Part 3: The Office 365 approach to privacy in the public cloud – Choice

In our third and final post about the privacy tenets Microsoft Office 365 was built on - responsibility, transparency, and choice - we'll talk about how our customers have the opportunity to choose whether information will be collected, shared, or made public. There are three categories that fall under choice: administrative access, identity management, and Microsoft partners. Based on the Microsoft whitepaper "Privacy in the Public Cloud: The Office 365 Approach" below we provide more information about each one.

Administrative Access

We had three priorities in mind when we formulated our strategy for administrative access to data managed by Office 365:

• We always give our customers access to their customer data.
• Access to customer data is strictly limited, and sample audits are performed by both Microsoft and third parties to verify that access is only for appropriate business purposes.
• We recognize the extra importance of customer data like Exchange Online emails and SharePoint Online team site content. There are strict controls over who will be granted access to customer data. There must be a legitimate business justification and the request must but approved by the person's manager. When data access is approved and occurs we can provide a report of the event upon request.

Office 365 customers have complete access to their own environment, including user mail boxes, SharePoint websites, and document stores. Customers maintain control over security policies and user accounts. This level of control allows administrators to enforce their organization's privacy and security policies.

Identity Management

There are two options for Office 365 user identification: Office 365 user IDs and federated IDs.

Office 365 user IDs are created by administrators for every individual user of the service. Employees can use this ID and a password to sign in to all of their Office 365 services. A single sign on application helps users easily create and use strong passwords to help keep their information safe.

Federated identification uses on-premises Active Directory Federation Services to authenticate users on Office 365 using their existing corporate ID and password. With federation, user identities are administered only on premises. This allows organization to use two-factor authentication (such as smart cards or biometrics in addition to passwords) for maximum security.

Microsoft Partners

The third category of choice is Microsoft provides customers with ways to initiate, maintain, or terminate relationships with Microsoft partners who are part of the Office 365 ecosystem. This is designed to allow customers to take advantage of the special services partners provide without impacting the Office 365 account if and when a partners' access to their information is disabled.

For more information about the security and privacy practices for Office 365 visit the Office 365 Trust Center. Additional information on Microsoft's approach to privacy is available at www.microsoft.com/privacy.

Additional resources:

• Part 1: The Office 365 approach to privacy in the public cloud - Responsibility
• Part 2: The Office 365 approach to privacy in the public cloud - Transparency (Video)
• Office 365 Trust Center
• FISMA becomes latest security certification for Office 365
• Privacy in the Public Cloud: The Office 365 Approach
• Microsoft Private Cloud: A comparative look at Functionality, Benefits, and Economics
• Office 365 service specific privacy & security practices

______________________________________________________________________________

--Stephen Bury

See how customers are using Office 365 here.

Interested in trying or buying? Review plans or start a free trial now.

Just want to know more? Visit Office365.com.