There are plenty of reasons why organisations want to migrate their SharePoint intranet, Exchange, and other digital workplace tools to the cloud. But some people still view the move to the cloud as a big risk. Working at Content Formula, I find risk is the most common objection we come across from our clients when considering Office 365.
This is entirely rational. If you are responsible for your company’s data and systems it’s your job to think about this and ask — where’s my data going to sit? How secure is it? What about compliance? Reliability?
This infographic of the world’s biggest data breaches will send shivers down the spine of any CIO. It also illustrates the different ways that data can fall into the wrong hands. This means that any security measures need to be multi-layered. Office 365 security is made up of the following layers: physical security, logical security, data security, user controls and admin controls.
Physical security is all about ensuring the data centres themselves are safe and secure from threats such as intruders but also from ‘inside jobs’. Microsoft goes way beyond security guards and CCTV. They have biometric palm readers, segregation of the data network from the external network, demagnetisation and destruction of faulty hard drives, and role separation of data centre staff, to name a few.
Logical security covers computer systems and the processes for managing them and keeping them secure. Microsoft has two teams in place called Red Team and Blue Team who try to uncover security holes in the Office 365 architecture. The red team attempts to penetrate the systems whilst the blue team attempts to detect and stop them. On top of this, Microsoft also hires independent auditors and penetration testing firms to make sure their systems are bullet-proof. Logical security doesn’t just protect from external hackers but also from internal Microsoft access.
The data security layer ensures that data is adequately encrypted both when it is at rest – sitting in a data centre – and when it is in transit across the internet. This means that the only time it is not scrambled is when you are viewing it on your PC. On top of this there are all sorts of anti-spam, monitoring, and malware tools to make sure your data and staff are not falling prey to data thieves.
Giving customers and end users controls so that they can set their own security is a key concept in Office 365 security.
Data Loss Prevention, for example, allows you to restrict where content can be saved and shared, such as a USB stick, OneDrive, or SharePoint. Office 365 also enables end-users to send an encrypted message (even outside their own company) if they feel email is not secure enough.
Mobile Device Management allows IT admins to control how data is accessed on mobile devices and even wipe a device that has been lost or stolen. There are a bunch of other enterprise-level user controls on Office 365.
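The Data Loss Prevention control mentioned above works by first detecting sensitive content and then applying a rule for the destination. The following is an added example written for this article, not code from the original post, Content Formula or Microsoft: it checks text for payment card numbers using a candidate regex plus the Luhn checksum (the standard way of cutting false positives on card numbers) and then applies a small location policy. The POLICY table, the destination names and the evaluate() function are this example's own assumptions for illustration.

```python
"""Minimal DLP-style check: detect payment card numbers, then decide whether
the content may be saved or shared to a given destination.

Added example; the policy shape and destination names are assumptions."""
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalised (digits-only) card numbers that pass the Luhn check."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


# Assumed policy: where content containing card numbers is allowed to go.
POLICY = {
    "SharePoint": "allow",
    "OneDrive": "allow",
    "USB": "block",
    "ExternalEmail": "block",
}


def evaluate(text: str, destination: str) -> dict:
    """Decide allow/block for saving or sharing `text` to `destination`.

    Unknown destinations default to block (fail closed)."""
    cards = find_card_numbers(text)
    if not cards:
        return {"action": "allow", "matches": 0, "reason": "no sensitive content"}
    action = POLICY.get(destination, "block")
    return {"action": action, "matches": len(cards),
            "reason": f"{len(cards)} card number(s) found"}


if __name__ == "__main__":
    # Constructed sample text using a well-known Luhn-valid test number.
    sample = "Customer paid with card 4111 1111 1111 1111, ref 1234567890123456"
    for dest in ("SharePoint", "USB"):
        print(dest, evaluate(sample, dest))
```

The second 16-digit run in the sample fails the Luhn check, so it is not reported; that is the point of combining the checksum with the pattern match rather than blocking on any long run of digits.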
Data access and privacy
Entrusting a third party to hold and manage your data invariably means that you are giving them access to it. Or does it? Microsoft stresses that it doesn’t mine data for advertising purposes but has further recognised customer concern around this and has found many ways to secure customer data from itself as much as possible. Further, Microsoft aims for transparency, disclosing all sorts of details around data location and data access.
The only time Microsoft will access your data is to fix service issues. Even in these instances, there are many restrictions. For instance, only specifically trained, authorised, and authenticated engineers access the data, and this is always logged by the system and made available to the customer.
Where possible, only non-content such as IP address, email addresses, subject lines etc. are accessed to resolve issues. If an issue requires content access (as opposed to non-content) this is escalated first and further controls are invoked. There is now an optional yet built-in alert and permission system called Lockbox so that customers can explicitly bar access to data from authorised engineers.
In light of the Edward Snowden NSA revelations, Microsoft is also at pains to stress how seriously it controls customer data access by government agencies. It publishes details of law enforcement requests and fights requests in court if it believes them to be unjustified.
Microsoft has racked up an impressive list of certifications and standards when it comes to compliance around data protection. These include international, regional, and industry-specific standards. They are independently verified and audited on a continuous basis. In some cases, Microsoft works directly with data protection bodies to develop their services. In 2014, Microsoft received a letter of endorsement for Office 365 from a group consisting of all the data protection agencies in the European Union. Through the ‘EU Model Clauses’, Office 365 customers can now comply with the EU’s stringent Data Protection Directive relating to cross-border transfers of personal data.
To help customers meet specific compliance requirements for their industries, and to enable demonstrable control to auditors and regulators, a whole slew of customer controls are in place. For example, customers can access the Office 365 service logs so that they can show how data has been processed and managed. eDiscovery tools allow customers to mine and analyse vast amounts of data for litigation and investigation purposes. Many other controls allow clients to customise for compliance purposes.
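To make the service logs mentioned above useful to an auditor, an admin typically exports unified audit log records and summarises who did what to which file. The following is an added example written for this article, not code from the original post or from Microsoft: it parses an export of audit records and produces a per-file activity history plus a list of sharing events. The field names (CreationTime, Operation, UserId, Workload, ObjectId) and operation names follow the audit log's JSON schema; the records themselves are constructed sample data, and the set of operations treated as "sharing" is this example's own choice.

```python
"""Summarise exported Office 365 audit log records for compliance reporting.

Added example; SAMPLE_RECORDS is constructed data, not a real export."""
import json
from collections import Counter, defaultdict

# Constructed sample in JSON-lines form, mimicking an audit log export.
SAMPLE_RECORDS = """\
{"CreationTime": "2024-03-01T09:12:00", "Operation": "FileAccessed", "UserId": "alice@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.example/sites/finance/Q1-forecast.xlsx"}
{"CreationTime": "2024-03-01T09:15:00", "Operation": "FileDownloaded", "UserId": "alice@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.example/sites/finance/Q1-forecast.xlsx"}
{"CreationTime": "2024-03-01T10:02:00", "Operation": "AnonymousLinkCreated", "UserId": "bob@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.example/sites/finance/Q1-forecast.xlsx"}
{"CreationTime": "2024-03-01T10:05:00", "Operation": "FileAccessed", "UserId": "bob@contoso.example", "Workload": "OneDrive", "ObjectId": "https://contoso.example/personal/bob/notes.docx"}
{"CreationTime": "2024-03-01T11:30:00", "Operation": "SharingSet", "UserId": "carol@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.example/sites/hr/salaries.xlsx"}
"""

# Operations that change who can reach a file; chosen for this example.
SHARING_OPERATIONS = {
    "AnonymousLinkCreated", "SharingSet",
    "SharingInvitationCreated", "SecureLinkCreated",
}


def parse_records(text: str) -> list[dict]:
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def operations_by_user(records: list[dict]) -> dict[str, Counter]:
    """Count operations per user, e.g. to show an auditor who touched data."""
    counts: dict[str, Counter] = defaultdict(Counter)
    for r in records:
        counts[r["UserId"]][r["Operation"]] += 1
    return dict(counts)


def file_activity_report(records: list[dict]) -> dict[str, list[dict]]:
    """Chronological history per file: who did what, and when."""
    history: dict[str, list[dict]] = defaultdict(list)
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        history[r["ObjectId"]].append({
            "time": r["CreationTime"],
            "user": r["UserId"],
            "operation": r["Operation"],
            "workload": r["Workload"],
        })
    return dict(history)


def sharing_events(records: list[dict]) -> list[dict]:
    """Records that widened access to a file, oldest first."""
    return sorted(
        (r for r in records if r["Operation"] in SHARING_OPERATIONS),
        key=lambda r: r["CreationTime"],
    )


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for obj, events in file_activity_report(recs).items():
        print(obj)
        for e in events:
            print("  ", e["time"], e["user"], e["operation"])
    print("sharing events:", [(r["UserId"], r["Operation"]) for r in sharing_events(recs)])
```

Anonymous link creation on a finance spreadsheet is exactly the kind of event a reviewer wants surfaced separately from routine reads, which is why sharing operations get their own list rather than being buried in per-user counts.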
These days it’s fair to say that file management and email are mission critical. Service reliability is therefore a key risk when moving to the cloud. Again, Microsoft sees transparency as a key means of addressing doubts about reliability. It publishes uptime reports that show that the Office 365 service has never dropped below its 99.9% uptime guarantee, at least on a global level.
As a customer, you also have access to an Office 365 service health dashboard of impressively detailed and granular data and reports surrounding your own service.
When it comes to my own experience with Office 365, I’ve had a few minor glitches but nothing more. I’ve worked in large organisations that manage their systems in-house; if you have too I am sure you too have seen these systems go down frequently, often for hours at a time.
And this final point brings me to my conclusion. Surely any evaluation of a cloud service like Office 365 has to be done in comparison with the in-house alternative, delivered using smaller resources, less expertise, and more rudimentary functions. Not moving to the cloud may represent the bigger risk for many organisations.
I hope I’ve provided an overview of how Microsoft addresses key risks; as a Tier 1 Microsoft cloud solution provider, we have the utmost confidence in Microsoft’s cloud security. For more detail go to the Office365 Trust Centre.
As a gold Microsoft Partner, we can help you with every aspect of SharePoint and Office 365. Take a look at our recent work.