Office 365 Security and the Shared Responsibility Model
This is the second article in our Microsoft 365 series. Here is the first post if you haven’t read it already: What is Microsoft 365? Office 365? How does Microsoft manage Your Data? If you did read it, you already know what Office 365 is and the different variations on offer. You also know that Microsoft’s data management policy makes you responsible for your own data. But what does that really mean? In this article we address Microsoft 365 and its shared responsibility model, and look at the security side of Office 365. Not that long ago Microsoft announced that the Office 365 name was being retired and rebranded the old packages as Microsoft 365 equivalents. We’ll stick with the old name in this article as it is a little less confusing (and because we ran a webinar under the Office 365 name, which most people are still more familiar with).
Office 365 Security
As mentioned in our previous article, Office 365 is a secure addition to any business. Just how secure is it, though? Physically, Microsoft’s data centres are heavily protected: the likelihood of an unauthorised person gaining access is next to none, and multiple controls are in place to stop employees getting up to any foul play. On the logical side, Microsoft is very hard to breach. A dedicated team constantly reviews and improves its security processes, and to check that team’s effectiveness Microsoft uses both internal and external auditors, who test that Microsoft keeps up with the latest techniques used by attackers. The result is that the platform itself is very well secured. As evidence, Office 365 is certified against ISO/IEC 27001 (using the ISO/IEC 27002 control set) and is audited for SOC 1 and SOC 2. Note what these attestations cover: Microsoft’s operation of the service, not how you configure your tenant or look after your own data.
Office 365 Reliability
Microsoft’s investment in security and engineering also makes the service very reliable. It rarely suffers errors or intrusions that lead to downtime: the financially backed service level agreement promises 99.9% uptime, and Microsoft’s published figures have consistently met or exceeded that over the last few years. Microsoft has said it is now aiming for 99.99%, which for a service of that size is a gruelling target. When things do go wrong, Microsoft has multiple failover strategies to fall back on, which is how it achieves such high uptime figures. Whenever something does go wrong, Microsoft also conducts extensive post-incident reviews, so the chance of the same problem happening twice is low, though not zero.
The Shared Responsibility Model
So, we know Microsoft’s Azure cloud offers best-in-class security for Office 365, and that the chance of errors on Microsoft’s side is minimal. What is there to share the responsibility for? We will get to that next, but first it is worth pointing out that the shared responsibility model is not unique to Microsoft. It is the standard model for any SaaS offering. Let’s dive into this a bit deeper. The shared responsibility model means that some aspects of the service are solely the responsibility of the end user, some are solely Microsoft’s, and some are split. For Office 365 the split is as follows:

Customer (you): the information and data you store in the service; the devices (PCs and mobiles) used to access it; accounts and identities, meaning user credentials and access rights.
Shared: identity and directory infrastructure.
Microsoft: applications, network controls, operating systems, physical hosts, physical network, physical data centres.
So, what does all this actually mean? Microsoft’s responsibility is to provide you with the tools and to make sure those tools run correctly and securely. It is not Microsoft’s responsibility to look after the content you create with them. Every file, folder, user account and user setting is the responsibility of the end user. If all your emails are deleted by accident, it is not up to Microsoft to make sure they can be recovered once the built-in retention window has passed. Have a disgruntled employee, or one with something to hide, who has deleted loads of data? Again, that is not Microsoft’s responsibility. All your intellectual property is therefore your responsibility, and, to be frank, Microsoft has no stake in it: Microsoft cannot use your data, so it has no reason to preserve it beyond the windows it documents. You cannot afford to get complacent.
Never assume that data cannot be lost just because it is in the cloud. This has become more important since the switch to working from home, which has widened the attack surface: weaker home router and firewall settings, and fewer face-to-face conversations that would otherwise catch a phishing email. Now more than ever, end-user companies are targeted directly for their data rather than attackers trying to reach it through Microsoft. That said, it is not all doom. Microsoft will not be responsible for data that is lost or accidentally deleted, but it does give you a window in which to retrieve it. For mailbox items in Exchange Online, deleted items stay recoverable for the mailbox’s deleted-item retention period, which defaults to 14 days and can be raised to a maximum of 30 days (about one month). For files deleted from SharePoint Online or OneDrive, the recycle bins hold them for 93 days (about three months) before they are purged. So whilst it is your responsibility to notice and act fast, Microsoft gives the end user some leeway, taking some of the pressure off their responsibility to secure their own data. On top of Microsoft’s own retention windows, we strongly recommend having at least one backup and recovery option that is independent of Microsoft, preferably more than one. And so does Microsoft in its Services Agreement:
“We strive to keep the Services up and running; however, they are not offered with a guaranteed level of quality of service and all online services suffer occasional disruptions and outages. In the event of an outage or disruption to the Service, you may temporarily not be able to retrieve Your Content. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.” (Section 6, Service Availability)
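The Exchange Online retention window described above is a tenant setting you can check and raise yourself. The following PowerShell is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange administrator role. The role name, the 30-day maximum and the cmdlet parameters are Microsoft’s; the variable names are ours.

```powershell
# Added example, not from the original article: audit the Exchange Online deleted-item
# retention window and raise it to the 30-day maximum, switching on Single Item Recovery
# so that items a user purges from Recoverable Items stay recoverable until the window ends.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator sign-in.
Connect-ExchangeOnline

$maxDays = 30   # the largest value Exchange Online accepts for RetainDeletedItemsFor

# Find user mailboxes that keep deleted items for less than the maximum, or that lack
# Single Item Recovery.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$weak = @($mailboxes | Where-Object {
    $_.RetainDeletedItemsFor.Days -lt $maxDays -or -not $_.SingleItemRecoveryEnabled
})

Write-Output "Mailboxes below the $maxDays-day window or without Single Item Recovery: $($weak.Count)"
$weak | Select-Object DisplayName, RetainDeletedItemsFor, SingleItemRecoveryEnabled | Format-Table -AutoSize

# Raise each weak mailbox to the maximum window and switch Single Item Recovery on.
foreach ($mbx in $weak) {
    Set-Mailbox -Identity $mbx.Identity -RetainDeletedItemsFor $maxDays -SingleItemRecoveryEnabled $true
}

# New mailboxes inherit their window from the mailbox plan, so raise that as well.
Get-MailboxPlan | ForEach-Object {
    Set-MailboxPlan -Identity $_.Identity -RetainDeletedItemsFor $maxDays
}

# Re-check: the remaining count should be 0.
$stillWeak = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RetainDeletedItemsFor.Days -lt $maxDays -or -not $_.SingleItemRecoveryEnabled })
Write-Output "Remaining mailboxes below the window: $($stillWeak.Count)"

Disconnect-ExchangeOnline -Confirm:$false
```

There is no equivalent knob for SharePoint Online and OneDrive: the 93-day recycle bin period is fixed. Lengthening the Exchange window buys you time to notice a deletion; it is not a backup, because an attacker or administrator with enough rights can still purge Recoverable Items, and the window ends regardless.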
So, Microsoft and Office 365 come with strong platform security. Microsoft rarely suffers security problems because of its commitment to staying at the front on security, with rigorous processes to monitor and fix its own weaknesses. That means that from Microsoft’s side you have little to worry about in terms of the safety of the platform your content lives on. However, you carry the brunt of the responsibility for the content itself. Microsoft’s guarantees cover availability of the service, not your data, so you must be just as thorough in your own approach. Have practices in place that treat your data as the sensitive information it is. Do not rely on Microsoft’s cloud as your only recovery option. Be as careful as possible that data cannot be deleted, by accident or by foul play, and when it is deleted make sure you have backup options beyond Microsoft. Deleted data is only recoverable from Microsoft for a limited time, and any deletion that only comes to light after that window has closed will need to be recovered by other means.
Our advice is to have more than one backup and recovery option, ideally from a provider independent of Microsoft, and to limit who holds admin roles that can permanently delete the most sensitive data: Azure Active Directory’s role-based access control lets you give people narrower roles instead of Global Administrator. If you want to know more about Microsoft Azure, don’t hesitate to get in touch! And if you have no idea who else can offer backup and recovery, we’ve got you covered. At IQ IN IT, the cloud is our bread and butter. We can review your current implementation alongside the size of your business and your recovery needs, and find the right cloud-based solution for you.
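Before limiting admin rights you need to know who holds them today. The script below is an added example, not code from the original article or from Microsoft; it lists the members of the directory roles that can delete mail, sites and files tenant-wide, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account can read directory roles. The role names and cmdlets are Microsoft’s; the list of roles to review and the threshold of five Global Administrators (Microsoft’s own guidance is to keep fewer than five) are our choices.

```powershell
# Added example, not from the original article: enumerate who holds the directory roles
# that can remove or purge tenant data. Assumes the Microsoft.Graph module and a sign-in
# that can read directory roles.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Roles whose members can delete or purge mail, sites and files across the tenant.
# (Our selection for this example; extend it to suit your tenant.)
$rolesToReview = @("Global Administrator", "Exchange Administrator", "SharePoint Administrator")
$globalAdminLimit = 5   # Microsoft's guidance: fewer than five Global Administrators

foreach ($roleName in $rolesToReview) {
    # A directory role only appears once it has been activated; an absent role has no members.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) {
        Write-Output "$roleName : not activated in this tenant (no members)"
        continue
    }

    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    Write-Output "$roleName : $($members.Count) member(s)"

    foreach ($m in $members) {
        # Members can be users, groups or service principals; show whichever name is present.
        $label = $m.AdditionalProperties["userPrincipalName"]
        if (-not $label) { $label = $m.AdditionalProperties["displayName"] }
        Write-Output "  - $label ($($m.AdditionalProperties['@odata.type']))"
    }

    if ($roleName -eq "Global Administrator" -and $members.Count -ge $globalAdminLimit) {
        Write-Warning "$($members.Count) Global Administrators: move day-to-day admins to narrower roles."
    }
}

Disconnect-MgGraph
```

Run this periodically, not once: role membership drifts as staff join and leave, and every account on the list is one whose compromise or misuse could empty a mailbox or a SharePoint site faster than the retention windows above can help you.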
We hope by now you know all you need to about Office 365’s shared responsibility model, as well as what Office 365 is and its different variations from our earlier article. You may now have more questions about Office 365, like: how do I go about using the recovery options we have touched on here? What will the actual impact of such a tool be on my business? We will cover this and more in the next and final entry in this series, so keep your eyes peeled.
About the Author
Juri Weidenkeller is the Head of Business Development at IQ in IT. His IT career began at a cyber security vendor. He worked with 400 different IT support companies and managed service providers across the UK and Germany before joining IQ in IT in 2021. His interests are operational excellence, making the most out of technology, security and good customer relationships.
If you want to learn more on that topic, ask Juri a question (about his name for example) or if you have any other questions, don’t hesitate to get in touch. There is a “Schedule Online” button in the top right corner of this page that leads you to our calendars. Or ping us a message through the comments.