The ability for organizations to control and customize security features in cloud-based productivity services, such as email, calendars, content management, collaboration, and unified communications, is becoming an essential requirement for virtually every company. Today, IT teams are being required to deliver access to productivity services and associated documents and data from more devices, platforms, and places than ever before. While user benefits are undeniable, broader access makes security management more challenging. Each endpoint represents a potential attack surface and another point of management for security professionals. At the same time, organizations face ever-evolving threats from around the world and must manage the risk created by their own users accidentally losing or compromising sensitive data. For these reasons, organizations require a cloud solution that has both (a) built-in robust security features and (b) a wide variety of customizable security features that organizations can tune to meet their individual requirements.

Organizations expanding remote access while maintaining security best practices may find it difficult and expensive to add this combination of security functionality if they deploy productivity services solely on-premises. Microsoft is an industry leader in cloud security and implements policies and controls on par with or better than on-premises data centers of even the most sophisticated organizations.

Security in Office 365 consists of three parts. First, Office 365 is a security-hardened service that has security features built into the service by default. Office 365 customers benefit from in-depth security features that Microsoft has built into the service as a result of experience gained from two decades of managing online data and significant investment in security infrastructure.
Office 365 has implemented and continues to invest in and improve processes and technologies to proactively identify and mitigate security threats before they become risks for customers. Not many organizations can afford an on-site IT setup with built-in security features at the same level as Microsoft's at a reasonable price. Office 365 has been designed for small businesses through large enterprises and is deployed by IT consulting companies as well as providers of IT Services Sydney and Australia wide.

Second, Office 365 offers security controls that enable customers to customize their security settings. Office 365 is trusted by customers of all sizes across virtually every industry, including highly regulated industries such as healthcare, finance, education, and government (deployed by IT Solutions Sydney and Australia wide providers for Australian organizations). Since Office 365 manages productivity services for such a wide range of industries and geographies, it offers feature choices that customers can control to enhance the security of their data.

Third, security in Office 365 includes processes that allow for independent verification and compliance with industry standards. Security in Office 365 is all about built-in security, customer controls, and independent verification and compliance.

In 2008 Bill Gates announced that the company would offer online versions of its popular Exchange Server and SharePoint Server software for businesses of all sizes. The services, which in 2009 became part of the Microsoft Business Productivity Online Suite (BPOS), gave thousands of global businesses their first taste of cloud computing by providing access to email, calendaring, and shared workspaces over the Internet. But because this first generation of “software-as-a-service” cloud offerings had its roots in traditional server software, it was not fully optimized to take advantage of Microsoft’s global network of technologically advanced data centers.
So, even as BPOS was launching, Microsoft was laying the groundwork for its successor: Office 365. The multi-year development effort, which culminated in the global launch of Office 365 in June 2011, yielded an online business service purposely built to optimize the flexibility, responsiveness, and efficiency of the cloud.

Office 365 is an enterprise cloud service with robust data protections that reflect Microsoft’s core privacy tenets of responsibility, transparency, and choice. Microsoft has a broad network of people and processes that implement privacy standards and provide privacy guidance and training. These are the highlights of Microsoft’s approach to privacy governance in Office 365. The three Microsoft privacy tenets.

Standing the Test of Time – Office 365 employs a variety of risk management mechanisms to appropriately manage regulatory change, organizational change, personnel change, and technological change. Before any of the services that are part of Office 365 launch to the public, subject-matter experts conduct privacy, security, and business continuity risk assessments on each service and work closely with the service owners to remediate any identified risks. After launch, Microsoft uses a process of continuous monitoring called Trustworthy Services Lifecycle to ensure that the data protection systems are functioning properly. Required functionalities are tested annually, semi-annually, quarterly, monthly, or at the time of each new release, depending on the level of risk associated with the particular privacy or security control. Regular risk assessments are conducted to refresh the control framework and, if necessary, to reset priorities if new aspects of the service emerge as high-risk. This multi-layered and continuous approach to monitoring the Office 365 data protection environment helps to quickly diagnose and remedy problems that occur and helps customers respond quickly to shifting regulatory or industry requirements.
Enabling Regulatory Compliance – Many organizations have a responsibility to comply with national, regional, and industry-specific requirements governing the collection and use of individuals’ data. Microsoft is committed to providing detailed information about its cloud services to help these organizations in their assessments. One tool Microsoft has developed to facilitate customers’ assessments of Office 365 is the Office 365 Trust Center, an online repository of detailed information about Office 365 privacy and security practices. On the Security, Audits, and Certifications page of the Trust Center, customers can locate information about the certifications held by both Office 365 and the Microsoft data centers that host the service. One compliance framework in particular—the highly regarded ISO/IEC 27001 standard for information security management systems—forms the foundation of our security and privacy approach with Office 365 and its supporting infrastructure.

