Everything You Need to Know about Office 365 Security
The complexity of delivering access to services from a growing number of devices, platforms, and places makes information security a paramount concern.
When you consider moving your organization to the cloud with Office 365, Office 365 security concerns add another layer of consideration. It is critical that you trust your service provider to take care of the key expectations around processing and managing your data – security, privacy, and compliance. Let’s build that trust by reviewing Office 365 security!
Office 365 Security is an Ongoing Process
Security in Office 365 is an ongoing process, not a steady state. It is constantly maintained, enhanced, and verified by highly skilled, experienced and trained personnel at Microsoft who strive to keep software and hardware technologies up to date and refined through robust designing, building, operating, and supporting processes.
To help keep Office 365 security at the top of the industry, Microsoft uses processes such as the Security Development Lifecycle; traffic throttling; and preventing, detecting, and mitigating breaches.
Office 365 security consists of two equally important dimensions, service level capabilities and customer controls, which we dive into below!
If all of your questions aren’t answered here, you can stay up to date with Office 365 security by checking out our Microsoft Trusted Cloud Data Sheet, which includes several resource links to the Office 365 Trust Center and more!
Service Level Security
Microsoft is an industry leader in cloud security with policies and controls for even the most sophisticated organizations. At the service level, Office 365 uses a defense-in-depth strategy that protects your data through layers of security – the physical, logical, and data layers – in the service. In addition, consistent updates ensure a highly secure cloud productivity service that meets rigorous industry standards in compliance.
Microsoft’s Office 365 security strategy also aims to detect, prevent, and mitigate a security breach before it happens.
This involves continuous improvements to service-level security features, including:
- Perimeter vulnerability scanning
- Operating system security patching
- Network-level DDoS (distributed denial-of-service) detection and prevention
- Multi-factor authentication for service access
With regard to people and process, Office 365 security prevents breaches with the following features:
- Auditing all operator/administrator access and actions
- Zero standing permission for administrators in the service
- “Just-In-Time (JIT) access and elevation” to troubleshoot the service
- Segregation of the employee email environment from the production access environment
- Mandatory background checks for high privilege access
Privacy by Design
When you entrust your data to Office 365 you remain the sole owner: you retain the rights, title, and interest in the data you store in Office 365.
In order to maintain your privacy, Microsoft ensures the following:
- No mining of your data for advertising or for any other purpose other than providing you services that you have paid for
- If you ever choose to leave the service, you take your data with you with full fidelity
- You will always know where your data resides, who has access, and under what circumstances
- Access to your data is strictly limited, non-destructive, logged and audited
Beyond this, Office 365 security has privacy controls to allow you to configure exactly who has access to what within your organization.
Security Customer Controls
Office 365 combines the familiar Microsoft Office suite with cloud-based versions of our next-generation communications and collaboration services: Exchange Online, SharePoint Online, and Lync Online. Each of these services offers individualized security features that you can control.
Data Integrity and Encryption
Along with the encryption technologies that are addressed at the service level in Office 365 and managed by Microsoft, Microsoft also offers various technologies that you can implement and configure in your Office 365 tenant, including:
- Rights Management Service
- Secure Multipurpose Internet Mail Extension (S/MIME)
- Office 365 Message Encryption
- Transport Layer Security (TLS) for SMTP messages to partners
Secure End-User Access
It is critical to be able to control access to data and how it may be used. In the Office 365 service, Azure Active Directory is used as the underlying identity platform. This gives your tenant strong authentication options and granular control over how IT professionals and users can access and use the service.
Operating a global cloud infrastructure creates a need to meet compliance obligations and to pass third-party audits. Auditable requirements come from government and industry mandates, internal policies, and industry best practices. Continuous compliance refers to our commitment to evolve the Office 365 controls and stay up to date with IT standards and regulations.
As a result, Office 365 has obtained independent verification for the following:
- Obtained ISO 27001 and SSAE16 SOC 1 (Type II) Audit Verification
- Received Ability to Transfer Data Outside the EU with U.S.-EU Safe Harbor Framework and EU Model Clauses
- Signed the HIPAA Business Associate Agreement (BAA) with All Customers
- Received authority to operate from U.S. federal agency under FISMA
- Disclosed security measures through the Cloud Security Alliance Public Registry
Customer Compliance Controls
With Office 365, the different plans offer a range of compliance features, including data loss prevention (DLP), eDiscovery, auditing and reporting functionality, and data spillage management and deletion. Across these capabilities, the user experience is preserved and productivity is not impacted, leading to greater user acceptance.