To the cloud! It's the mantra of IT and security professionals looking to get the most out of their resources.
However, just because there are quantifiable savings in time, money and effort doesn't mean you can enter the fray without understanding how Office 365 data security and privacy are affected.
Looking at Office 365 data security and privacy, there are four things you must consider to ensure you're doing what's right to protect information.
Data security: encryption
Does the IT organization need to encrypt sensitive intellectual property or customer data before it's saved, stored or transmitted through Office 365 to meet existing enterprise requirements? For example, does personally identifiable data exist that, if encrypted, does not fall under the reporting requirements for the Health Insurance Portability and Accountability Act (HIPAA) or state breach-notification laws? You may also be contractually bound to encrypt data before it's sent to the cloud. Data is supposedly encrypted in Office 365, but there's no true way to know for sure. Double encryption -- using your own tools as basic as .zip file encryption or data loss prevention (DLP) -- may be the only way to ensure that such data is truly protected.
Backup in the cloud
How are data and backups retained in the cloud? Change the defaults to meet your own data retention requirements, which are unique to the specific regulations that may apply to you, such as HIPAA or Sarbanes-Oxley. For example, Microsoft changed the default email retention policy for Exchange Online. Does this mesh with your existing standards and policies?
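One way to answer the retention question above is to audit the tenant's retention tags against the minimum period your own policy requires, rather than trusting the defaults. This is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has already been run, and that the required period ($RequiredDays) is a placeholder you set from your own regulatory or contractual obligations.

```powershell
# Added example (not from the article): flag Exchange Online retention tags that
# delete mail sooner than the retention period your policy requires.
# Assumes an authenticated Exchange Online session (Connect-ExchangeOnline).
# $RequiredDays is a hypothetical value; derive it from your own obligations.
$RequiredDays = 365 * 7

# Every retention tag defined in the tenant, linked to a policy or not.
$tags = Get-RetentionPolicyTag

$findings = foreach ($tag in $tags) {
    # AgeLimitForRetention is a TimeSpan, or $null when the tag never expires items.
    $days = if ($null -ne $tag.AgeLimitForRetention) { $tag.AgeLimitForRetention.Days } else { $null }

    # MoveToArchive keeps the data; every other action eventually removes it.
    $removesData = $tag.RetentionAction -ne 'MoveToArchive'

    if ($tag.RetentionEnabled -and $removesData -and $null -ne $days -and $days -lt $RequiredDays) {
        [pscustomobject]@{
            Tag          = $tag.Name
            TagType      = $tag.Type            # All, Personal, or a folder type such as DeletedItems
            Action       = $tag.RetentionAction
            AgeLimitDays = $days
            RequiredDays = $RequiredDays
        }
    }
}

if (-not $findings) {
    Write-Output "No enabled retention tag deletes mail before $RequiredDays days."
    return
}

# Report the short-lived tags, then show which policies use them and how many
# mailboxes each policy is assigned to, so the business impact is visible.
$findings | Format-Table -AutoSize

foreach ($f in $findings) {
    # RetentionPolicyTagLinks lists the tag names linked to each policy.
    $policies = Get-RetentionPolicy | Where-Object { $_.RetentionPolicyTagLinks -contains $f.Tag }
    foreach ($p in $policies) {
        $count = (Get-Mailbox -ResultSize Unlimited -Filter "RetentionPolicy -eq '$($p.Name)'").Count
        Write-Output ("Tag '{0}' ({1} days) is used by policy '{2}', assigned to {3} mailbox(es)" -f
            $f.Tag, $f.AgeLimitDays, $p.Name, $count)
    }
}
```

Review the output against the retention policy your compliance officer signed off on before changing any tag; a tag that is too short is fixed with Set-RetentionPolicyTag, but that decision belongs to the business, not to IT alone.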
Microsoft has been accused of being in bed with the NSA since the Edward Snowden revelations in 2013. Remember that you have to look out for the best interests of your business, your customers and even yourself. Just because Office 365 is good for IT doesn't mean it's good for the business.
Data privacy regulations
How are your international contracts and regulations affected in terms of business partner or customer data? Does the recent ruling on the EU Safe Harbor agreement come into play based on how you're storing and processing European customer data?
Office 2016 controls
Office 2016 working in conjunction with Office 365 has new controls for DLP, multifactor authentication and mobile device management. Will these controls suffice? Will they work in conjunction with your existing security and privacy needs? Perhaps they can be ignored altogether. Only you know your specific requirements and whether Office 365 data security controls will help or hinder your cause.
Managing Office 365 data security
Here's the good news: This is not a technical challenge. Determining the best ways to manage Office 365 data security and privacy is a clear business challenge. Your legal counsel, CFO, compliance officer, or even someone at the CEO or board level should get involved -- it's not just an IT or security problem.
Often, competing interests within a business create more problems. For example, corporate attorneys draft contracts and work with executives to approve terms for business deals that conflict with what IT -- or, in this case, Microsoft -- is actually doing.