Cloud Services you can trust: Security, Compliance and Privacy in Office 365
Used with permission from Microsoft
When you make a decision to place your trust in a cloud services provider for
productivity services, security, compliance, and privacy are top of mind.
With over a billion customers on Office and decades of experience running
online services, we understand what it takes to earn and continue to
maintain your trust and confidence in Office 365.
Our construct for security, compliance and privacy in Office 365 has two
equally important dimensions: Built-in capabilities, which include service-wide
technical capabilities, operational procedures and policies that are enabled by
default for customers using the service, and Customer controls, which include
features that enable you to customize the Office 365 environment based on
the specific needs of your organization.
We will look at Built-in
capabilities and Customer controls for each of the key pillars of trust -
Security, Privacy and Compliance - in more detail below.
Security
Security of our customers' information is a key trust principle. We
implement policies and controls to safeguard customer data in the cloud
and provide unique customer controls that you can use to customize your
organizational environment in Office 365.
Built-in capabilities
As an Office 365 customer, you will benefit
directly from in-depth security features that we have built into the
service as a result of experience gained from years of building
enterprise-grade software, managing a number of online services and
billions of dollars in security investments. We have implemented
technologies and processes that are independently verified to ensure high
security of customer data.
Some key aspects of our built-in
security capabilities are:
- Physical security - We monitor our data centers
24/7 and we have technologies and processes to protect our data centers
from unauthorized access or natural disasters
- Security best practices - We use best practices in
design like Secure Development Lifecycle and operations like
defense-in-depth to keep your data secure in our data centers
- Data encryption - Every customer's email content is
encrypted at rest using BitLocker Advanced Encryption Standard (AES)
encryption
- Secure network layer - Our networks are segmented,
providing physical separation of critical back-end servers from the
public-facing interfaces. At the same time, our Edge router security
detects intrusions and signs of vulnerability
- Automated operations like Lock Box processes -
Access to the IT systems that store customer data is strictly controlled
via lock box processes. This access control mechanism is similar to a
system where two people have to turn the key for an action to be
allowed.
Customer controls
As a result of Office
365 offering productivity services to a wide range of industries, we have
built both features and choices that you can control to enhance the
security of data based on the needs of your organization.
Some key aspects of our customer controls for security are:
Encryption features
- Exchange Hosted Encryption - Enables delivery of
confidential business communications safely, letting users send and
receive encrypted email directly from their desktops as easily as
regular email.
- S/MIME - Enables encryption of an email message
and allows for the originator to digitally sign the message to protect
the integrity and origin of the message. As part of our continued
investment in security technologies that government and
security-conscious customers care about, we are adding support for S/MIME for
Office 365 in the first quarter of Calendar Year 2014.
- Rights Management Services - Enables a user to
encrypt information using 128-bit AES and use policies on email or
documents so that the content is appropriately used by specified
people.
Identity and access features
- Role based access control - Allows administrators
to enable access to authorized users based on role assignment, role
authorization and permission authorization.
- Exchange Online Protection - Allows administrators
to manage your company's Anti-virus and Anti-spam settings from within
the Office 365 administration console.
- Identity Management - Provides organizations with
various options for identity management such as cloud based identity,
identities mastered on-premises with secure token based authentication
or hashed passwords to integrate into the Office 365 identity management
system based on the security needs of your organization.
- Two factor Authentication - Enhances security in a
multi-device, mobile, and cloud-centric world by using a second factor,
such as a PIN, in addition to the primary factor which is
identity.
Compliance
Another key principle of Office 365 trust is Compliance. It is
expected that commercial organizations have regulations and policies that
they must comply with to operate businesses in various industries. These
policies can be a mix of external regulatory requirements that vary
depending on industry and geographical location of the organization and
internal company-based policies. Office 365 provides built-in
capabilities and customer controls to help customers meet both various
industry regulations and internal compliance
requirements.
Built-in capabilities
Office 365 stays
up-to-date with many of today's ever-evolving standards and regulations,
giving customers greater confidence. To bolster this and to continue
earning your confidence, we undergo third-party audits by internationally
recognized auditors as an independent validation that we comply with our
policies and procedures for security, compliance and privacy.
