Overview of Office 365, SharePoint Online and My Data

A major area of concern about Office 365 is the lack of understanding about how and where the data itself is stored and what proactive measures are being taken to ensure that your data is safe.

As part of our research and our ongoing consulting efforts at EPC Group in relation to Microsoft SharePoint 2013 and Office 365, we were able to take a tour of an Office 365 data center/facility and hear firsthand from Microsoft some of the steps they are taking to help customers feel at ease about their data.

With any data that is outside your organization’s direct control (that is, outside of your on-premises network), there are justifiable concerns. One of the main detractors a lot of large organizations or organizations withsensitive or proprietary data are wary of the hosted cloud model.

The following section details what Microsoft is doing in terms of protecting data within Office 365, as well as the precautions they are taking to address these security concerns.

Understanding the Physical Hardware behind Office 365

The actual Office 365 data itself is stored in the Microsoft network of data centers led by Microsoft’s Global Foundation Services.

These data centers are located around the world in strategic locations to take into consideration business continuity, disaster recovery, and government stability throughout the globe.

Microsoft has architected and literally built these data centers from the ground up to protect services and data from not only natural disaster but physical intrusion or physical attack and unauthorized access as well.

Per Microsoft’s statement, “Data center access is restricted 24 hours per day by job function so that only essential personnel have access to customer applications and services.” There are multiple failover controls and security processes.

There are required security processes including badges and smart cards, biometric scanners, on-premises armed security officers, and 24-7 continuous video surveillance, including various two-factor authentication methods.

There are also motion sensors and security breach alarms, as well as seismically braced racks where required, and automated fire prevention and extinguishing systems in case of natural or man-made disasters.

Office 365 and Network Security at Microsoft

The overall networks that run the underlying Office 365 infrastructure are segmented to provide physical separation of critical backend servers and storage devices.

These are set apart from any public-facing interfaces, and the implementation of edge router security provides the ability to detect intrusions and signs of vulnerability.

All the client or external connections to Office 365 use SSL for securing Outlook, Outlook Web App, Exchange ActiveSync, POP3, and IMAP as stated by Microsoft in a recent press release.

All customer connections are encrypted using industry-standard transport layer security (TLS)/Secure Sockets Layer (SSL), which uses a secure client-to-server connection to help provide data confidentiality and integrity between the desktop and the data center.

The TLS between Office 365 and external servers for both inbound and outbound email is also enabled by default.

Antivirus and Anti-Spam

Microsoft has publicized that Office 365 utilizes a multi-engine anti-malware that protects against 100% of known viruses and that is continuously updated. The solution also provides for anti-spam protection, capturing 98%-plus of all inbound spam, while the underlying engine uses advanced fingerprinting technologies that identify and stop new spam and phishing vectors in real time.

Can Others See Your Data?

A major concern most customers have is whether others can see their data. Office 365 is architected as a multitenant service but that also means that customers do share hardware resources.

Office 365 is designed to host multiple tenants securely through data isolation as each tenant is segregated through Active Directory, which isolates customers using security boundaries or silos.

This is architected in a manner to help ensure that different companies that share hardware resources—that is, co-tenants—will not have their data accessed or compromised by another tenant that is not associated with that organization.

Microsoft does provide the option for organizations to procure dedicated hardware for an Office 365 deployment if required, but that is a path that in some cases seems counterintuitive to the main reason Office 365 exists.

What Type of Encryption Is Deployed?

Microsoft stores Office 365 customer data in multiple states in the US as well as in data center's across the globe. Data is stored at rest on storage media and in transit from the data center over a network to a customer device. All email and related content are encrypted on disk using BitLocker 256-bit AES Encryption.

This protection architecture covers all disks on mailbox servers and includes mailbox database files, mailbox transaction log files, search content index files, transport database files, transport transaction log files, and page file OS system disk tracing/message tracking logs.

EPC Group Tip

BitLocker 256-bit AES Encryption is a combination of full disk encryption designed to protect data for entire disk volumes. It uses the AES encryption algorithm.

The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST). AES is widely used by the U.S. government as well as governments throughout the globe.

The BitLocker 256-bit AES encryption policies are also applied to all email contents including these types:

• Mailbox database files
• Mailbox transaction log files
• Search content index files
• Transport database files
• Transport transaction log files
• Page file OS system disk tracing/message tracking logs

How Proactive is Microsoft Being to Protect Your Data?

Microsoft uses a methodology for the protection of Office 365 referred to as “Prevent Breach.”

This is a defensive strategy aimed at predicting and preventing a security breach before it happens, but the defensive strategy connotation realistically contains offensive measures, including port scanning and remediation, perimeter vulnerability scanning, OS patching to the latest updated security software, network-level DDOS (Distributed Denial of Service) detection and prevention, and multifactor authentication for service access.

The processes Microsoft’s staff uses also involves continuous auditing of all operator and administrator access, as well as a review of subsets of actions. Access is granted for specific tasks on an as-needed basis to troubleshoot issues of the service should they arise.

An interesting element I found is that the staff’s email is actually segmented during work on specific issues for an added layer of protection in regard to communications with other staff members during troubleshooting and so forth.

As in most data centers and highly sensitive environments, the staff members must pass background checks, and should an employee leave the organization, all of that employee’s accounts are deleted and his or her access is audited and scrutinized to prevent any lagging accounts from existing within the environment.

The following is a list of prevention breach items that Microsoft has established regarding the proactive nature of Office 365 security:

• Port scanning and remediation
• Perimeter vulnerability scanning
• OS patching
• Network-level DDOS detection and prevention
• Auditing of all operator access and actions
• Zero standing permissions in the service
• Just-in-time elevations
• Automatic rejection of non-background-check employees to high-privilege access
• Automatic account deletion
• When employee leaves
• When employee changes groups
• When there is lack of use
• Isolation between mail environment and production access environment for all employees
• Automated tooling for routine activities

In summary, having visited several Microsoft Data Centers firsthand and performed an independent audit for EPC Group's Hybrid Cloud Advisor Practice, I was extremely impressed at how proactive Microsoft is being to ensure that data is secure and compliance standards are being upheld to truly meet their advertised underlying service level agreements (SLAs).

EPC Group’s Nationally Recognized Practice Areas

EPC Group leading SharePoint, Office 365, Infrastructure Design and Business Intelligence Practice areas continue to lead the way in providing our clients with the most up-to-date and relevant information that is tailored to their individual business and functional needs.

Additional "From the Consulting Trenches" strategies and methodologies are covered in EPC Group's new book, "SharePoint 2013 Field Guide: Advice from the Consulting Trenches" covering not only SharePoint 2013, Office 365 and SharePoint Online but Information Management, ECM\RM and overall compliance strategies in this ever changing world of "Hybrid IT."