Firstly, it’s important to understand that Microsoft offers various levels of security to its users within Office 365. No one has specific access to data - No third party, literally no one.
Each data centre (where data is stored) has a strict control of access as to who can actually enter the data centre and what they can do; this is governed by what Microsoft called ‘Lock Box’. Essentially this means that if an engineer does have to go into the data centre then there is a strict access control as to what the engineer can do – at no point will that engineer have access to the data; it’s mainly just troubleshooting tasks.
Below is a brief overview on some of the various layers of security offered on different layers:
Network Layer - Firstly all data on Office 365 is encrypted in transit using TLS/SSL; this ensures that data is confidential – so if a user did ‘intercept’ communication, then the results would be scrambled and would be of no use to them.
Physical Layer - On-Premise, IT staff know exactly where the disk that contains the data is, they know exactly which computer it is on and exactly how to get to it; this is generally how a premise environment is run, in that someone knows exactly where the data is. A malicious user once on the server has the ability to do whatever they want, i.e. run code, delete data, copy data, remove the drive etc.
In the cloud world, the only people who can get into the data centre are the engineers, for example during maintenance, but because there are strict access controls in place, this is mainly just to administer troubleshooting tasks.
Having the ability to find out whose server is whose, which partition data lives on, or where it lives within the data centre is like finding a needle in a haystack. The size of the data centre and the amount of servers would mean a malicious person would never know which disk drive belongs to a particular person.
But in a worst case scenario, supposing an engineer pulls a drive out, Microsoft have invested in BitLocker which basically means that the drive that is pulled out will be wiped.
Furthermore Microsoft have a Blue team and Red team to ensure they’re up to speed on data security - The Red team are constantly trying to ‘hack’ into Microsoft data centres whilst at the same time the Blue team are consistently trying to prevent those attacks.
Key things to note on Microsoft cloud security:
Logical Layer - No code that is not known to Microsoft is allowed to be executed on any of the servers; i.e. it can’t get random code out of the environment and run it on servers. Only known processes are white listed to run on servers. This would make it virtually impossible for a malicious user to run a malicious code on a server (that’s if they ever got on).
User Layer - The Office 365 admin portal offers much more in terms of security; some listed below:
- Multi Factor Authentication – This is a two way sign in process, making it harder for a malicious user to get into your account; when a user signs into their Office 365 account with their username and password – an additional layer of security must be acknowledged via a phone call or text before that user can sign in. This feature is also available on most Hotmail / Outlook accounts.
- Data Loss Prevention – DLP essentially scans emails for sensitive information, such as “Credit Card Number”. Warnings can be given to the sender alerting them and give the sender control of whether they would like to send the email or not. If the sender agrees to send the email, then it can be encrypted using TLS encryption or we could apply rights management
- Rights Management - This is a list / library setting (within SharePoint) that allows site owners to protect attachments stored against list items and / or supported file types. For example, if a document is downloaded, the file is encrypted so only authorised people can view it. Furthermore the file can have restrictions imposed on it making it impossible for users to print, copy, save a local copy etc.
There is a fantastic white paper which is available to download which details the above with additional security measures Microsoft have taken to ensure data is safe in the cloud. Download here.