Will the Office 365 Trust Center Allay Cloud Security Concerns?

One of the big concerns many organizations and IT professionals have about moving to the cloud, especially for business-critical workloads like e-mail and calendaring, is that you have to trust someone else with your data. You have to have faith that your provider will maintain its systems properly, assure uptime, not let anyone access or remove your data without your explicit consent, and generally keep your data safe and secure. Cloud providers differ in their level of commitment to security, and also in how transparent they are with customers about what they are doing to fulfill those commitments.

At TechEd 2014, Microsoft’s Julia White, a general manager in the Office 365 division, announced the Office 365 Trust Center, a single place where the company reveals its efforts to keep individual organizations’ tenant data secure both from Internet-based threats and, from a compliance perspective, from governmental agencies and third parties that attempt to force Microsoft to turn over your data.

Microsoft Office 365 Division General Manager Julia White discussing security and privacy concerns in a video clip from the Office 365 Trust Center. (Source: Microsoft)

The Four Pillars of Office 365 Trust

The Office 365 Trust Center stakes the service’s reputation on four pillars:

Office 365 Security

Microsoft considers Office 365 security in four different ways:

  • The security of the physical datacenters where the servers are housed.
  • Logical security, for restricting administrator rights and maintenance processes, as well as application whitelisting on the servers themselves to prevent malicious code from running.
  • Data security, which involves encrypting data both when it is in transit to Office 365 and when it is at rest within the datacenters, as well as monitoring threats and electronic intrusions and preventing attacks.
  • Administrator and user controls for customers, encompassing rights management, the ability to send encrypted e-mail, and data loss prevention features that prevent your employees and users from leaking information in e-mail and attachments.

Takeaway: It is probably fair to say that Microsoft engineers and facilities can carry out this responsibility at least as well as you and your IT department can, given the vast amount of resources the company has.

Office 365 Privacy

The privacy space is where most reasonable objections to moving to the cloud come in. As the ability of governments to intercept and monitor traffic and data, both in transit and at rest, takes center stage after the Edward Snowden / National Security Agency leaks, the question on many minds is whether cloud providers will stand up to law enforcement and intelligence agencies that attempt to gain access to customer data by asking the cloud provider, and not the business, for the keys to the kingdom. The only statement the Trust Center explicitly makes in writing regarding this phenomenon is an infirm one, if optimistic: “If a government approaches us for access to customer data, we encourage the inquiry to be made directly with you, the customer and will challenge attempts to prohibit disclosure in court.”

The other point being made in this section is that your data is never used for advertising or data mining purposes, nor is it sold to outside parties, unlike what you might expect from Google Apps.

Takeaway: The Trust Center will not assuage your concerns if you are worried about the government interfering with your data, even if Microsoft only fulfills the role of data custodian and processor. Microsoft makes no commitment to resist if the FBI shows up with a search warrant and demands the data from your tenant, or even the servers on which your tenant runs in the event that your tenant neighbor, not you, is under investigation. No assurances here.

Office 365 Compliance

Exchange 2010 introduced several litigation-related features like eDiscovery and hold, and those features carried over into Exchange 2013, the basis of the Exchange Online and Office 365 service. Microsoft reveals that the Office 365 service meets HIPAA BAA, ISO 27001, FISMA, and EU model clauses and is independently verified by a third-party auditor. Microsoft also has a team evaluating regulatory standards in major markets around the world and how those standards are evolving, and that team makes design decisions for new controls based on those regulations that will eventually be integrated into the service (and, you would expect, into the on-premises versions of the applicable software—eventually).

Takeaway: If you are already invested in Microsoft Exchange, you don’t lose any features when it comes to compliance, but you don’t gain any, either. If you’re moving from a competing e-mail solution, Office 365 delivers the compliance goods.

Office 365 Transparency

In this pillar, Microsoft reveals that they will always let you know in what geographic region your data lives so that you can stay on top of regulatory data storage requirements, and they have all the usual support channels available as well as a commitment to 99.9% uptime (which, to their credit, they have exceeded in the last seven calendar quarters).

Takeaway: The service is widely available and about as reliable as you will get. This is not news to anyone, although publishing the uptime statistics publicly and exactly may be new.

I am not sure the Office 365 Trust Center is going to change many minds about the cloud and its suitability for any particular implementation. While the whitepapers and videos that go into the behind-the-scenes detail of the service are interesting from the standpoint of seeing faces and imagery, there is not a lot new revealed in the Trust Center materials that really stands out for business decision makers and IT professionals who are not already sold on Office 365.

I’d like to see Microsoft take a position on the following issues:

  • A firm commitment to not offer governments access to data unless you, the tenant and the owner of the data, are informed that data has been made available. No more secret subpoenas or “encouraging” law enforcement to let you know.
  • A timeframe for how the service will evolve with new features and updates—a standardized schedule and a better way administrators could trust that their end user experiences would not change.
  • Data encryption to be on by default and turned off only through a series of dire-sounding warnings.

What would you like to see from Office 365 and the Office 365 Trust Center?