One common question among businesses considering Office 365 is “Is it secure?” This is a great question to ask of any software, app, or company with access to your data (and should probably be asked more than it already is). The short answer is yes*, but a lot of the security is your responsibility.
Microsoft has done and continues to do a fantastic job of protecting your data. The datacenters where your content is physically stored are guarded and monitored 24/7 and have strict security measures like biometric scanners to prevent unauthorized persons. Furthermore, the personnel onsite at the datacenters don’t have access to your data; they only protect it – a practice called ‘role separation.'
Even before it gets to the datacenters – it’s still secure. Not to be too geeky, but Microsoft uses ‘encryption in transit’ for all data, which means that your data (as soon as you press send on an email or upload a document to OneDrive) is protected against eavesdropping.
But Microsoft doesn’t protect everything. They operate under a model of “shared responsibility” – this means they’re responsible for securing some things, and the customer is responsible for securing some things.
The responsibilities change depending on the type of service. For example, if you have a Windows Server at your office, physical security of the server is your responsibility. If you’re using a cloud service like Office 365, physical security of the cloud server is their responsibility.
In Office 365, you are entirely responsible for data classification. This basically means it’s on you to distinguish between sensitive data and public data (if you’re in a regulated industry, you may have specific requirements for this).
You’re also responsible for client & end-point protection and identity & access management. You’re responsible for who you give access to your data – whether willingly (like your employees) or unwillingly. Encryption in transit and protected datacenters don’t help if you keep your password on a sticky note underneath your keyboard or if someone in your company falls for a phishing attack.
This Microsoft article explains the responsibilities based on application type: https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
You’re not completely on your own, though. Office 365 has security features you can (and should be using) to help secure your environment:
Multi-Factor Authentication (MFA): Multi-factor authentication is one of the single most effective ways you can protect yourself. Multi-factor authentication requires two or more forms of authentication.
Typically, this is something you know (your password) and something you have (like a one-time use code from your cell phone). Office 365 already has multi-factor authentication included, and add-on options are available. It can also be added to your computer login. Many websites, including Google and Facebook, also have MFA available.
Mobile Device Management (MDM): Are you 100% certain that all your employees are perfectly happy? Can you afford to let even one of them leak your confidential data? Or – ever have an employee have a phone get lost or stolen?
MDM allows you to prevent employees from accessing corporate data on personal devices and gives you the ability to remotely wipe that corporate data (leaving all personal data intact and untouched). It’s included in Office 365 – you just have to set it up (we can help with that).
Use the “Security & Compliance” controls: Although you have to be an administrator, this easy to use portal allows you to monitor inbound and outbound spam/malware, the amount of inbound/outbound email (including those responsible), and various other controls that help you gain insight into where the data in your organization is going and how it’s being used.
This is certainly not everything. Office 365 has additional security features available and add-ons to help you manage and control your environment. An experienced Office 365 partner can also help you manage your environment to keep information safe.
*Important note: There is never a 100% guarantee when it comes to cybersecurity. By yes, we mean that Microsoft takes the necessary steps to secure your data. They have an incredibly large security team dedicated to securing and protecting customer data. This does, however, guarantee there will never, ever be some sort of breach. No company can ever make that promise, and quite frankly, you should be wary of any company that claims that can.