Microsoft Security and trust
Built-in capabilities and Customer controls.
Overview:
The Office 365 Trust Center
Your people and your data are your most important assets and so, as you consider Office 365 for your productivity needs, we want to do our best to answer your top questions upfront. The Office 365 Trust Center is the place where we share our commitments and information on trust-related topics.
With the Office 365 service it's our responsibility to keep your data safe and secure. It's your data. You own it. You control it. And it is yours to take with you if you decide to leave the service. The core tenets of our approach to earning and maintaining your trust are:
Built-in security
- Service-level security through defense-in-depth
- Customer controls within the service
- Security hardening and operational best practices
Privacy by design
- Your data is not used for advertising
- You have extensive privacy controls
- You can take your data with you when you want
Continuous compliance
- Proactive processes to meet your compliance needs
- Customer controls for organizational compliance
- Independently verified to meet evolving standards
Transparent operations
- You know where your data resides and who has access
- Visibility into availability and changes to the service
- Financially backed guarantee of 99.9% uptime
Built-in security:
Office 365 is a security-hardened service, designed following the Microsoft Security Development Lifecycle. We bring together the best practices from two decades of building enterprise software and managing online services to give you an integrated software-as-a-service solution.
At the service level, Office 365 uses the defense-in-depth approach to provide physical, logical, and data layers of security features and operational best practices. In addition, Office 365 gives you enterprise-grade, user and admin controls to further secure your environment.
Physical security
- 24-hour monitoring of data centers
- Multi-factor authentication, including biometric scanning for data center access
- Internal data center network is segregated from the external network
- Role separation renders location of specific customer data unintelligible to the personnel that have physical access
- Faulty drives and hardware are demagnetizedand destroyed
Logical security
- Lock box processes for strictly supervised escalation process greatly limits human access to your data
- Servers run only processes on whitelist, minimizing risk from malicious code
- Dedicated threat management teams proactively anticipate, prevent and mitigate malicious access
- Port scanning, perimeter vulnerability scanning, and intrusion detection prevent or detect any malicious access
Data security
- Encryption at rest protects your data on our servers
- Encryption in transit with SSL/TLS protects your data transmitted between you and Microsoft
- Threat management, security monitoring, and file/data integrity prevents or detects any tampering of data
Admin and user controls
- Rights Management Services prevents file-level access without the right user credentials
- Multi-factor authentication protects access to the service with a second factor such as phone
- S/MIME provides secure certificate-based email access
- Office 365 Message Encryption allows you to send encrypted email to anyone
- Data loss prevention prevents sensitive data from leaking either inside or outside the organization
- Data loss prevention can be combined with Rights Management and Office 365 Message Encryption to give greater controls to your admins to apply appropriate policies to protect sensitive data
Privacy by design:
When you entrust your data to Office 365 you remain the sole owner of the data: you retain the rights, title, and interest in the data you store in Office 365. It's our policy to not mine your data for advertising purposes or use your data except for purposes consistent with providing you cloud productivity services.
Data ownership and what it means
- You are the owner of the data; Microsoft is the custodian or the processor of your data
- It's your data, so if you ever choose to leave the service, you can take your data with you
- We do not mine your data for advertising purposes
Our role as data processor
- We only use your data for purposes consistent with providing you services you pay us for
- We regularly disclose the number of law enforcement requests we receive through our transparency reports
- If a government approaches us for access to customer data, we redirect the inquiry to you, the customer, whenever possible and have and will challenge in court any invalid legal demand that prohibits disclosure of a government request for customer data
Privacy controls
- Privacy controls allow you to configure who in your organization has access and what they can access
- Design elements prevent mingling of your data with that of other organizations using Office 365
- Extensive auditing and supervision prevent admins to get unauthorised access to your data
Continuous compliance:
Office 365 is a global service and continuous compliance refers to our commitment to evolve the Office 365 controls and stay up to date with standards and regulations that apply to your industry and geography. Because regulations often share the same or similar controls, this makes it easier for Microsoft to meet the requirements of new regulations or those specific to your organization and industry.
In addition, Office 365 provides admin and user controls, including eDiscovery, legal hold, and data loss prevention, to help you meet internal compliance requirements. These require no additional on-premises infrastructure to use.
Independent verification
- Our service is verified to meet requirements specified in ISO 27001, EU model clauses, HIPAA BAA, and FISMA
- Our data processing agreement details privacy, security, and handling of customer data, which helps you comply with local regulations
Proactive approach to regulatory compliance
- We have built over 900 controls in the Office 365 compliance framework that enable us to stay up to date with the ever evolving industry standards
- A specialist compliance team is continuously tracking standards and regulations, developing common control sets for our product team to build into the service
Customer controls for organizational compliance
- Legal hold and eDiscovery built into the service helps you find, preserve, analyze, and package electronic content (often referred to as electronically stored information or ESI) for a legal request or investigation
- Data loss prevention in Office 365 helps you identify, monitor, and protect sensitive information in your organization through deep content analysis
Transparent operations:
Moving to a cloud service shouldn't mean losing access to knowing what's going on. With Office 365, it doesn't. We aim to be transparent in our operations so you can monitor the state of your service, track issues, and have historical view of availability.
Data location and access
- We maintain multiple copies of your data, across data centers, for redundancy and will share with you where your data is located
- We tell you who has access to your data and under what circumstances
Support with a human face
- You have on-call 24/7 phone support for critical issues
- We have DevOps processes which means 24/7 escalation to the actual development team to resolve issues that cannot be resolved by operations alone
We're accountable to you
- We conduct a thorough review of all service incidents, regardless of magnitude of impact and we share the analysis if your organization is affected
- We commit to delivering at least 99.9% up-time with a financially-backed guarantee.
- We publish uptime for the Office 365 suite every quarter. Our most recent and historical uptimes are below.
Recent worldwide uptimes:
2012 | 2013 | 2014 | ||||
99.97% | 99.94% | 99.97% | 99.96% | 99.98% | 99.99% | 99.95% |
Q4 | Q1 | Q2 | Q3 | Q4 | Q1 | Q2 |