed on mobile devices and even wipe a device that has been lost or stolen. There are a bunch of other enterprise-level user controls on Office 365.

Data access and privacy

Entrusting a third party to hold and manage your data invariably means that you are giving them access to it. Or does it? Microsoft stresses that it doesn't mine data for advertising purposes but has further recognised customer concern around this and has found many ways to secure customer data from itself as much as possible. Further, Microsoft aims for transparency, disclosing all sorts of details around data location and data access.

The only time Microsoft will access your data is to fix service issues. Even in these instances, there are many restrictions. For instance, only specifically trained, authorised, and authenticated engineers access the data, and this is always logged by the system and made available to the customer.

Where possible, only non-content such as IP address, email addresses, subject lines etc. are accessed to resolve issues. If an issue requires content access (as opposed to non-content) this is escalated first and further controls are invoked. There is now an optional yet built-in alert and permission system called Lockbox so that customers can explicitly bar access to data from authorised engineers.

In light of the Edward Snowden NSA revelations, Microsoft also is at pains to stress how seriously it controls customer data access by government agencies. It publishes details of law enforcement requests and fights requests in court if it believes them to be unjustified.


Microsoft has racked up an impressive list of certifications and standards when it comes to compliance around data protection. These include international, regional, and industry-specific standards. They are independently verified and audited on a continuous basis. In some cases, Microsoft works directly with data protection bodies to develop their services. In 2014, Microsoft received a letter of endorsement for Office 365 from a group consisting of all the data protection agencies in the European Union. Through the ‘EU Model Clauses’, Office 365 customers can now comply with the EU's stringent Data Protection Directive relating to cross-border transfers of personal data.

To help customers meet specific compliance requirements for their industries, and to enable demonstrable control to auditors and regulators, a whole slew of customer controls are in place. For example, customers can access the Office 365 service logs so that they can show how data has been processed and managed. eDiscovery tools allow customers to mine and analyse vast amounts of data for litigation and investigation purposes. Many other controls allow clients to customise for compliance purposes.


These days it's fair to say that file management and email are mission critical. Service reliability is therefore a key risk when moving to the cloud. Again, Microsoft sees transparency as a key means of addressing doubts about reliability. It publishes uptime reports that show that the Office 365 service has never dropped below its 99.9% uptime guarantee, at least on a global level.

As a customer, you also have access to an Office 365 service health dashboard of impressively detailed and granular data and reports surrounding your own service.

O365 Service Health Dashboard

When it comes to my own experience with Office 365, I've had a few minor glitches but nothing more. I've worked in large organisations that manage their systems in-house; if you have too, I am sure you too have seen these systems go down frequently, often for hours at a time.

And this final point brings me to my conclusion. Because surely any evaluation of a cloud service like Office 365 has to be done in comparison with the in-house alternative delivered using smaller resources, less expertise, and more rudimentary functions. Not moving to the cloud may represent the bigger risk for many organisations.

I hope I’ve provided an overview of how Microsoft addresses key risks; as a Tier 1 Microsoft cloud solution provider, we have the utmost confidence in Microsoft’s cloud security. For more detail go to the Office365 Trust Centre.

As a gold Microsoft Partner, we can help you with every aspect of SharePoint and Office 365. Take a look at our recent work.

We're platinum sponsor of the Intranet Now conference

When Wedge, our blog manager and intranet content strategist, came to me in 2014 and said he was launching a new and independent intranet conference, I knew I could help. But I couldn't have foreseen the momentum he built. From a few tweets, he found sponsors, speakers, and an audience in just weeks.

It turned out that the UK was ready for a brand new conference. Intranet Now was born.

Nobody really knew what to expect back then, but the day went swimmingly, and everyone got a lot out of it.

Last year's event had more time, energy, and money invested into it, and was a very swish affair.

Now, for the third event, Wedge and Brian (business partners) mean to switch things up even more, with over 20 lightning talks and a new format for the afternoon activities. I can't wait to see how it goes, and I'm looking forward to the table discussions and workshops in the afternoon.

