My journey into work last week consisted of me having a debate with a few friends about storing data on-premise vs storing data in the cloud, in particular Office 365.
I was able to discuss some key points and advantages of using Office 365, so I thought it would be a good idea to give a brief overview of some of the advantages of using Office 365 on my blog and, more importantly, outline what measures Microsoft take to ensure that ‘our’ data is safe in the cloud.
Firstly, it's important to understand that Microsoft offers various levels of security to its users within Office 365.
No one has specific access to data: no third party, literally no one.
Each data centre (where data is stored) has strict control over who can actually enter the data centre and what they can do; this is governed by what Microsoft called ‘Lock Box’. Essentially, if an engineer does have to go into the data centre, there is a strict access control as to what the engineer can do – at no point will that engineer have access to the data; it's mainly just troubleshooting tasks.
Below is a brief overview of the security offered at each layer.
Network Layer – Firstly, all data on Office 365 is encrypted in transit using TLS/SSL, which ensures that data is confidential (previous blog post on SSL). If a user did ‘intercept’ communication, the results would be scrambled and would be of no use to them.
Physical Layer – On premise, an IT admin or IT staff know exactly where the disk that contains the data is; they know exactly which computer it is on and exactly how to get to it. This is generally how an on-premise environment is run, in that someone knows exactly where the data is. A malicious user, once on the server, has the ability to do whatever they want, i.e. run code, delete data, copy data, remove the drive etc.
In the cloud world, the only folks who can get into the data centre are the engineers, e.g. during maintenance – but there are strict access controls in place to ensure data is not accessed; it's mainly just troubleshooting tasks.
Finding out whose server is whose, which partition data lives on, or where it lives within the data centre is like finding a needle in a haystack. The size of the data centre and the number of servers would mean a malicious person would never know which disk drive belongs to a particular person.
But in a worst case scenario, supposing an engineer pulls a drive out? Microsoft have invested in BitLocker, which basically means that the drive that is pulled out will be wiped.
Furthermore, Microsoft have a Blue team and a Red team.
The Red team are constantly trying to ‘hack’ into Microsoft data centres whilst at the same time the Blue team are consistently trying to prevent those attacks.
Logical Layer – No code that is not known to Microsoft is allowed to be executed on any of the servers, i.e. random code from outside the environment can't be run on the servers. Only known processes are whitelisted to run on servers. This would make it virtually impossible for a malicious user to run malicious code on a server (that’s if they ever got on).
User Layer – The Office 365 admin portal offers much more in terms of security.
> Multi Factor Authentication – Multi Factor Authentication is a two-way sign-in process, making it harder for a malicious user to get into your account. When a user signs into their Office 365 account with their username and password, an additional layer of security must be acknowledged via a phone call or text before that user can sign in. This feature is also available on most Hotmail / Outlook accounts.
> Data loss prevention – DLP essentially scans emails for sensitive information, such as “Credit Card Number”. Warnings can be given to the sender, alerting them and giving them control of whether they would like to send the email or not. If the sender agrees to send the email, then it can be encrypted using TLS encryption or we could apply rights management.
> Rights management – Rights Management is a list / library setting (within SharePoint) that allows site owners to protect attachments stored against list items and / or supported file types.
For example, if a document is downloaded, the file is encrypted so only authorised people can view it; furthermore, the file can have restrictions imposed on it, making it impossible for users to print, copy, save a local copy etc.
There is a fantastic white paper, available here to download, which details the above along with additional security measures Microsoft have taken to ensure data is safe in the cloud.