There was no other offering in Microsoft’s history that has found such a response as Office 365. Customers believe that the platform will not only fit their professional needs, but also will provide reliable protection and management of information resources which are of great importance for business. High level of security in Office 365 is achieved through regular monitoring, maintenance, improvement, reporting, verification.

Microsoft aims to demonstrate that in Office 365 your private information remains only yours; this means, that it will never be analyzed for advertising campaigns and that your data will only be accessed for the purpose of providing office work organization “cloud” services. When getting Office 365 subscribtion, you are presented with series of regulatory warnings describing management methods.

Surely, numerous websites and Microsoft documents contain the most complete information, but it is often presented in diverse formats and scattered over many sites, making it difficult to study important topics. We think that it would be useful to provide a single, explicit overview of the data security measures applied on the Office 365 platform, which will be used as a reliable basis for the development of the company’s data management strategy.

The structure of this article is quite simple: we provide a detailed description of various security, compliance, administration, management functions implemented in Office 365. The unified order of presentation was chosen for all topics:

  • Description of each control or data protection function.
  • Explanation of its purpose and application methods.
  • Sources of additional information.

We are confident that this material will be an indispensable resource for Office 365 administrators and security experts. Microsoft team dedicated considerable efforts to alleviate as much as possible concerns about safety of data in Office 365.

Pay special attention to the Office 365 Trust Center security management center —there you will find detailed explanations for all topics discussed in this article. All standards changes applicable to Office 365 are promptly reflected on the site, also each update concerning new security measures, links to national and international certificates issued to the cloud platform are provided.

The objective of this guide is to give an overview of these materials that can help readers to understand Microsoft’s approach to protection of data integrity and to quality improvement of provided by Office 365 services. The information given in the article can be divided into four categories: security, compliance, administration, management.

This guide is just for you in case you have any responsibilities for the technical development or maintenance of the Office 365 platform or if you are a business owner concerned about how exactly your valuable information is handled in Office 365, or if you just want to discover more details about the platform administrative functions.

How is security provided by Office 365

Now, after reviewing topics which will be covered further in this article, let’s look at each capability implemented in Office 365: security, compliance, administration, and management. We will start with data security function.

Office 365 is rooted on one of the most safe data centers across the globe. It meets Microsoft’s Security Development Lifecycle (SDL) requirements for secure applications. Many methodologies have been formed over the course of decades, and during this time, Microsoft has been developing its own corporate software, so since the end of the 1990s, these efforts have covered numerous web services.

The Office 365 platform has user and administrative corporate-level management functions, which make it possible for companies to scale environments, providing a security guarantee at all levels in particular : physical, logical and data level, plus compliance with industry standards.

Microsoft team is improving the security level of the Office 365 platform all the time, starting with scanning of ports and perimeter up to operator or administrator actions and access constant auditing. To stay current in steps Microsoft team is taking for data protection, check the Office 365 Roadmap website (https://products. office.com/en-US/business/office-365-roadmap), plus its useful to keep an eye on fresh updates once in a while.

Physical security

In this part we want to refer to the systems management and data access management. Microsoft ensures a 24/7 protection of all data centers equipment, for example multi-factor authentication binding for each system. For physical access such protection as biometric scanning is applied. Also there is a separation of all internal network systems from the external network.

Furthermore, due to division of roles, even
personnel who have physical access to the system cannot determine the specific customer’s data location. Operating procedures in the data center guarantee equipment and systems updating and optimization, as well as demagnetizing and destroying of failed drives and devices. You can rest peacefully since the equipment with your valuable data is safe in one of the most reliable data centers across the globe.

Logical security

It is the software and platform protection by applying authentications, reliable passwords, permission levels, and other features due to which only certain people will be given the permission for access to your data.

Customers are given complete control of their data very rarely in cases when Microsoft needs data access for a dispute resolving (Office 365 secure storage Customer Lockbox). Proactive risks management is provided by Office 365 security system, as well as scanning of port and perimeter, and precise regulation of processes from confirmed list on the server. These functions provide reliable protection from malware and unauthorized accesses.