Supporting Wedge this year was an easy decision: the Intranet Now conference is a proven event that attracts comms and intranet people from across the country. With Content Formula as platinum sponsor, we hope to share a little of what we've learnt about intranets, SharePoint and Office 365. But beyond the technology, it's the user research and the way we tackle collaboration problems that we're known for, and so I hope the whole audience will enjoy our presentation and get something useful out of it.

Intranet Now is an independent conference, run by Wedge and Brian. They're keen to create a dynamic day of learning and conversation, and mean to exclude nobody: the ticket prices are very low, and the early-bird tickets (which end this month) are virtually a gift. I suppose we've helped keep those prices so low!

A 7-point framework for employee engagement in the digital workplace

Modern organisations are using a number of clever techniques to accelerate internal change and make it stick. This free e-book puts forward a simple and effective 7-point framework to use to deliver change campaigns and programmes.

Setting the strategy and developing an essential intranet (presentation)

Months of intranet development and rework can save a few intense days of planning.

The video offers a 10-minute synopsis of my recent 45-minute keynote. Turn the sound on or off as you prefer.

Even though you'll most likely develop your intranet in an agile and collaborative manner, it's common sense to have the overall purpose and objectives mapped out and accepted by your stakeholders and colleagues.

The discovery phase of intranet development / improvement is an exciting phase in my mind; you get to uncover business problems and understand the value that a future solution might bring. In parallel, it's also a good time to draft several light documents to guide the intranet's direction.


Not everyone is thrilled by the word 'vision', but having a few short paragraphs to discuss with people inside and outside the project helps everyone gain a similar understanding of what can be intangible work. Think elevator pitch: the paragraph that explains what people will be able to do and why that's so important.

My repeated advice is to publish all the supporting material as simple intranet pages and frequently update people with news stories and blog articles about progress.


The intranet strategy must support the business strategy, or else what is your intranet for?

I asked the conference audience how many had an intranet strategy and a few hands went up. I asked if they had published and updated it; most hands went down. Considering the stakeholders and all the content owners and contributors, shouldn't your intranet strategy be easy to access and easy to read?

Strategy isn't about the features or the technology, but about the direction and purpose.
It's about what we will achieve.


Now we get into what many people are rather interested in. The roadmap does lay out new functionality and technologies. It shows what you're going to do and when. I am assuming that you believe in continuous improvement, rather than a 'launch and let go' approach to intranet management.

If Microsoft can publish their Office 365 roadmap, you can certainly list out or visually present the improvements you have planned for the next couple of years. This may be as simple as switching on Yammer and helping the Customer Service team better collaborate with the Sales Team.



Knowledge management? Knowledge sharing!

Getting things done is the overall purpose of the digital workplace; I'll let you define what 'work' means when it comes to collaboration and your business. It's often been said that the intranet supports four purposes:

  • Knowledge management / document management libraries
  • Communication
  • Business processes / tools / activity
  • Collaboration – spaces and tools.

Information is for action, not storage. We must enable better decision making.

As much as document management can be crucial, let's just state for the record that it's the application of knowledge that creates value.

How to deliver essential tools

The conclusion of my presentation states that only through research and continuous improvements can you deliver a truly essential intranet.

Content Formula has a visual approach to research. Many people claim to be visual thinkers and don't enjoy reading pages of research results or crunching the numbers involved with data analysis. Lots of stakeholders and clients actually ask to see designs before we've designed anything. Sounds daft, doesn't it? But it’s not.

Wireframes

After a little conversational research, our visual designers (I'm thinking about John Scott here) can whip up custom intranet mock-ups to help project managers talk to stakeholders about the end result. These beautiful concept designs help gain buy-in from management and staff alike.

Then it's on to user research and UX testing. After a variety of research methods, we're able to start laying out content and functionality. We use wireframing to show page layouts, and we can transform these into online prototypes so that people can actually explore. We specifically use prototypes to test the UX by asking people to complete certain tasks, like finding a certain policy. By watching and measuring how people use the prototype, we can improve our architecture and designs.

Useful, useable, used

Because our aim is to create an intranet that meets people's expectations and solves business problems.

Take a look at our series of short articles about SharePoint intranet design, especially the one where John explains prototype testing in detail.