Some key aspects of built-in compliance capabilities are:
- Independently Verified - Third party audits verify
that Office 365 meets many key world-class industry standards and
certifications
- Control framework - We follow a strategic approach
of implementing extensive standard controls that in turn satisfy various
industry regulations. Office 365 supports over 600 controls that enable
us to meet complex standards and offer contracts to customers in
regulated industries or geographies, like ISO 27001, the EU Model
Clauses, HIPAA Business Associate Agreements, FISMA/FedRAMP
- Comprehensive Data Processing Agreement - Our Data
Processing Agreement comprehensively addresses privacy and security of
customer data, helping customers comply with local
regulations
Customer Controls
We provide Compliance
controls within the service to help our customers comply based on the
policy needs of their organization.
Some key customer controls for
compliance are:
- Data Loss Prevention - Helps customers to identify,
monitor and protect sensitive data through content analysis
- Archiving - Allows organizations to preserve
electronically stored information retaining e-mail messages, calendar
items, tasks, and other mailbox items
- E-Discovery - Permits customers to retrieve content
from across Exchange Online, SharePoint Online, Lync Online, and even
file shares
Privacy
Privacy is our third trust principle. As more and more customers are
relying on online service providers to keep their data safe from loss,
theft, or misuse by third parties, other customers, or even the provider's
employees, we recognize that cloud services raise unique privacy questions
for businesses.
To meet your needs, we are continually
developing technologies to enhance privacy in our services. We call this
privacy by design - which is our commitment to use best practices to help
protect and manage customer data.
Built-in Capabilities
Key built-in capabilities and principles of
Privacy in Office 365 are:
- No Advertising - We do not scan email or documents, build analytics,
or mine data to build advertising products. In fact, we
do not use your information for anything other than providing you
the services you have subscribed to.
- Data Portability - As an Office 365 customer, your
data belongs to you, and you can export your data at any time with no
restrictions. We act only as a data processor and provider of
productivity services, not as a data owner
- Notice and Consent - When we act upon your data, we
let you know why and we ask for permission in advance or redirect any
enquiries to our customers unless legally prevented from doing so.
- Breach Response - We have strong, tested and
audited processes to inform you if there is a breach and remediate
issues if they occur.
- Data Minimization - We strive to minimize the
actual amount of customer data that our internal teams have access
to.
Customer Controls
In addition to built-in
capabilities, Office 365 enables you to collaborate through the use of
transparent policies and strong tools while providing the distinct ability
to control information sharing.
Some examples of customer controls
for privacy are:
- Rights Management in Office 365 - Allows
individuals and administrators to specify access permissions to
documents, workbooks, and presentations. This helps you prevent
sensitive information from being printed, forwarded, or copied by
unauthorized people by applying intelligent policies
- Privacy controls for sites, libraries and folders -
SharePoint Online, a key component service of Office 365 that provides
collaboration functionality, has a number of privacy controls. One
example is that SharePoint Online sites are set to "private" by default.
A second example is that a document uploaded to a SkyDrive Pro is not
shared until the user provides explicit permissions and identifies who
to share with.
- Privacy controls for communications - In Lync
Online, another key component service that provides real time
communications in Office 365, there are various administrator level
controls as well as user level controls to enable or block communication
with external users and organizations. One example is blocking access to
federation in Lync. Similarly, there are controls throughout the service
for the admins and users to ensure privacy of their content and
communications.
At Microsoft, we have been building Enterprise
software for over two decades and we run over 200 online services. We
bring all of this experience to Office 365 to give you industry leading
capabilities in security, compliance and privacy. In addition, we take
advantage of scale and continuous feedback from providing services to a
diverse customer base across industry and geography to constantly learn
and improve the Office 365 services. Security, Compliance and Privacy are
the key pillars of the Office 365 Trust Center (the other two pillars
being Transparency and Service Continuity). Customers can have confidence
that Microsoft is a thought leader and will continue to make deep
investments to protect customers in the cloud.