Security and Compliance in Office 365
Having an effective cloud security conversation with your customers is critical to winning an Office 365 engagement. Partners with customers in highly regulated industries, such as financial services and healthcare, must have this conversation, but it is equally important for you to talk about this topic with customers that are new to the cloud and need additional assurances before they trust Microsoft with their IP. In this series of posts, I’ll provide you with the information and resources you need to present the Office 365 security and compliance story to your customers with confidence.
Understanding the full scope of security and compliance in Office 365 can be overwhelming. I recommend addressing it with customers in two parts: first, explaining why customers should trust the service and its built-in capabilities; second, providing details about the protection controls and tools available to keep customer data safe.
Office 365 Trust Center
Have you had to answer questions from Security Compliance Officers or IT leaders such as "Who has access to my data?" or "Is my data encrypted at rest?" or “How does Office 365 meet my specific compliance needs?” Answers to these and similar questions are available in the Office 365 Trust Center.
In the Trust Center, Microsoft provides open and transparent information about how we run Office 365 and our commitment to our customers’ data privacy, security, and compliance requirements. The recently updated site is organized to help you structure your conversations around the pillars of built-in security, privacy by design, continuous compliance, and transparent operations.
Resources listed on the site can also help you respond to security portions of Office 365 proposal requests. Here are resources I use frequently in discussions about Office 365 security:
- Top 10 lists – questions to ask a cloud solution provider, security and privacy features, and compliance standards
- Office 365 mapping of CSA Security, Compliance and Privacy Cloud Control Matrix requirements – download this whitepaper for a detailed look at how Office 365 maps to the security, privacy, compliance, and risk management requirements as defined in the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM).
For more about the trust center pillars, watch this video:
Customer controls and tools
Once you're comfortable articulating the built-in capabilities of Office 365 security, compliance, privacy, and transparency, you should familiarize yourself with the controls and tools that enable you to customize the Office 365 environment according to your customer’s needs.
Customer controls including data loss prevention (DLP), archiving, auditing and reporting, and eDiscovery will be covered in upcoming posts in this series.
Keeping current on Office 365
Announcements made about this topic at TechEd Europe are outlined here: Office 365—Our latest innovations in security and compliance, and other updates are listed on the Office 365 for business roadmap. I'm particularly excited about the Office 365 Compliance Center that’s in development, which brings together management and enforcement of auditing, archiving, encryption, preservation, deletion, discovery, and DLP policies in a central location, so you don’t have to configure them separately. You can define central policies that apply across your data in Office 365, such as preserve policies that keep content in SharePoint and Exchange indefinitely or for a set time period.
Other enhancements in development that you can read about in the Office 365 for business roadmap include eDiscovery Center enhancements in scale and scope, RMS support for OneDrive for Business document libraries, and MDM for Office 365. Visit the Office 365 for business roadmap regularly to stay informed about updates.
To better understand these capabilities and show them to your customers, use the Microsoft demo environments that are available to Microsoft partners. Both the Microsoft Office Division Demos and the Microsoft Experience Center scripts contain walkthroughs of some of these capabilities including data loss prevention and eDiscovery.
- The MOD Enterprise Hero Demo script has a storyline that highlights a DLP capability called document fingerprinting, which protects sensitive information collected in emailed forms, as well as Office 365 Message Encryption (more on these in my next post).
- The latest MEC Facilitator Guide section, "Manage Messages with Outlook," shows Policy Tips in action, and the "Discover Information" section highlights eDiscovery. The MOD demo has a section on eDiscovery as well, but I find the MEC demo to be more comprehensive.
I hope you found this introduction to security and compliance in Office 365 helpful. I’m looking forward to going deeper into this topic over the next couple of weeks. Subscribe to the US Partner Community blog to see new posts in your email inbox.
Register today for our January 8 Office 365 Partner Community call and series—I'm excited to have Vijay Kumar join us for this discussion.