As a Microsoft partner for Office 365 and Azure solution implementation, we often come across customers who are either planning to migrate some of the workload to Office 365 or started some proof of concepts for selective workloads in cloud, but worry of adopting cloud as primary workload or infrastructure.
This situation is mostly prevalent in small and medium sized organization where IT must justify security, privacy and compliance concerns to business leaders and decision makers that their data is safe. Also, we have come across similar concerns for large organizations where they have matured into identifying general cloud concerns for a SaaS or PaaS based platform and how to evaluate for a specific vendor.
We try to evade all these concerns and doubts because for most of the organizations this is paradigm shift for extending some part of their infrastructure on cloud. Some of the major questions asked are – Is our information secure? Who can access it? What are the data privacy policies? How do these policies translate on how we manage and store our data in the cloud? Let’s dive into the answers which are specific to Office 365.
Data ownership and protection
Most important question is related to data ownership and protection of data on office 365 – like who has access to my data, where my data is stored, who owns my data.
Where my data is stored?
Microsoft Office customers know where their customer data is stored and the location of their datacenters around the world. Each of our business cloud services has specific data residency and transfer policies. The customer’s country or geo, which the customer’s administrator input during the initial setup of the services, determines the primary storage location for that customer’s data. So, in case if a customer’s primary office is in India then datacenter will reside in India. You can check more information on geos and location here. This site lists all geos and location of data for all types of Microsoft online services.
Who owns my data?
If you put your money in a bank who owns your money? You. Bank is just managing money on your behalf. In same way, you own your data
For Microsoft, your data is your business. Microsoft does not share business customer data with our advertiser-supported services, nor do we mine it for marketing or advertising. This policy is backed by our agreements and reaffirmed by the adoption by many Microsoft services of the world’s first international code of practice for cloud privacy, ISO/IEC 27018.
What happens to my data if I leave the service?
Based on Online Services Terms, Microsoft contractually commits to specific processes when a customer leaves a cloud service or the subscription expires. This includes deleting customer data from systems under Microsoft’s control:
- If you terminate a cloud subscription or it expires (except for free trials), Microsoft will store your customer data in a limited-function account for 90 days (the “retention period”) to give you time to extract the data or renew your subscription. During this period, Microsoft provides multiple notices, so you will be amply forewarned of the upcoming deletion of data.
- After this 90-day retention period, Microsoft will disable the account and delete the customer data, including any cached or backup copies. For in-scope services, that deletion will occur within 90 days after the end of the retention period. (In-scope services are defined in the Data Processing Terms section of our Online Services Terms.)
How I would get my data if you go out of business or I terminate the contract?
For Microsoft partners and reseller this is a common question –
If a partner or reseller goes out of business, customer can change partner or reseller as their services are governed under contract with Microsoft. In case customer does not want to continue online services like Office 365 with Microsoft they have ample time to get backup or migrate their data to other services after subscription termination as described in above question.
Who can access my data?
During the term of your subscription to Microsoft business services, you can access and extract your customer data. Customers of Azure, Dynamics 365, Intune, and Office 365 in-scope services can retrieve a copy of their customer data at any time and for any reason without the need to notify Microsoft or ask for assistance.
Microsoft limits access to customer data by deploying several measures and processes that falls under two categories – physical and logical
Access to physical datacenter facilities is guarded by outer and inner perimeters with increasing security at each level, including perimeter fencing, security officers, locked server racks, multifactor access control, integrated alarm systems, and around-the-clock video surveillance by the operations center.
Access to customer data is restricted based on business need by role-based access control, multifactor authentication, minimizing standing access to production data, and other controls. Access to customer data is also strictly logged, and both Microsoft and third parties perform regular audits (as well as sample audits) to attest that any access is appropriate.
In addition, Microsoft uses encryption to safeguard customer data and help you maintain control over it. When data moves over a network—between user devices and Microsoft datacenters or within datacenters themselves—Microsoft products and services use industry-standard secure transport protocols. To help protect data at rest, Microsoft offers a range of built-in encryption capabilities.
Microsoft engineers do not have default access to cloud customer data. Instead, they are granted access, under management oversight, only when necessary.
