Is my data safe on SharePoint Online and Office 365?

There are plenty of reasons why organisations want to migrate their SharePoint intranet, Exchange, and other digital workplace tools to the cloud. But some people still view the move to the cloud as a big risk. Working at Content Formula, I find risk is the most common objection we come across from our clients when considering Office 365.

This is entirely rational. If you are responsible for your company’s data and systems, it’s your job to think about this and ask: where’s my data going to sit? How secure is it? What about compliance? Reliability?

Security

This infographic of the world’s biggest data breaches will send shivers down the spine of any CIO. It also illustrates the different ways that data can fall into the wrong hands. This means that any security measures need to be multi-layered. Office 365 security is made up of the following layers: physical security, logical security, data security, user controls and admin controls.

Physical security is all about ensuring the data centres themselves are safe and secure from threats such as intruders but also from ‘inside jobs’. Microsoft goes way beyond security guards and CCTV. They have biometric palm readers, segregation of the data network from the external network, demagnetisation and destruction of faulty hard drives, and role separation of datacenter staff, to name a few.

Logical security covers computer systems and the processes for managing them and keeping them secure. Microsoft has two teams in place called Red Team and Blue Team who try to uncover security holes in the Office 365 architecture. The red team attempts to penetrate the systems whilst the blue team attempts to detect and stop them. On top of this, Microsoft also hires independent auditors and penetration testing firms to make sure their systems are bullet-proof. Logical security doesn’t just protect from external hackers but also from internal Microsoft access.

The data security layer ensures that data is adequately encrypted both when it is at rest – sitting in a data centre – and when it is in transit across the internet. This means that the only time it is not scrambled is when you are viewing it on your PC. On top of this there are all sorts of anti-spam, monitoring, and malware tools to make sure your data and staff are not falling prey to data thieves.

Giving customers and end users controls so that they can set their own security is a key concept in Office 365 security.

Data Loss Prevention, for example, allows you to restrict where content can be saved and shared, such as a USB stick, OneDrive, or SharePoint. Office 365 also enables end-users to send an encrypted message (even outside their own company) if they feel email is not secure enough.

Mobile Device Management allows IT admins to control how data is accessed on mobile devices and even wipe a device that has been lost or stolen. There are a bunch of other enterprise-level user controls on Office 365.

Data access and privacy

Entrusting a third party to hold and manage your data invariably means that you are giving them access to it. Or does it? Microsoft stresses that it doesn’t mine data for advertising purposes but has further recognised customer concern around this and has found many ways to secure customer data from itself as much as possible. Further, Microsoft aims for transparency, disclosing all sorts of details around data location and data access.

The only time Microsoft will access your data is to fix service issues. Even in these instances, there are many restrictions. For instance, only specifically trained, authorised, and authenticated engineers access the data, and this is always logged by the system and made available to the customer.

Where possible, only non-content such as IP address, email addresses, subject lines etc. are accessed to resolve issues. If an issue requires content access (as opposed to non-content) this is escalated first and further controls are invoked. There is now an optional yet built-in alert and permission system called Lockbox so that customers can explicitly bar access to data from authorised engineers.

In light of the Edward Snowden NSA revelations, Microsoft also is at pains to stress how seriously it controls customer data access by government agencies. It publishes details of law enforcement requests and fights requests in court if it believes them to be unjustified.


Microsoft has racked up an impressive list of certifications and standards when it comes to compliance around data protection. These include international, regional, and industry-specific standards. They are independently verified and audited on a continuous basis. In some cases, Microsoft works directly with data protection bodies to develop their services. In 2014, Microsoft received a letter of endorsement for Office 365 from a group consisting of all the data protection agencies in the European Union. Through the ‘EU Model Clauses’, Office 365 customers can now comply with the EU’s stringent Data Protection Directive relating to cross-border transfers of personal data.

To help customers meet specific compliance requirements for their industries, and to enable demonstrable control to auditors and regulators, a whole slew of customer controls are in place. For example, customers can access the Office 365 service logs so that they can show how data has been processed and managed. eDiscovery tools allow customers to mine and analyse vast amounts of data for litigation and investigation purposes. Many other controls allow clients to customise for compliance purposes.


These days it’s fair to say that file management and email are mission critical. Service reliability is therefore a key risk when moving to the cloud. Again, Microsoft sees transparency as a key means of addressing doubts about reliability. It publishes uptime reports that show that the Office 365 service has never dropped below its 99.9% uptime guarantee, at least on a global level.

As a customer, you also have access to an Office 365 service health dashboard of impressively detailed and granular data and reports surrounding your own service.

O365 Service Health Dashboard

When it comes to my own experience with Office 365, I’ve had a few minor glitches but nothing more. I’ve worked in large organisations that manage their systems in-house; if you have too, I am sure you too have seen these systems go down frequently, often for hours at a time.

And this final point brings me to my conclusion. Because surely any evaluation of a cloud service like Office 365 has to be done in comparison with the in-house alternative delivered using smaller resources, less expertise, and more rudimentary functions. Not moving to the cloud may represent the bigger risk for many organisations.

I hope I’ve provided an overview of how Microsoft addresses key risks; as a Tier 1 Microsoft cloud solution provider, we have the utmost confidence in Microsoft’s cloud security. For more detail go to the Office365 Trust Centre.

As a gold Microsoft Partner, we can help you with every aspect of SharePoint and Office 365. Take a look at our recent work.

Intranet hierarchy of needs

There are many ways to build a new intranet, or revamp an ageing one. Whatever your approach, your objective must be to create a useful, useable intranet that adds value to your business.

