How Secure Is Office 365?

At its core, Office 365 operates some of the most secure data centers in the world, adhering to Microsoft’s internally-developed Security Development Lifecycle. Many of the best practices were developed over decades of Microsoft’s own enterprise software development efforts, and since the late 1990’s, this has included a host of online services.

“Office 365 is verified to meet the requirements specified in ISO 27001, European Union (EU) Model Clauses, the Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA), and the Federal Information Security Management Act (FISMA). Our data processing agreement details the privacy, security, and handling of customer data, which helps you comply with local regulations.” Microsoft Trust Center

Office 365 logoThe Office 365 platform provides enterprise-grade user and administrator controls, giving organizations the ability to manage and scale their environments with the assurance that all physical, logical, and data security layers adhere to industry best practices (or better). Microsoft makes continuous improvements to the security of the Office 365 platform, from port and perimeter scanning to regular auditing of operator/administrator activities and access.

While organizations need to understand how they are meeting their security and compliance needs today, and how Microsoft can improve on that, customers of Office 365 are ultimately responsible for their own data. Microsoft provides broad oversight of the service plan, including service uptime and SLAs. Customer requirements for security and compliance will likely extend beyond these capabilities – and organizations need to understand the limitations of their service plans and have strategies in place to mitigate these gaps.

In a 2019 study conducted by CollabTalk and the Marriott School of Management at Brigham Young University that was sponsored by Microsoft and leading ISV partners, the top issues identified by respondents was not the technology, but administrator and end user education:

  • When asked how Microsoft could enhance the security of their products, 83% of research respondents requested more assistance in understanding and implementing Microsoft products.
  • Of those that thought Microsoft security was sufficient, 80% of respondents have either not run security and compliance checks, or do not know if they have.
  • Of those who did not think the current security protection offered by Microsoft was sufficient, 57% of respondents were not aware of Microsoft’s security division.
  • Of those who did not think the current security protection offered by Microsoft was sufficient, 71% of respondents were not aware of Microsoft’s overall security and compliance strategy.

The overall governance of your Office 365 environment has less to do with the technology and more to do with the practices and procedures you put in place to administrate your information assets. Office 365 provides the tools and capabilities you require to develop sound governance standards and meet your internal and industry-defined governance requirements.

Based on our primary and secondary research, six key recommendations were identified to improve organizational security and compliance practices within Office 365:

  1. Approach security and compliance more holistically, looking at it as an integrated business solution rather than through functional silos or individual workloads. Make each topic part of your existing or future governance oversight committee meetings, as review and management of security and compliance issues will likely comprise a large portion of your ongoing operational activities. Develop metrics for each workload that will be meaningful at the company-level, as well as the business unit or team-level and provide deeper insights into how different user groups are adhering to company security and compliance standards.
  2. Identify feature gaps and create an operational strategy for those gaps, allowing CSOs, IT Managers, and other key business stakeholders to understand the features and limitations of each workload within Office 365 (For example, OneDrive can only restore deleted files for 93 days) and more transparently manage employee expectations.
  3. Conduct scheduled inventory audits on a regular basis to help clean up and classify data and improve information architecture (IA) across the board. Setting security and compliance policies is difficult when managers and employees do not know the state and disposition of their information assets. Audits provide visibility, and present opportunities to re-evaluate the priority of information assets, as well as to make policies and procedures around the content lifecycle clear to everyone.
  4. Create a training plan to better disseminate policies and procedures that moves beyond one-time training and makes awareness of security and compliance standards part of a mandatory education plan. Training plans that incorporate multiple tools and distribution methods are always more effective than simply providing a digital training PDF or posting a single training video to the company intranet. Organizations should take the time to create training assets that match the learning culture within the organization, providing self-help tools (videos, content, internal quizzes) and both formal and informal sessions (classroom, brown bags, ask me anything (AMA) discussions) to reach the broadest audience.
  5. Develop necessary governance and change management programs and committees to advance these ideas, support transparency, and to hold the organization accountable. This is especially critical as the pace of the Office 365 change release process is incredibly fast (including monthly and weekly builds), and organizations can easily miss key improvements or new features if they fail to stay on top of these releases.
  6. Better leverage the latest technology, getting “out in front of it” by “dogfooding” the latest features (pilots) to understand how new features can be utilized. More than ever, Microsoft tries to provide business guidance and user scenarios for all new features and capabilities, documenting administrator and end user guidance to help customers quickly adopt. Organizations that create an environment where new features are quickly testing and deployed will have a distinct competitive advantage over those who fail to adapt and adopt new solutions. This is especially true with security and compliance features, which can have an immediate impact through risk reduction.

Christian Buckley

Christian is a Microsoft Regional Director and M365 Apps & Services MVP, and an award-winning product marketer and technology evangelist, based in Silicon Slopes (Lehi), Utah. He is a startup advisor and investor, and an independent consultant providing fractional marketing and channel development services for Microsoft partners. He hosts the weekly #CollabTalk Podcast, weekly #ProjectFailureFiles series, monthly Guardians of M365 Governance (#GoM365gov) series, and the Microsoft 365 Ask-Me-Anything (#M365AMA) series.