Shawn Veney is the principal architect on the Office 365 Governance Risk and Compliance team.
In the last two posts in our From Inside the Cloud series, we went behind the scenes to share with you different ways we protect your data. My colleagues and lead engineers Perry Clarke and Vivek Sharma focused on how we protect your data at rest and who has access to your data within Office 365. They explained the various mitigations that we have in place through our defense-in-depth approach and the measures that we take to control administrative access to the Office 365 service through our lock box process. These posts followed the overview that Rajesh Jha, our CVP of engineering and general manager for Office 365, shared about how we address security, privacy, compliance, and transparency of operations overall in the Office 365 service.
Today we’re taking a look at compliance. Compliance is one of the areas where we see some of the highest interest from customers who are considering moving to cloud productivity services—understandably so. You want to know not just that Office 365 meets the expected alphabet soup of industry regulations, but that we meet the ones that are important to you and your industry.
As I explain in today’s three-minute video, our goal is to provide continuous compliance. This means that we aren’t just checking regulations off a list; we are building and maintaining a living, growing, dynamic compliance framework. Let me explain.
Our control framework
Core to our approach is assessing customer requirements worldwide, across geographies and across industries: healthcare, finance, government, defense, and more. These requirements are distilled into a base set of requirements, also known as “controls,” that our engineering teams take as input when they’re designing the service, for example when they’re developing ways to keep your data within a certain region or to enforce particular access restrictions. Today we have over 1,000 such controls in Office 365, and the number is still increasing, which is why we talk about continuous compliance.
The majority of industry regulations share an overlapping set of control requirements. We also have teams that review draft regulations still under consideration, so that we can proactively assess new requirements and develop corresponding controls when we see a gap. What this means for you is that if a new regulation emerges for your industry, more than likely we are already working on the required controls within the Office 365 service and can respond to your specific needs faster. Further, each control we add strengthens the overall control framework.
This ability to support a broad scope of control requirements means that we have the agility to analyze and implement new requirements or regulations as they change or come up in the future.
These controls are significant for another reason, too: they have enabled Microsoft itself to meet some of the most stringent requirements, from ISO 27001 to CJIS, SSAE 16, HIPAA, and more. You can see our documented list in the Office 365 Trust Center.
Built-in capabilities that support compliance
Beyond our control framework, we also offer you capabilities built into the Office 365 service that enable you to promote the right behaviors in your organization for compliance. One example of this is data loss prevention (DLP), which allows you to define policies that detect sensitive information in content and then block, warn on, or audit its flow inside and outside of your organization. Another capability built into the service is eDiscovery, for organizational search and in-place hold. If you need to locate and preserve specific content to meet your own organizational compliance needs, or to demonstrate governance over specific information within your company to auditors and regulators, eDiscovery enables you to do so efficiently.
In the next few weeks you’ll be hearing more about DLP and eDiscovery from my colleagues Asaf Kashi and Kamal Janardhan, group principal engineers from our information protection team.
So where is all of this heading?
Ultimately our vision for the future of compliance is to drive even greater transparency and agility. We want to offer you an increasingly rich set of data and innovative compliance features that can be integrated into your risk management program, so that you can credibly offer specifics to your auditors on how you are protecting your data and maintaining compliance in Office 365. In doing so, we hope to offer compliance officers a level of visibility, control, and value that exceeds what you may be used to in on-premises environments today.
I hope that this helps clarify how we approach meeting your compliance needs.
Let us know what you’re thinking—send us your comments and questions. And of course you can find out more on this topic by visiting the Office 365 Trust Center.