What happens if you get a request from local, state or federal government to access my data?
In the case of government surveillance, Microsoft has taken steps to ensure that there are no “back doors” and no direct or unfettered government access to your data. Microsoft impose carefully defined requirements for government and law enforcement requests for customer data.
Microsoft will not disclose data hosted in Microsoft business services to a government agency unless required by law.
If Microsoft is compelled by law to disclose customer data, they will promptly notify the customer and provide a copy of the request, unless they are legally prohibited from doing so.
How do you demonstrate compliance for online services like Office 365?
Microsoft service is verified to meet the requirements specified in ISO 27001, European Union (EU) Model Clauses, the Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA), and the Federal Information Security Management Act (FISMA).
Microsoft’s data processing agreement details the privacy, security, and handling of customer data, which helps customers comply with local regulations.
Microsoft has built over 900 controls into the Office 365 compliance framework that enable to stay up to date with frequent changes to industry standards. A specialist compliance team continuously tracks standards and regulations, developing common control sets for our product team to build into the service.
Office 365 meets the requirements specified in the following compliance certifications:
- SAS 70 / SSAE16 Assessments
- ISO 27001 certified
- EU Model Clauses
- EU Safe Harbor
- HIPAA-Business Associate Agreement
- FISMA/FedRAMP Authority to Operate
- Microsoft Data Processing Agreement
- PCI DSS Level One
Check this link for details of security audits and certifications for Office 365 – https://technet.microsoft.com/en-us/library/office-365-compliance.aspx
What are customer controls for my organizational compliance?
Legal hold and e-discovery built into Office 365 help you find, preserve, analyze, and package electronic content (often referred to as electronically stored information or ESI) for a legal request or investigation. Privacy controls allow you to configure who in your organization has access to and what they can access.
Data loss prevention in Office 365 helps you identify, monitor, and protect sensitive information in your organization through deep content analysis.
Business continuity and resiliency
What are SLA level and uptime expectations for using Office 365?
While Microsoft maintained an uptime of 99.99% in Q1 of 2017, Microsoft provides a financial backing to their commitment to achieve and maintain the service levels for each service. If they do not achieve and maintain the service levels for each service as described in the Service Level Agreement, then customer may be eligible for a credit towards a portion of their monthly service fees. You can check details of SLA agreement here
What kind of data protection is available to prevent loss of data?
Data protection services are provided to prevent the loss of SharePoint Online data. Backups are performed every 12 hours and retained for 14 days. This describes the data backup services as offered when SharePoint Online is generally available. You can check here for more details.
Does this support two-factor authentication?
Office 365 supports all kind of authentication including Active Directory and Azure Active Directory. Check this article for Multi-factor Authentication
How is my data encrypted as it flows across the network between my location and Office 365?
Office 365 encrypts your data while it’s on our servers and while it’s being transmitted between you and Microsoft. Office 365 provides controls for end users and administrators to fine tune what kind of encryption you want to use to protect your files and email communications. You can check the options available here – https://technet.microsoft.com/en-us/library/dn569286.aspx
How do you manage software upgrades? What are my responsibilities?
Microsoft manages all the upgrades, feature updates and enhancements. Before doing major updates, Microsoft informs about this to their customers for any scheduled downtime.
How many copies are made of my data and where are these copies located?
Microsoft maintain multiple copies of your data across datacenters for redundancy, Microsoft will share with you where your data is located, and will provide one-month notice if this expand into a new country in the region where your data is stored.
For businesses – be it small, medium or large, whether for profits, non-profit or educational institute, all have concerns relating to should they start using cloud services, and if yes, how will their data be protected in terms of security and privacy, and will their IP and business information be safe.
For the answers to all these queries, Microsoft has opened a separate site – Trust Center – and Transparency. Here you can get all information based on your role in the organization or based on the security, privacy, compliance or transparency for all online services from Microsoft.
Still got questions which are unanswered? Let us know and we will help you with them. Also let us know about your experience using cloud services, what are your inhibitions or organizational roadblocks in adopting cloud services. You can send an email to vikram dot jain at advaiya dot com