Are you considering a subscription to the Microsoft Office 365 suite of office applications for your small-to-medium business? If so, here are some security considerations that might help relieve concerns in this area.
Data privacy: Microsoft makes it clear that it is the custodian and processor of customer data, not the owner. Data is not locked into the service. Should you wish to cancel service, you can take your data with you. Microsoft also states it doesn’t access or analyze customer data for advertising purposes.
Data integrity: In addition to being housed in fortified data centers with fault-tolerant measures, customer data is replicated to at least one other data center in a different geographic region to help account for natural disasters. U.S. customers can rest assured that their data stays on U.S. soil.
Encryption: All customer-facing servers use Secure Sockets Layer/Transport Layer Security to communicate with client machines in order to protect data in transit. Servers use BitLocker with 128- or 256-bit Advanced Encryption Standard to protect data at rest.
Least privilege access: Operations are automated to minimize human intervention and potential access to data. Administrative access to servers is controlled using a "lock box" process that only grants elevated rights for a limited period. This is quite a contrast to most environments where administrator accounts have full access rights to most company data.
Continuous compliance: Office 365 controls stay current with a long list of information technology standards and regulations, and have passed numerous third-party audits.
They meet International Organization for Standardization 27001 standards, have a Federal Information Security Management Act Authority to Operate, meet the Cloud Security Alliance Cloud Control Matrix and have verified Statements on Standards for Attestation Engagements 16 Service Operations Control 1 Type II audits.
A Health Insurance Portability and Accountability Act Business Associate Agreement is also available to all customers.
There are some security elements you can’t verify, and that’s where being able to trust your service provider comes in.
In my opinion, overall Office 365’s security and compliance controls are solid and well thought out. Keep in mind that security is an ongoing process and solutions must continue to evolve.
For an optimal experience, it’s always a good idea to partner with a knowledgeable and experienced service provider to assist with integrating Office 365 into your environment.
Vincent Hoang is an enterprise architect at Hawaiian Telcom, a Certified Information Systems Security Professional (CISSP), GIAC Systems and Network Auditor (GSNA) and Cisco Certified Network Professional (CCNP). Reach him at vincent.hoang@hawaiiantel.com.