As we start accepting the thought of the cloud and Office 365 for our businesses, security and privacy are still on our minds. Though many security breaches happen from within, we often worry when we hear that our content will be somewhere other than our own servers. Especially in the “cloud” somewhere. So what does the Office 365 data protection promise for both security and privacy do to help appease these worries?
If you can get into the servers where any of our content is stored, I’d be extremely impressed. More than impressed in fact. Let’s see…
“As a standard policy, Microsoft does not disclose the location of its data centers. Microsoft operates between 10 and 100 data centers located around the world.”
First, try to find the location for these facilities. They’re not disclosed to the public and finding them will be your first challenge. Let alone finding the one that has the content you’re looking to breach. And if somehow you’ve found them, here are some of the things you have to get through.
You need to be identified as authorized personnel and get past the multiple layers of physical security… Oh, and bypass the biometric as well as motion sensors, all under constant video surveillance. I think this sounds closer to a new “thief” movie called “Ocean’s 365” than a likely scenario.
Whether you’re communicating with the various Office 365 experiences or looking at data at rest, you’ll see that it’s always encrypted. Disks using BitLocker encryption, HTTP over SSL and even IRM on Document Libraries are a few things that ensure no unwanted eyes can peek at your data.
In Office 365, the way you and your users use the platform isn’t mined for advertising purposes. Though many cloud platforms, Facebook and Gmail for example, will use this information to target ads, this isn’t something you’ll have to worry about here.
With the many preconceived worries on the cloud and security, Microsoft takes a safe approach by making sure none of your data can get exposed.
From an administrator’s perspective as well as an end user’s, you can manage what can be seen and by whom on your content. But privacy goes beyond the extensive options we have come to expect from most of these cloud platforms; it’s also about the data collected on the usage of the platform.
Microsoft may use the data to improve the overall experience, but the data will not be shared. And when I say the data collected, I don’t mean they’ll access your actual content. Your mailbox or OneDrive for Business files will never be accessed without your permission. They only collect data on how you use features, in order to improve the service, not unlike when you look at analytics of people visiting your website to improve it over time.
On top of that, the Admin Center allows you to audit all access to your tenant information by a Microsoft employee so you know what’s going on.
Microsoft employs multiple layers of redundancy and backups of information at the datacenter level, so in a rare event where data may be lost or corrupted on Microsoft servers, it can be restored.
Though there is no link I can point you to with a service description for backup and recovery, it’s important to know that it may not be ideal for all organizations. The platform comes with many capabilities from Versioning to Recycle Bins as well as recovery options. However, they are not indefinite. Meaning it may be too late for you to recover the data or the recovery method may not be ideal for you in your scenario.
I know what you’re thinking, “That’s horrible! I don’t want them to keep my data even after I no longer use Office 365”. To give you time to take your data away from a terminated subscription, you have a timeframe which allows you to do so.
“Upon expiration or termination of your Office 365 subscription or contract, Microsoft will provide you, by default, additional limited access for 90 days to export your data.”
More details on data portability can be accessed in the Trust Center.
Though still a concern for some due to legal and regulatory requirements, Microsoft will keep your data in the region specified when the subscription is first created. A region doesn’t necessarily mean a country, however. If this is a concern for you, then you should look at the details in the Trust Center.
Keep in mind that many worries we have about this are misunderstood. Be sure to understand your requirements beforehand.
Identity is very important in this digital age. It proves you are who you are, and often that’s through a password. To make sure a simple brute force attack doesn’t lead to a security breach, Office 365 requires users to have a strong password.
If you’d like more protection, especially for those users that have a little more power over the tenant or access to extremely confidential information, you can also enable multi-factor authentication. With this turned on, users will have an extra layer of security other than just the password.
Both as an administrator and as a regular user, you can control what is seen and by whom it is seen in your organization. Depending on the organization and culture, not everyone within will be ok with sharing the same data about themselves or on their usage.
The data is often imported from Active Directory or entered manually by users to create a complete profile. It’s often valuable to have, as it enables you to build rich solutions that interact with the data as well as Office Graph to make better connections.
“Microsoft just announced that it is the first major cloud provider to adopt the first international cloud privacy standard developed by the International Organization for Standardization (ISO)” – Microsoft on the Issues
Even privacy authorities across Europe approve Microsoft’s cloud with an official stamp. It’s hard to beat: independently verified, Office 365 is without a doubt much more secure than you could possibly even allow your own servers to be.
It’s unlikely the security breach will happen from the outside
Security concerns will never go away; they just change as we transition to a new work model. We use the cloud and the experiences from Office 365 to do what we need to do. Recently, I talked about how granting access to External Users combined with a human mistake almost cost us quite a bit if we hadn’t found it in time. And that will continue to be the case regardless of whether it’s On-Premises or in the Cloud.
On their side, Microsoft has put everything into place, from regular backups to ensuring your data stays in-region as well as enforcing strong passwords, to help you stay protected. Concerns about moving to the cloud in terms of Security and Privacy are normal as we are not used to it, but with the Office 365 data protection in place they seem unfounded. It’s more likely we will cause a breach with our configurations or human errors than someone gaining access to our data.
This Infographic is based on the “Top 10 security and privacy features of Office 365” provided on Microsoft’s website.