Data security

This is the confidentiality and data integrity protection from natural hazards, systems damage, equipment failure or illegal user acts. Applying the encryption of inactive and forwarded data protects it on servers as well as on storage devices, or during the process of transmission from user to Microsoft or backwards.

Besides dealing with current threats, monitoring security system and each system operation interference or data damage preventing, Office 365 offers a detailed Service Level Agreement (SLA) for disaster recovery and to ensure business continuity, which helps to cover all requirements for security.

How is compliance managed by Office 365?

Customers are supported by the Office 365 platform worldwide based on a numerous standards and regulations which determine the processing of information resources. The list of supported by Microsoft security and compliance standards is constantly expanding.

The core principle of reliance in Office 365 is certainly compliance. The companies have many regulations and policies that are required to be taken into account for running business in different areas. Such policies can consist of regulatory standards which depend on industry, geographic location, and on certain company’s internal policies.

There are embedded capabilities and user controls in Office 365 which will help the client to fulfil both industry-specific regulations and internal requirements and be in step with ever changing modern norms and legislation.

For these achievements to be consolidated, and to carry on winning users’ favour, Microsoft conducts independent audits that confirm its compliance with all policies and methodologies of security, compliance, and confidentiality.

The main elements of embedded compliance capabilities include independent audit to ensure that Office 365 comply with numerous international industry norms and certificates.

The management infrastructure used by Office 365 provides a strategic perspective to implementing extensive compliance control functions which meet a variety of industry-specific regulations. Over 600 management functions are supported by Office 365. This allows Microsoft to ensure compliance with complex standards and to enter into contracts with clients from regulated industries, such as ISO 27001, standard EU regulations, HIPAA Business Associate Agreements, FISMA/FedRAMP.

What is more, Microsoft uses a full data processing agreement to address security concerns related to client data. This helps clients to meet the local regulations. For additional information check the article with questions and answers on ensuring compliance with Microsoft regulatory requirements (https://www.microsoft.com/online/ legal/v2/en-us/MOS_PTC_ Regulatory_Comp.htm).

Microsoft has developed three useful services to provide clients with full control over compliance in Office 365.

  • Data loss prevention or DLP. It is both a strategy and a toolkit which helps administrators manage the traffic of confidential or vital data outside the corporate network. Because of DLP, administrators are able to set up policies depending on their company’s compliance requirements in order to minimize the possibility of accidental financial information, personal information (PH), or other important information about intellectual property revealing. DLP policy hints place notifications directly in the user email, warning the user of potential hazards prior to email sending. The notifications can also be used as an educational tool to familiarize personnel with the corporate compliance policies.
  • eDiscovery center. The electronic data discovery is the process thanks to which it became possible to search, discover, and protect electronic records in order to use it in legal issues resolving. These capabilities of Office 365 enable to search for information on SharePoint online sites, Exchange Online mailboxes, One Drive business accounts, or at one time in all listed stores. This eDiscovery center allows to create “dossiers” which in turn provide interaction space for gathering the core elements needed to form the evidence base. Any information kept in given environment can be discovered in Office 365 using eDiscovery, including even e-mail messages that were archived.
  • Messaging Records management. It is a domestic Office 365 storage technology. Configuration options allow to apply record management policies to both Exchange Online and SharePoint content for specifying the information to kept and the one that is no longer needed. Logging and audit reports preparing allow tracking everything from administrator actions to documents access or deletion. Many logging and reporting functions are provided, which can be customized to meet specific needs. The combination of email archiving and eDiscovery can considerably ease the tasks for users and administrators by reducing the number of operations needed for organizing the Inbox and by applying automatically a data storage policy according to the type of used information. An additional benefit of archiving is that there is no need for your users to sort their mail messages in independent archive files on local systems that may exist outside of your IT Department.

We can help you to migrate your corporate IT infrastructure to the cloud and to implement Office 365. Contact us [email protected]