In this week’s show, hosts Jeremy Chapman and Vijay Kumar tackle one of the most common questions asked about cloud services, “How safe is my data?” Security is an important element of trusting the service of any service provider. But even beyond security, they cover related concerns around data privacy, availability and show some of the controls your IT administrators have to configure access policies, lock down clients and build your own control set for data stored in or transferring though Office 365 services.
Jeremy: In last week’s show we rounded up all of Office apps and services to show cross-platform mobile devices coverage – from the core Office Mobile apps on iPhone and Android to new experiences like OWA for iPad. We also put Office VP, John Case, and skateboarding legend, Bucky Lasek, along with Office Mobile to the test as they navigated a rally course using roaming pace notes an Android phone, iPhone and Windows Phone all accessed from a single Office 365-stored document.
This week, I’m joined by Office 365 security and compliance lead, Vijay Kumar, to address the topics of security, privacy, configurability, availability and overall trust of Office 365 services. We also hear from Office 365 General Manager of Engineering, Kevin Allison, and hear back from Mark Russinovich, then we return to Madrid to hear from European-based security experts and get their perspective about Cloud versus on-premises security and data access.
Vijay: In fact today’s show we hope to give you the 101 on how we protect and manage access to your data with Office 365, as well as the behind the scenes view on Microsoft’s approach. We explore the topic in two halves. First, the measures that Microsoft has put in place to manage and monitor the Office 365 online service and second we look at what you can do to configure Office 365 for your specific organizational needs.
Jeremy: So let’s explore the first side of the coin, if you are considering a shift to Office 365 Cloud services, the first thing that you may want to know is who has access to it and how it’s safeguarded by Microsoft?
Vijay: Well we do all the things that you would expect from a physical security perspective in terms of how we lock down our data centers including perimeter and personnel access and replicate your data across data centers to protect from data loss or natural disasters. What many people don’t know is that access to every file is gated based on access permissions with a lock box process. Also, your data has its own unique footprint and is isolated from the data of other organizations.
Jeremy: And speaking of access, a related fear is around overall privacy. Whether or not you sign up with Microsoft as the service provider, you don’t want your data being mined for other purposes such as advertising and you want your data to move with you if in future, you decide not to use the service.
Vijay: Absolutely, and these measures are a given with Office 365. It’s your data and we simply process it while providing productivity services through email, Office applications, unified communications etc.
Jeremy: So even if a third-party requests access to my data it’s protected?
Vijay: That’s a great question and very topical given the recent press reports around domestic and foreign government access to stored data and data in transit. Ultimately unless legally obligated, Microsoft cannot fulfill requests to access your data. We have to inform you of third-party requests and require your consent. We even provide reports of non-owner access to email inboxes from the Office 365 Administrator Console.
Jeremy: So let’s talk about vulnerability of the service and how Microsoft mitigates criminal attempts to hack its data centers and your data. What most people want to know is how secure is their data in the Cloud compared to on-premises? One of the points that resonated with me made by Marcus Murray, a European security expert that we spoke to on location in Madrid was that one key advantage of the Cloud is that it’s difficult to hack into a system if you don’t have machine level access as you would do on-premises. The way most malware works is to install software or replace system level services on host machines to access data and mask the existence of the malware, if the host layer is abstracted as with Office 365, it is much more difficult to infect a system.
Vijay: We also take extra measures to ensure that services are sufficiently hardened from external hacking threats. Mark Russinovich discussed are red and blue teaming approach where we have experts on staff tasked with the challenge to penetrate the service. They employ all standard means from automated and code execution to social engineering in order to access infrastructure and service layers. At the same time, the blue team works to detect any successful breaches and block any points of entry. They also review access logs and details from the red team to look for patterns and issues to inform ongoing security hardening work.
Jeremy: And of course, a related point on how Microsoft safeguards data access is what happens if the service goes down? How can I trust that I will always have access to my data when I need it?
Vijay: We get asked that all the time, and we’ve had a lot of practice in maintaining ongoing application availability with our email and collaboration services that have been around for decades. The first thing to know is that we have a financially-backed SLA of 99.9% – which means the service cannot be down for more than 43 minutes in any given month or we need to compensate you as a customer.
We want to be transparent and accountable too. In fact, we publish our historical uptimes quarterly on the Trust Center. More than that though we built the code and so we know how to fix it and as Kevin Allison explains, we have a Dev Op process, which means the developer who wrote the code is the assigned operator and is on point to fix – resulting in faster and more agile issue resolution compared to traditional approaches for on-premise software.
Jeremy: Switching gears to explore the other half the coin has been a continuous topic on the Garage Series shows, that is how you define your own control set for managing Office 365 which is a key differentiator for Microsoft compared to other service providers. This is particularly important if you are concerned about meeting regulatory or company Compliance requirements around access to corporate data.
The good news is that, you have control over where your data resides – you can run Office 365 Services along-side your on-premises environment and keep your most sensitive data within your organization’s walls. Importantly too, can apply the same type of access rules that you would typically use to configure your on premises environment and in many respects they are easier to implement and faster.
Take for example Rights Management Services (RMS) – you can now set up file level access in 5 clicks in a large organization versus setting up and configuring a whole array of servers as you would do in the on-premises world. RMS protects the document and ensures that only those with access rights can view it. It is much stronger than simple password protection, because if the document does leak out of an organization, even employees of the organization where it was created would need to authenticate that A. they are still a member of the organization and B. have appropriate permissions to view or edit the file. For example, if a user were to load a USB drive with documents, then leave the company, then any document with RMS protection would not be viewable until that person authenticates against the Rights Management Service. In this case, since the former employee is no longer with the company, his log in and authentication attempts will fail and he won’t be able to access the file.
In addition to RMS, we also have tools like Data Loss Prevention where an IT administrator set up rules for sensitive information like credit card or personal identification numbers. Then Outlook will mount an attached file or scan the email text and warn users or if the information leaves the inbox, transport rules in Exchange will block that information from sending. We saw this in a previous episode as Mr. #DealWithIt (played by Stephen Rose) attempted to send his boss’s credit card details in a New Orleans bar.
Vijay: So today’s show was just an overview, we are just scratching the surface in terms of what’s possible – which is why we have two security show specials coming soon in the New Year
Jeremy: And, in fact we tackle mobile device control and security with Office 365 on next week’s show, when I’m joined again by all things data management and SharePoint expert, Mark Kashman. I’m also joined by Exchange engineering lead Greg Baribault to discuss the genesis and evolution of mobile device management in the advent of the ‘bring your own device’ trend where more and more people are using multiple devices of choice to get work done and to work from anywhere.
See you next week.
Jeremy and Vijay