
From inside the cloud: How does Office 365 continuously meet your compliance needs?

Shawn Veney is the principal architect on the Office 365 Governance Risk and Compliance team.

In the last two posts in our From Inside the Cloud series, we went behind the scenes to share with you different ways we protect your data. My colleagues and lead engineers Perry Clarke and Vivek Sharma focused on how we protect your data at rest and who has access to your data within Office 365. They explained the various mitigations that we have in place through our defense-in-depth approach and the measures that we take to control administrative access to the Office 365 service through our lock box process. These posts followed the overview that Rajesh Jha, our CVP of engineering and general manager for Office 365, shared about how we address security, privacy, compliance, and transparency of operations overall in the Office 365 service.

Today we’re taking a look at compliance. Compliance is one of the areas where we see some of the highest interest from customers who are considering moving to cloud productivity services—understandably so. You want to know not just that Office 365 meets the expected alphabet soup of industry regulations, but that we meet the ones that are important to you and your industry.

As I explain in today’s three-minute video, our goal is to provide continuous compliance. This means that we aren’t just checking through the list of regulations; we are ensuring that we build and maintain a living, growing, dynamic compliance framework. Let me explain.

Our control framework

Core to our approach is assessing your needs worldwide, not just geographically but across industries—healthcare, finance, government, defense, and more. These needs serve as a base set of requirements, also known as “controls,” that our engineering teams take as input when they’re designing the service—for example, when they’re developing ways to keep your data in a certain region or apply certain types of access. Today we have over 1,000 such controls in Office 365 and the number of controls is increasing, which is why we talk about continuous compliance.

The majority of industry regulations share a similar set of controls. We also have teams that look at draft regulations under consideration, so that we can proactively assess new requirements and develop corresponding controls when we see a gap. What this means for you is that if a new regulation emerges for your industry, more than likely we are already working on the required controls within the Office 365 service and can respond to your specific needs faster. Further, each control we add strengthens the overall control framework.

This ability to support a broad scope of control requirements means that we have the agility to analyze and implement new requirements or regulations as they change or come up in the future.

These controls are significant for another reason, too: they have enabled Microsoft itself to meet some of the most stringent of requirements, from ISO 27001 to standards like CJIS, SSAE 16, HIPAA, and more. You can see our documented list in the Office 365 Trust Center.

Built-in capabilities that support compliance

Beyond our control framework, we also offer you capabilities built into the Office 365 service that enable you to promote the right behaviors in your organization for compliance. One example of this is data loss prevention (DLP), which allows you to set policies to control the flow of data inside and outside of your organization. Another capability built into the service is eDiscovery, for organizational search and in-place hold. If you need to pull application logs to meet your own organizational compliance needs or demonstrate governance over specific information within your company to auditors and regulators, eDiscovery enables you to do so—efficiently.

In the next few weeks you’ll be hearing more about DLP and eDiscovery from my colleagues Asaf Kashi and Kamal Janardhan, group principal engineers from our information protection team.

So where is all of this heading?

Ultimately our vision for the future of compliance is to drive even greater transparency and agility. We want to offer you an increasingly rich set of data and innovative features for compliance that can be integrated into your risk management program, so that you can credibly offer specifics to your auditors on how you are protecting and retaining compliance of your data in Office 365. Also, in doing so we hope to offer a level of visibility, control, and value to compliance officers that exceeds what you may be used to in on-premises environments today.

I hope that this helps clarify how we approach meeting your compliance needs.

Let us know what you’re thinking—send us your comments and questions. And of course you can find out more on this topic by visiting the Office 365 Trust Center.

—Shawn Veney


5 comments

  1. Great post and video. Microsoft’s Legal and Corporate Affairs (LCA) team is already doing Records Management in the cloud today. I’m proud to say my company is part of that effort. I’m glad Microsoft is continuing to innovate around Controls and Compliance Efforts. I’m also glad Microsoft continues to work with partners and to make it possible for partners to extend and enhance the framework to add functionality that helps ensure customers’ data is protected … whether it’s on-premise or in the cloud.

    On Microsoft.com there is a great case study showing how Microsoft LCA, Gimmal and Iron Mountain worked together to create Records Management in the Cloud. Here is the link: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=710000003382

  2. Hi Shawn, thanks for the update! The video in your blog shows – for just a short moment – a glimpse of the Compliance Center announced at SPC14. Since it should ship Q3 (Astrid McClean, SPC14) I am wondering why it is left out of the tables in the new update scheme (which is very useful, but unfortunately incomplete on this matter).

  3. Are there any plans to provide change control/auditing within the O365 Admin Centers? It would be very helpful to be able to see configuration change information, i.e., who enabled/disabled each setting and when it occurred. We have a lot of people with Global Admin permissions and having audit reporting at this level is very important to many businesses.