Using Customer Data Only for the Customers’ Purposes – In Office 365, Microsoft uses customers’ data only for what they pay for—to maintain and provide Office 365 services. Office 365 does not build advertising products out of customers’ data and does not scan emails or documents for the purpose of building analytics, data mining, advertising, or improving the service without customers’ permission. In addition, Office 365 allows customers to keep their data separate from Microsoft’s consumer services.

Controlling Access to Customer Data – Office 365 applies strict controls over who will be granted access to key customer data. Microsoft and vendor support personnel are required to have a legitimate business justification to request access to Office 365 customers’ core data, and the request must be approved by the person’s manager prior to gaining access. Further, all Office 365 support personnel are accountable for their handling of customer data.
Accountability is enforced through a set of system controls, including the use of unique user names, data access controls, and auditing.

Securing Customer Information and Office 365 Systems – Microsoft understands that robust physical and logical security is a prerequisite for any successful privacy program, and protects Office 365 using a comprehensive security regimen that is monitored 24/7 and updated regularly. Unlike on-premises software that lives behind a corporate firewall and can be accessed only over a virtual private network, Office 365 is designed specifically for secure access over the Internet. Office 365 provides anti-spam and anti-malware technologies that are automatically updated to protect against the latest threats. The security features and services associated with Office 365 are built in, reducing customers’ time and cost associated with securing their IT systems. At the same time, Office 365 enables customers to easily control permissions, policies, and features through online administration and management consoles to meet their specific security needs.

To help our customers find answers to their privacy and security questions about Office 365, Microsoft strives to be as transparent as possible about data protection policies and procedures.

The Office 365 Trust Center – The centerpiece of the transparency effort with Office 365 is the Office 365 Trust Center. The aim of the Trust Center is to tell users, in plain language, exactly how Microsoft handles and uses data gathered in their interactions with Office 365. The site details commitments Microsoft makes to Office 365 customers in six key privacy areas: Data Use Limits; Administrative Access; Geographic Boundaries; Third Parties; Security, Audits, and Certifications; and Regulatory Compliance.

Geographic Boundaries – “Where is my data?” With Office 365, Microsoft provides a thorough summary of its data location strategy on the Geographic Boundaries page of the Trust Center.
Microsoft has a regionalized data center strategy. The specific details of where data is located or accessed from depend on the customer’s ship-to address, which the customer provides when purchasing the service. The three regions are the Americas, Asia, and Europe.

Third Parties – Another frequent topic of concern is third-party access to cloud data. The Third Parties page of the Trust Center links to a current list of Office 365 subcontractors and provides information on how Microsoft works to help ensure that subcontractors comply with privacy requirements.

Customers want clear opportunities to choose whether their information will be collected, shared, or made public. This includes the flexibility to limit or eliminate information sharing or to set different levels of access. For business, government, and education customers, choice means having tools to maintain and control access to the information stored in their cloud accounts. Microsoft has developed a number of tools for administrators within customer organizations to control access to Office 365.

Administrative Access – With Office 365, customers have complete access to their own environment, including user mailboxes, SharePoint websites, and document stores. The customer maintains control over security policies and user accounts. This degree of control enables administrators to effectively enforce their organization’s privacy and security policies. Policies and users can be managed using a web-based management console or remote PowerShell for automation of routine tasks.

Identity Management – Office 365 provides two options for user identification: Microsoft Office 365 user IDs and federated IDs. In the first case, administrators create Office 365 user IDs for each of their organization’s individual users of Office 365. Users sign in to all of their Office 365 services using a single login and password.
Alternatively, customers can choose federated identification, which uses on-premises Active Directory Federation Services (a service of Microsoft Windows Server 2008) to authenticate users on Office 365 using their existing corporate ID and password. In this scenario, identities are administered only on premises. This enables organizations to use two-factor authentication (such as smart cards or biometrics in addition to passwords) for maximum security.