One of the biggest concerns for IT departments is the security of data in the cloud. Cloud usage has exploded and brought about an increase in the use of mobile devices. While it can generate cost savings, there are also increased security risks to your sensitive data. In order for you to decide if Microsoft’s cloud solution is the right suite for you when it comes to cloud services, you first need to consider Office 365 security, compliance and privacy capabilities.
Download our PowerPoint deck: 7 Free Things You Can Do to Improve Your Clients’ Office 365 Security Posture
Office 365 Security and Compliance
When moving your data to cloud services, security means adding yet another layer to consider, that of trust. It is “your data” and you need to be sure that your service provider is up to the task.
You also want to know if cloud-based data services comply with affected laws and whether the security is as good as your onsite structure. You are not alone with this, many companies see complying with local, state, and federal regulations as a distinct barrier to moving to the cloud. However, you can rest assured that Office 365 maintains capabilities that include technologies, operational procedures, and policies that are enabled automatically so that you do not have to worry about them.
In addition, you can customize the way you use Office 365 based on the needs specific to your business and business practices, while adhering to proven methods of security and compliance. Security and compliance is an ongoing process; it cannot remain static. Techniques are employed that maintain traffic while preventing, detecting, and mitigating breaches.
There are three levels that Office 365 maintains to protect your data. These areas, or layers, are the Physical layer, the Logical layer, and the Data layer. Each of these integrated layers function to prevent access to your data by unauthorized entities. Let’s explore each of these layers.
To begin with, the Office 365 data centers are distributed geographically in order to protect them from a natural or manmade disaster. These data centers employ security methods such as badges and smart cards, biometric scanners, on premises security personnel, surveillance video and the use of motion detector devices. In the case of a natural disaster, fire prevention systems are employed.
Network security involves protection at the edges of the network as well as points throughout the network. The layer only allows connections to exist that allow systems to function; all other types of connections, ports and protocols are prevented access. Office 365 networks maintain lists to limit access, and enable firewall rules and policies on hosts. These lists are called Access Control Lists, or ACLs and are configured on routers, IPsec policies on hosts, firewall rules and host based firewall rules thereby providing restrictions on network communication, protocols, and port numbers. At the network level, security is able to detect attempted intrusions. In addition, the backend servers and storage units are physically separated from the interface used by the public.
At the logical level, there are processes in place to control hosts, applications running on those hosts, as well as the admin staff that may access these hosts and applications in order to complete work on them. This is possible because most of the processes on these hosts and applications are automated. This automation keeps human intervention to a minimum level. This reduces the possibility of misconfigurations whether accidental or intentional from occurring. Please note that such automation includes the deployment of systems located in the datacenters.
Anti-malware software is configured for servers, network devices and other Microsoft applications. Any changes such as updates, hotfixes, or patches use a standard method of change management. Before changes are implemented, they are evaluated by an advisory board to eliminate any risk to the network or to your data.
Office 365 is known as a multi-tenant service which means your data shares the same hardware resources as do other customers. Data storage and use is kept apart by the use of the Azure Active Directory. It uses secure boundaries to prevent your data from being affected by other co-tenants.
Microsoft has built-in encryption features for Office 365 that utilize cryptographic standards in the industry that includes SSL/TLS, and AES. It also employs BitLocker which encrypts the customer’s hard drives to protect against data theft or exposure, plus it protects removable drives which may be lost or stolen. This make it useful even on drives that are no longer used and have had the data deleted. This makes it harder to recover deleted data from such drives using Bitlocker, than an unencrypted one.
The Office 365 security strategy can be thought of as a support system consisting of four columns.
The basis of any security strategy is to prevent intrusions in the first place. This is accomplished by such features as port scanning, scanning a potentially vulnerable perimeter, utilizing patches in a timely manner, isolating breaches, detecting and preventing DDoS (Distributed Denial of Service) incidents, and multi-level authentication.
Detection occurs when security alerts are collected, collated, and analyzed. These alerts can be internal or external in nature. Machine learning is employed to recognize new intrusion patterns or other anomalies in the network.
Response is employed to minimize the effects if a system component has been compromised. Office 365 employs an incident response process. This process includes standard operating procedures (SOPs) if an incident occurs, the capability to either stop or deny access to your data, and tools to monitor and mitigate the situation.
Recovery is just as important as the other columns to enable the operations to resume. It includes updating any systems that were affected and also auditing of the network to ensure that any impact has been eliminated.
Office 365 Privacy
How does Office 365 ensure the privacy of your data? Built into Office 365 there are privacy features that include not mining your data in order to use it for advertising purposes. It only uses your data to the extent necessary to provide you with the online services you have signed up for. You are told where your data is stored and who has access to it and why.
But it does not stop there. Office 365 allows you, the customer, to configure the privacy into your data. For example, there is the Customer Lockbox which allows you to control how much access is being allowed to Microsoft engineering. Your administrators and other individual can configure the permissions that any user has to the data. This includes blocking viewing, printing, copying or forwarding your data by those who are not authorized to do so.
Another example is that Sharepoint Online has a set of controls for privacy. By default Sharepoint Online sites are set to private so that is one less action that you need to make. In OneDrive for Business, any document uploaded to it cannot be shared with others until the uploader defines who and how the document is to be shared.
In Skype for Business there are administrator and user level controls that can be enabled to allow or block communications with individuals or entities outside of the network.
What Certifications Does Office 365 Hold?
As of this writing, Office 365 meets the strict standards for ISO27001, ISO27018, SSAE 16, FISMA, HIPAA BAA, EU Model Clauses, and Cloud Security Alliance.
How can the customer team up with Office 365 to prevent risk to its data? Although malware and other forms of attack are very real and certain, the customer can help prevent data loss due to user error. Exchange Online incorporates Data Loss Prevention (DLP). This feature identifies, monitors, and protects your sensitive data and employs users in its process. For example, if an email includes important information like Social Security numbers or credit card numbers, it notifies the sender before the email is sent.
Based on how you configure the policies, it can warn the sender but allow it to be sent anyway, it can require some form of authorization before the email is sent, or it can block the email from being sent at all. This form of control can apply to attachments as well as emails. Administrators can also receive an auditing report that identifies what information is being sent and who is sending it. This DLP capability is soon to be available to Sharepoint Online as well.
On the receiving end of an email, Exchange Online goes beyond protection against spam, viruses and malware and includes:
- Protection against unknown malware
- Real time protection against malicious URLs
- Robust reporting URL tracking
Let’s talk about auditing. By using the auditing processes and procedures afforded you by Office 365, you can track such actions as viewing, editing and deleting content. By summarizing these events, the administrators can use audit reporting to see how the data is being used, maintain compliance, and check out any possible issues.
So what happens to your data if your contract expires or you decide to cancel it? Office 365 gives you at least 90 days to make sure all data has been migrated to another location. Only at that instance will the data not be able to be restored commercially.
Today businesses need and demand online services in order to make their data available virtually anywhere in the world and on multiple devices. All of this in the face of unauthorized intrusion attempts that seek to disrupt your business operations, steal intellectual property, or destroy your sensitive data. With Office 365 you get a platform that allows a secure, cloud-based, and productive environment for you and your users. So, the Office 365 security, compliance and privacy capabilities should give you a peace of mind.
Download Our Free PowerPoint Deck!
7 Free Things You Can Do to Improve Your Clients' Office 365 Security Posture
Find out what you can be doing to better protect your clients, why you should be taking these precautions and a step by step guide of how to implement these procedures.