As Microsoft Office has grown in scope over the years, more organizations are moving more data across the platform. Organizations considering Office 365 are concerned about this data being hosted in the cloud, especially as security threats such as ransomware increase.
Managed Service Providers need to be able to provide rock-solid assurance to clients that their data will be safe. Here’s what they need to communicate to their clients in order to alleviate concerns.
According to a Cloud Security Alliance report, 73 percent of survey respondents are holding back from moving to the cloud largely because of a cloud skills gap — “a lack of knowledge and experience on the part of IT and business managers.” Many organizations harbor security concerns, too, but part of the problem with cloud security in their eyes relates to that same skills gap. MSPs can add a lot of value for their clients by providing risk assessments and risk mitigation guidance.
The high view
According to a Microsoft white paper, Office 365 security is layered, which is important, as this approach secures more threat vectors than just the digital realm. The three layers are fully operational from the start and require no customization or special activation. Your clients will be interested to know that this layered protection goes well beyond typical Software-as-a-Service offerings.
However, for organizations with highly complex security and compliance requirements, Microsoft has third-party security vendor partners to add even more layers of security. Your valuable knowledge and experience as an MSP can help them decide if they need more layers, and if so, which ones.
Here’s what you need to tell your clients about the three layers of protection already built into Office 365.
The physical layer
Microsoft protects the facility and network to guard against physical intrusions, be they from insider threats or outsiders looking to directly connect with data on the Microsoft end. Physical data center access is closely monitored, and only authorized personnel have access. The protection on this front is multi-layered too. Microsoft uses several systems for data center security, including biometric readers, motion sensors, 24-hour secured access through the use of badges and multi-factor identification, video camera surveillance, human security guards and security breach alarms.
The network level is also heavily guarded. Connections to the network are restricted to those necessary for operation only, meaning unneeded ports and unauthorized connections are blocked. Microsoft employees are not allowed to mine or view customer data for advertising purposes. That means they don’t read customer emails or other data.
There are also numerous security features throughout the network to assist in detecting, preventing and alerting on any intrusion.
You can count on that data being regularly backed up so data is never lost. There is also plenty of redundancy to ensure data rolls over in the event of a downed server.
The logical layer
Think of this layer as protecting the interfaces of Microsoft humans with Microsoft machines — the admin end of things. To reduce human intervention and interaction to an absolute minimum, Microsoft has automated most of its operations. Further, human access is strictly restricted through privileges set to the minimum necessary to perform any given job function.
Less human touch means less human opportunity for errors, mishaps and misdeeds.
Anti-malware software is also used to detect and thwart any threat introduced to the systems. If anything is detected, it is quickly quarantined. Updates and patches are also applied quickly and regularly to ensure operations remain secure at all times from known threats.
The data layer
Data is encrypted at rest and in transit via Office 365 features that adhere to cryptography standards such as SSL/TLS and AES. Microsoft also uses BitLocker and has integrated it with the operating system.
It’s true that data from multiple tenants is stored or moves within or across shared hardware — that is, servers. That’s how public cloud computing works and why there is so much efficiency in the cloud model. But Microsoft goes beyond most SaaS vendors in isolating and guarding tenant data so it never intermingles.
Microsoft has also deployed machine learning for intelligent protection to track and mitigate vulnerabilities at scale. This technology actually learns about threats so that it becomes increasingly capable of finding and even predicting threats. Its detection and reaction times are far faster than those of humans.
There is another security feature your clients will likely want to know about: Microsoft’s data is hosted in-region. This is of particular importance in the face of new regulations such as the General Data Protection Regulation, or GDPR, in the European Union, which affects almost everyone.
“The territorial reach of the GDPR will, however, extend far beyond the EU. It will affect any business coming into contact with European data, from large Silicon Valley tech companies to private Chinese bloggers,” writes attorney Claus Färber in a JDSupra Business Advisor post.
Besides helping your clients adhere to territorial regulations such as the GDPR, knowing that data resides in their own region is often comforting to companies that may fear regulations, threats of uprisings or other concerns in regions they aren’t comfortable or familiar with.
What MSPs can do
Beyond serving as a valued adviser and educator on the security in Office 365 and other cloud-based products, MSPs can also help clients choose and deploy additional products to meet their specific security needs.
It’s important to note that Office 365’s security features are truly exceptional when compared to many other cloud services. However, data is often shared with other cloud services that are not so exceptional in security performance. Indeed, Microsoft is working on more APIs to aid in data sharing and integration with apps outside its own.
Then there is the data transmitted to and stored in other Microsoft products — such as SharePoint, OneDrive and Exchange — which also must be safe to bring into those environments. So, adding security layers to protect all of those apps and data exchanges, and not just Office 365, is a very good idea.
Microsoft is also as vulnerable to subpoenas as any other company, and encrypted data may be seized and decrypted by authorities without your client ever being aware.
MSPs can help clients protect themselves in all these situations by presenting and helping clients choose and then deploy third-party cloud products that best address these issues and meet each client’s specific needs.
Office 365 should be the corporate standard in terms of security features and other cloud services, but MSPs can and should serve as trusted advisers that ensure that security products and services are added to the mix if and when needed.