What you need to know about Office 365 security and compliance
The first thing you need to know about Office 365 security and compliance is that Office 365 is based in the public cloud. That means that the cloud servers are shared between different users. Although Microsoft takes effective measures to ensure that each user’s data is kept private, some organizations just cannot use public clouds at all for legal reasons. For the most part, however, it’s perfectly feasible for SMBs to use Office 365, even when they have to comply with programs such as HIPAA. Here’s a quick guide to what you need to know.
Data ownership always rests with the Office 365 customer
There seems to be a lot of confusion about data ownership and cloud services so here are the basics. In Office 365 data ownership always rests with the Office 365 customer and Microsoft never touches the data unless it is legally obliged to do so (e.g. to respond to a subpoena). There are internal security measures in place to ensure that Microsoft employees do not gain inappropriate access to a third party’s data.
Any customer can withdraw their data from Office 365 any time they wish to do so and if they do then Microsoft will purge all records of it. Microsoft does not analyze or mine the data in any way. It aggregates statistics on usage (to improve its service), but that is all.
Possibly the concerns about Office 365 have grown up because of reports that free cloud services were aggressively (and possibly illegally) exploiting the data stored in them. These reports may or may not be true, but Office 365 is not a free service. Quite the opposite, it’s a commercial service, backed by a U.S.-based company which has spent decades establishing a rock-solid reputation for security and reliability.
Even a public cloud can be at least as secure as an SMB’s internal infrastructure
In practical terms, any form of security is only as good as its management. The simple fact of the matter is that Microsoft has the resources (and industry prestige) to hire the best security personnel around, which puts them in a great position to implement effective security. By contrast, the average SMB is much less likely to have the resources to offer the sort of pay and benefits skilled cybersecurity professionals expect.
Added to this, Microsoft can host its cloud servers in buildings which are quite literally designed with security front and center. For example, they can choose out-of-town locations, which might not be at all convenient for the average business. They can also afford to equip these buildings with state-of-the-art security way beyond anything the average SMB could afford, even if they were able to fit it into their building.
Additionally, Office 365 has many in-built security tools, which make it possible for its customers to create their own balance of security and convenience. For example, Office 365 offers multi-factor authentication, which is vastly more secure than password-only authentication. It is, however, less convenient, which is why there is the option of whitelisting certain IP addresses. This means that Office 365 customers can opt to allow their staff to bypass MFA when they are in the office but use it when they are in another location.
In short, although no company can ever guarantee that its systems are totally hacker-proof, Microsoft can and does guarantee that it will apply the highest levels of security to Office 365 and the data stored within its system.
Compliance is basically the ability to show that you’ve done the right thing
Regardless of whether you’re looking at HIPAA, PCI/DSS, GDPR or any other program, all compliance basically works along similar lines. Mandates are set down and if you are audited or challenged in any other way, then you need to be able to demonstrate that you behaved in accordance with them. Sometimes this will require showing that you followed a specific instruction. Sometimes it will involve showing that you acted within the spirit of the regulation. In either case, however, the key word is “showing”.
All compliance programs place massive emphasis on record keeping and the good news is that Office 365 does too. There are all kinds of native reporting tools you can use to keep an eye on who is doing what with your data (and, more importantly, with your customers’ data). In addition to this, you can invest in third-party reporting tools, which can be very convenient if you want a quick and simple way to demonstrate compliance with specific programs. They’re can also offer improved search capabilities, which can be useful for answering specific questions.
If you’d like to know more about Office 365 security and compliance, please click here now to contact Aperio.IT.