

Take Office 365 data security from the cloud into your own hands

The productivity suite may be cloud-based, but Office 365 data protection takes place on premises and in your hands. Ensure you're taking appropriate measures to secure your information.

To the cloud! It's the mantra of IT and security professionals looking to get the most out of their resources. However, just because there are quantifiable savings in time, money and effort doesn't mean you can enter the fray without understanding how Office 365 data security and privacy are affected.

Looking at Office 365 data security and privacy, there are four things you must consider to ensure you're doing what's right to protect information.

Data security: encryption

Does the IT organization need to encrypt sensitive intellectual property or customer data before it's saved, stored or transmitted through Office 365 to meet existing enterprise requirements? For example, does personally identifiable data exist that, if encrypted, does not fall under the reporting requirements for the Health Insurance Portability and Accountability Act (HIPAA) or state breach-notification laws? You may also be contractually bound to encrypt data before it's sent to the cloud. Data is supposedly encrypted in Office 365, but there's no true way to know for sure. Double encryption -- using your own tools as basic as .zip file encryption or data loss prevention (DLP) -- may be the only way to ensure that such data is truly protected.

Backup in the cloud

How are data and backups retained in the cloud? Change the defaults to meet your own data retention requirements under the specific regulations that may apply -- e.g., HIPAA or Sarbanes-Oxley. For example, Microsoft changed the default email retention policy for Exchange Online. Does this mesh with your existing standards and policies?

Microsoft has been accused of being in bed with the NSA since the Edward Snowden revelations in 2013. Remember that you have to look out for the best interests of your business, your customers and even yourself. Just because Office 365 is good for IT doesn't mean it's good for the business.

Data privacy regulations

How are your international contracts and regulations affected in terms of business partner or customer data? Does the recent ruling on the EU Safe Harbor agreement come into play based on how you're storing and processing European customer data?

Office 2016 controls

Office 2016 working in conjunction with Office 365 has new controls for DLP, multifactor authentication and mobile device management. Will these controls suffice? Will they work in conjunction with your existing security and privacy needs? Perhaps they can be ignored altogether. Only you know your specific requirements and whether Office 365 data security controls will help or hinder your cause.

Managing Office 365 data security

Here's the good news: This is not a technical challenge. Determining the best ways to manage Office 365 data security and privacy is a clear business challenge. Your legal counsel, CFO, compliance officer, or even someone at the CEO or board level should get involved -- it's not just an IT or security problem.

Often, competing interests within businesses create more problems. For example, corporate attorneys draft contracts and work with executives to approve terms for business deals contrary to what IT -- or in this case, Microsoft -- is doing.

By adopting Office 365 in the enterprise -- thus accepting the terms of use -- you may give away certain rights or agree to unique responsibilities related to data usage and ownership that are contrary to your own contracts, security policies, privacy policies and business culture.

Terms of use, privacy and security policies aside, you'll never really know what's going on in the cloud. You can hope for the best, but you also need to perform due diligence to minimize unforeseen risks. Don't let other people make Office 365 data security and privacy decisions for you. Whether your users take IT into their own hands via shadow IT, or vendors such as Microsoft dictate how things are done in terms of information snooping and sharing, you are ultimately the one in charge of Office 365 data security.