Design is a holistic process, but there are some foundation concepts that should be solidly addressed.

Security: the foundation requirement of your digital workplace

If your intranet is internally hosted, then your IT department will manage security as they do for your whole network.

If your intranet, or part of it, is hosted in the cloud then the host will manage security as part of their service. It’s a fact that if you’re using SharePoint Online or Office 365 then Microsoft’s cloud security is second to none.

As architects or intranet managers, your concern should be about password management and authentication. The weak chink in your security is employees reusing personal passwords on every system. What does your Information Security Manager advise regarding password complexity? Here’s the official Microsoft password checker (other checkers might be fake).

Single sign-on is a must; people expect enterprise software to know who they are once they’ve logged on to their computer and intranet.

What about two-factor authentication? Incredibly secure, but Aviva found log-ins declined sharply when they experimented with two-factor.

Access and accessibility

Ease of logging-in brings us to access; if your intranet is secure yet staff and authorised people cannot log-in without having to call the IT helpdesk, your intranet will not be a value-adding place of work.

Do you allow home access? If your intranet is in the cloud or simply hosted externally by a partner company, then access over the Internet should be easy. If your intranet is internally hosted then your Info Sec and IT people need to decide whether to open it up to the Internet or create secure access via VPN.

It’s not all about working from home, of course; knowledge workers might be on a train, waiting at airports, or working from a client’s office.

Which brings us to the topic of mobile access. If people are allowed access to your intranet while out and about with their laptop, what about on a phone or tablet? You may already issue iPads to executives; can they access the intranet over 3G or Wi-Fi when not in the office? What about their company-issued smartphones?

Access via personal tablets and smartphones is also a consideration. The information security risk can be greater, depending on what people are able to access, but arrangements can be made to mitigate the risk. Many enterprises support BYOD (Bring Your Own Device) and deploy apps for secure communication. Mobile Device Management (MDM) can add a layer of security for company or personal devices.

A part of access is accessibility. Often swept aside as an issue that affects a small percentage of people, accessibility is actually about good design. It’s about designing for real people, in different situations (in the office, walking in corridors, sat in a taxi) who have different needs and approaches to the screen and information.

Useful: facilitating valuable work, reducing administrative burden

Who was it that said ‘make it valuable, then easy, then fast, then pretty’?

The usefulness of your intranet can only be measured against how it helps people support your organisation’s objectives. The very purpose of your intranet must be aligned with what people already do and actually need in order to work more efficiently and effectively.

This focus on productivity in no way invalidates the human side of business. Employee engagement, social communications, change management, and L&D can all be empowered and facilitated by a decent intranet platform.

Employees will only use the intranet if it’s of use to them. It’s a tautology, but worth remembering. Home page communications will not, alone, draw people in. If the HR team only accepts requests via email then they will live in their inbox. For the intranet to be useful to such a team, it would need to manage requests and workflows. Such an online approach should reduce admin burden and provide a more robust, auditable service.

To monitor and demonstrate the intranet’s usefulness:

  • Review and develop KPIs that support business KPIs
  • Redevelop your intranet strategy to be sharper, and to directly support the business strategy
  • Revamp your intranet governance and ensure the right stakeholders are involved (via regular steering committee meetings).

Make your intranet into a company-wide service platform, rather than merely a cost to the IT and Comms departments.

Easy: useable; works as needed and as expected

Hand-in-hand with useful comes the user experience (UX). This isn’t simply about reducing clicks, but about providing an interface that allows experienced users to get on with things, while enabling less experienced people as well.

The only way to meet people’s needs and expectations is through ethnographic research. Following best practices will only get you so far. For example, stakeholders and the intranet manager may have strong ideas around what the main navigation menus should offer, but only from research can you find out what people really need and expect. Even menu names can be optimised to match people’s vocabulary; why use the technical name for your expense system if everyone just says ‘expenses’?

What’s the loading time of various intranet pages? Is it slower at different locations? Consider the network, server technology, and intranet design options available to optimise the speed of your intranet.

Design can’t be a committee matter; a clear vision is required, backed up by relevant evidence. Design isn’t just about how things look; design is about how things work. This is just as true for digital services as it is for real-life products.

What are people’s pain-points right now? How long does it take to complete an expense claim? How hard is it to update a document? Go around your organisation and discover what damages people’s intranet experience, then work out how to delight them.

Nice: attractive, engaging; the form follows the function and directs use

People make up their minds about things in all sorts of illogical ways. The intranet could save a person hours each day, and they could still claim to hate it if it looks like something from the previous decade.

It’s perfectly possible to design a home page and publish news and updates without photos or imagery of any kind. Our advice, however, is to really focus on the visuals; communications, reference materials, and even forms benefit from relevant photos and illustrative graphics. There’s a definite shift to multimedia communications; user-generated videos and webinar recordings can make for engaging updates and support online learning.

Page layout and content design can quickly show people what they can do on the intranet. While forms may be boring, designing them for ease of use (considering the number of fields, clicks, and the order of everything) can save minutes, and frustration.

Work your way up the triangle

People won’t thank you for a good-looking intranet that does nothing for them. Consider people’s needs in light of your organisation’s objectives, and get the foundations right.

Once your IT department and leaders are assured the intranet is secure, you can work on opening up access to people at home, to commuters, and to partners within your supply chain.

Once your intranet is truly useful, a real enabler of business, you can work to refine how people use it, simplifying and streamlining workflows, forms, and navigation.

Then you can optimise the reading experience to create a more engaging intranet.

Now, where within the triangle do you think social should sit? Collaboration might fit well within ‘useful’, but what about your enterprise social network and private messaging systems?
