As more and more organizations contemplate a move to the cloud, security is often the area that causes the most anxiety. This is true for small and medium businesses through enterprise-level companies in every sector. As business professionals, we all need our data kept secure and at our fingertips at all times. Microsoft has taken extra measures to make sure that security and reliability are covered in everything they do. This article highlights the industry standards that Microsoft Cloud meets and how they fit any industry, including those with specialized data requirements such as financial, medical or educational institutions. Microsoft bases its Office 365 security on four guiding principles – Customer Privacy, Transparent Leadership, Independent Verification, and Top-Quality Security Practices.
Customer Privacy: Microsoft does not use data from Office 365 to build advertising products. They will not scan data or email for data mining purposes. Your Office 365 data is not co-mingled with consumer services. And, you retain full ownership of your data. You may remove or copy it outside Office 365 at any time.
Transparent Leadership: Microsoft maintains data centers throughout the world. They openly provide you with information on the location of your data, as well as the formula used to determine data location. Any changes in data location are communicated to customers in a timely fashion. Microsoft maintains strict policies on data access, which it also makes available to customers.
Independent Verification: Independent agencies and auditors verify compliance with industry standards. Microsoft has the following certifications/accreditations:
SAS 70 /SSAE 16 – Statement on Auditing Standards No.70/Statement on Standards for Attestation Engagements No.16
ISO 27001 – certification on Information Security Management Systems (ISMS), based on the ISO 27002 Information Security Standards.
EU Safe Harbor – certification that ensures personal data transferred from the EU to non-member states complies with the appropriate data protection safeguards and practices.
HIPAA – The Health Insurance Portability and Accountability Act governs the use, disclosure and safeguarding of protected health information. Microsoft is one of the first companies to offer a HIPAA business associate agreement (“BAA”) for cloud-based services. A BAA ensures mutual responsibility for protecting the privacy of health data between Microsoft and Office 365 customers in the health care industry such as hospitals and medical schools.
Top-Quality Security Practices: Microsoft’s data centers are built to the highest levels of physical security. Physical access is granted on an individual basis according to job function, and personnel are given only the minimum access required. Physical access is controlled through multiple security layers and devices, including badges, smartcards, biometric scanners, on-premises security guards, video surveillance, and multi-factor authentication. In addition, system redundancy, climate control, and continuous monitoring are built into each data center.
Regulatory Compliance in Education: The Office 365 Security and Privacy principles outlined above are especially critical in education. To ensure student security and privacy, schools, colleges and universities face regulatory requirements unique to education:
FERPA – the Family Educational Rights and Privacy Act protects the privacy of student educational records and applies to schools that receive funds from the U.S. Department of Education. Office 365 includes specific controls and capabilities to help schools comply with the privacy requirements of FERPA and HIPAA.
COPPA - the Children's Online Privacy Protection Act regulates the collection of personally identifiable information about children under the age of 13 by websites or services accessed through the school’s Internet connection. Office 365 mailbox policies, which exclude student data from the global address book, and the ability to restrict email to the school’s domain are examples of Office 365 features that support COPPA compliance.
CIPA - the Children’s Internet Protection Act requires that schools which receive E-rate funding related to internet access restrict access to offensive or harmful content from school computers. Advanced anti-virus and anti-malware plus email filtering based on objectionable words provide schools with some of the tools needed to protect the students in their care.
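The two COPPA-related controls mentioned above (hiding student mailboxes from the global address list and confining student email to the school's own domain) can be applied with Exchange Online PowerShell. The script below is an added example written for this article, not code from Microsoft or from the original text. It assumes the tenant uses Exchange Online, that an administrator has already run Connect-ExchangeOnline, and that all student accounts are members of a distribution group whose address is the placeholder students@school.example.

```powershell
# Added example (not from the original article). Assumptions: Exchange Online,
# an existing session opened with Connect-ExchangeOnline, and a placeholder
# student group "students@school.example" that contains every student mailbox.
$StudentGroup = "students@school.example"

# 1. Hide every student mailbox from the global address list (GAL).
Get-DistributionGroupMember -Identity $StudentGroup -ResultSize Unlimited |
    ForEach-Object {
        Set-Mailbox -Identity $_.PrimarySmtpAddress -HiddenFromAddressListsEnabled $true
    }

# 2. Block mail from students to recipients outside the organization.
New-TransportRule -Name "Students - outbound internal only" `
    -FromMemberOf $StudentGroup `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Student accounts may only send mail within the school domain." `
    -Mode Enforce

# 3. Block mail from outside the organization to students.
New-TransportRule -Name "Students - inbound internal only" `
    -SentToMemberOf $StudentGroup `
    -FromScope NotInOrganization `
    -RejectMessageReasonText "External senders cannot deliver mail to student accounts." `
    -Mode Enforce

# Check: any student mailbox still visible in the GAL is listed here
# (an empty result means step 1 covered every member of the group).
Get-DistributionGroupMember -Identity $StudentGroup -ResultSize Unlimited |
    Get-Mailbox |
    Where-Object { -not $_.HiddenFromAddressListsEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress

# Check: confirm both transport rules exist and are enforced.
Get-TransportRule -Identity "Students - *" | Select-Object Name, State, Mode
```

The transport rules operate on group membership, so newly created student accounts are covered as soon as they are added to the group, while the GAL setting is per mailbox and the first step must be re-run (or built into the account provisioning process) for new students. Run the final two checks after any bulk account change to confirm the controls still hold.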
For more information, see the Microsoft Trust Center or the Office 365 Security FAQ.