No offering in Microsoft history has resonated more than Office 365. Customers trust that the platform will not only meet their professional needs, but also provide reliable protection and management of business-critical information assets.

Security in Office 365 is achieved through continuous monitoring, maintenance, improvement, reporting, and validation. Microsoft is committed to showing that your data in Office 365 remains yours: it will never be analyzed for advertising campaigns, and it will never be accessed except for the purpose of providing the cloud services you subscribe to. When you subscribe to Office 365, you are presented with a series of regulatory notices describing how the service is managed.

Of course, various websites and Microsoft documents contain the most comprehensive information, but it is often presented in disparate formats and scattered across many sites, making it difficult to learn important topics. We believe it would be useful to provide a single, comprehensive overview of the data protection measures in place in the Office 365 platform, which will serve as a solid basis for developing a data management strategy for the company.

The structure of this article is very simple: we provide a detailed description of the various security, compliance, administration, and governance features that are available in Office 365. A single order of presentation is chosen for all topics:

  • A description of each control or data protection function.
  • An explanation of its purpose and methods of application.
  • Sources of additional information.

We are confident that this material will be an indispensable resource for Office 365 admins and security professionals. Microsoft has worked hard to address concerns about data security in Office 365 as far as possible. Be sure to check out the Office 365 Trust Center for detailed explanations of all of the topics discussed in this article. The site promptly reflects any changes to the standards applicable to Office 365, provides information on new security measures, and links to the many national and international certifications issued to the cloud platform.

The purpose of this guide is to provide an overview of these materials to help readers understand Microsoft's approach to protecting the integrity of your data and improving the quality of the services that Office 365 provides. The information in this article can be divided into four categories: security, compliance, administration, and governance.

If you have any responsibility for the technical development or maintenance of the Office 365 platform, if you are a business owner concerned about how your data is processed in Office 365, or if you are trying to learn more about the platform's administrative functions, then this guide is for you. ...

How Office 365 keeps you safe

Now, after reviewing the topics that will be covered in this article, let's take a look at each of the security, compliance, administration, and governance capabilities of the Office 365 platform, starting with data security.

Office 365 is built on some of the most secure data centers in the world and is developed under Microsoft's Security Development Lifecycle (SDL). These practices have matured over decades of Microsoft building its own enterprise software and, since the late 1990s, operating numerous web services.

The Office 365 platform provides enterprise-grade user and administrative management features that enable organizations to scale their environments while ensuring security at all levels (physical, logical, and data) and compliance with industry standards. Microsoft continually improves the security of the Office 365 platform, from port and perimeter scans to regular audits of operator and administrator activity and access. If you would like to keep abreast of the steps Microsoft is taking to protect your data, we recommend that you check the Office 365 Roadmap (https://products.office.com/en-US/business/office-365?roadmap) and visit it regularly for the latest updates.

Physical security

This section focuses on controlling access to systems and data. Microsoft provides 24/7 security for all data center equipment, including multifactor authentication for all systems and biometric scanning for physical access. All systems on the internal network are separated from the external.

In addition, because roles are separated, even people with physical access to systems cannot locate specific customer data. Operating procedures in the data center ensure that hardware and systems are kept updated and optimized, and that faulty drives and devices are degaussed and destroyed. You can rest easy knowing that the hardware that holds your data is protected in one of the most trusted data centers in the world.

Logical security

Logical security is about protecting your software and platform through authentication, passwords, permission levels, and other measures that allow only authorized people to access your data. Microsoft gives customers control over their data even on the rare occasions when Microsoft needs access to it to resolve a support issue (Office 365 Customer Lockbox). Office 365 provides proactive threat management, port and perimeter scans, and precise control of approved process lists on the server, protecting against malicious code and unauthorized access.

Data security

Data security protects the confidentiality and integrity of data against natural disasters, system damage or equipment failure, and unlawful user actions. Encrypting data at rest and in transit protects it on servers and storage devices and while it moves between the user and Microsoft.

In addition to combating current threats, monitoring security, and preventing any system tampering or data corruption, Office 365 provides detailed service level agreements (SLAs) for disaster recovery and business continuity to help meet all security requirements.

How does Office 365 manage compliance?

The Office 365 platform supports customers around the world by complying with various standards and regulations governing the handling of information assets. Microsoft is constantly expanding the list of supported compliance and security standards.

One of the key tenets of trusting Office 365 is compliance. Commercial organizations have regulations and policies that must be met to conduct business in a variety of areas. These policies can be a combination of external regulatory requirements, depending on the industry and geography, and internal company policies.

Office 365 has built-in capabilities and customizable controls to help you comply with both industry regulations and internal requirements, and to keep pace with today's ever-changing standards and regulations. To build on these gains and continue to earn users' trust, Microsoft is independently audited to verify that it adheres to all of its policies and procedures for security, compliance, and privacy.

Key aspects of the built-in compliance capabilities include independent audits that certify Office 365 compliance with many global industry standards and certifications. Office 365 uses a governance framework that takes a strategic approach to implementing extensive compliance controls, which in turn satisfy a variety of industry regulations. Office 365 supports over 600 controls that enable Microsoft to meet complex standards and offer contracts to customers in regulated industries, such as ISO 27001, the EU Model Clauses, HIPAA Business Associate Agreements, and FISMA / FedRAMP.

In addition, Microsoft uses a comprehensive data processing agreement to address privacy and security concerns regarding customer data, helping customers comply with local regulations. For more information on this topic, see the Microsoft Regulatory Compliance FAQ (https://www.microsoft.com/online/legal/v2/en-us/MOS_PTC_Regulatory_Comp.htm).

To give customers the most complete control over Office 365 compliance, Microsoft has developed three helpful services.

Data Loss Prevention (DLP). DLP is a strategy and toolkit that helps administrators manage the flow of sensitive or critical information outside the corporate network. DLP allows administrators to tailor policies to their company's compliance needs to reduce the likelihood of accidental disclosure of financial information, personally identifiable information (PII), or other sensitive intellectual property. DLP Policy Tips place notifications directly in the user's email client, alerting them to a potential exposure before the message is sent. These notifications also serve as an educational tool, teaching employees about corporate compliance policies as they work.
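As an added example that is not part of the original article, the following Security & Compliance PowerShell session creates the kind of DLP policy described above: scoped to Exchange Online mailboxes, matching payment card numbers in mail leaving the organization, showing a Policy Tip to the sender, and left in test mode so its effect can be reviewed before enforcement. The ExchangeOnlineManagement module, the Compliance Administrator role, and the policy name and report mailbox address are assumptions.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell endpoint

$policyName = 'Contoso-Financial-Data'   # placeholder policy name

# Scope: all Exchange Online mailboxes. TestWithNotifications shows Policy Tips
# and produces incident reports but does not block anything yet.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment 'Pilot: detect payment card numbers leaving the organization'

# Rule: match at least one credit card number in a message whose recipients are
# outside the organization, notify the sender via a custom Policy Tip, and send
# an incident report to the compliance mailbox (placeholder address).
New-DlpComplianceRule -Name "$policyName-CreditCard" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message appears to contain a payment card number. Review it before sending.' `
    -GenerateIncidentReport 'compliance-alerts@contoso.example' `
    -BlockAccess $false

# Review the resulting configuration before switching -Mode to Enable.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, ExchangeLocation
Get-DlpComplianceRule -Policy $policyName | Format-List Name, AccessScope, NotifyUser, BlockAccess
```

Once the incident reports show the expected matches and no excessive false positives, the same policy is moved to enforcement with `Set-DlpCompliancePolicy -Identity $policyName -Mode Enable` and, if desired, `-BlockAccess $true` on the rule.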

eDiscovery Center. Electronic discovery (eDiscovery) is the process of searching for, identifying, and preserving electronic records for use in legal matters. The Office 365 eDiscovery capabilities let you search for information in SharePoint Online sites, Exchange Online mailboxes, OneDrive for Business accounts, or all of these stores at once. The eDiscovery Center enables the creation of cases that provide a shared workspace for collecting the key items needed to form an evidence base. With eDiscovery in Office 365, you can discover any information stored in your environment, including archived email messages.

Messaging Records Management (MRM). MRM is the built-in retention technology in Office 365. Its configuration options let you apply records management policies to both Exchange Online and SharePoint content, specifying which information must be retained and which is no longer needed. With logging and audit reporting, you can track everything from administrator actions to document access and deletion, and the many logging and reporting features can be tailored to your specific needs. The combination of email archiving and eDiscovery eases the burden on users and administrators by reducing the work involved in organizing mailboxes and by automatically enforcing data retention policies based on the type of information involved.

Continuous Compliance Services

Continuous Compliance Services is the framework of processes and controls that Office 365 uses to proactively monitor and manage the platform. There are more than 1,000 controls, and the number is growing; Microsoft regularly reviews its own data handling policies and procedures to support new customers and industry standards. As new customers join the service, each customer agreement specifies the data processing, privacy, and security processes required to comply with local data regulations. Microsoft continually reviews evolving industry standards to ensure that the Office 365 compliance framework stays up to date.

In addition, legal hold and eDiscovery capabilities are built into the system to help search, store, analyze and package electronic content for legal inquiries or investigations, while DLP can help identify, control and protect sensitive information.

International certifications and compliance standards

Microsoft recognizes that customers around the world are subject to various laws and regulations. Legal requirements and standards in one country or region may not apply in other regions.

Microsoft operates in many regions, countries, and economic zones, and it is continually expanding its range of services and features to ensure compliance with a wide range of regulations and privacy practices, in line with customer needs.

The list below includes some of the core certifications and compliance standards implemented in the Office 365 platform. However, it is ultimately the customer who determines whether these standards meet their regulatory requirements.

  • US Health Insurance Portability and Accountability Act (HIPAA).
  • Data Processing Agreements (DPA).
  • US Federal Information Security Management Act (FISMA).
  • Federal Risk and Authorization Management Program (FedRAMP).
  • ISO 27001.
  • EU Model Clauses.
  • US-EU Safe Harbor Agreement.
  • Family Educational Rights and Privacy Act (FERPA).
  • Statement on Standards for Attestation Engagements No. 16 (SSAE 16).
  • Personal Information Protection and Electronic Documents Act of Canada (PIPEDA).
  • Gramm-Leach-Bliley Act (GLB).