The most common concern amongst IT and business decision makers regarding cloud collaboration is security. In its most simplistic form, webmail is collaboration in the cloud. Most users use a cloud based email to send pictures and documents to friends, family, or even colleagues. But how secure is sending documents this way?
Consider the inherent risk associated with the follwing scenarios.
1. A document being passed around via email
2. A document uploaded and accessed via cloud
Which document observes greater risk of exposure? Once a document is sent via email, there’s absolutely no control over that document whatsoever. Once that document leaves the corporate network, it can be manipulated to whatever degree the recipient wishes. However, a document uploaded and accessed via cloud can have access rights, roles, and privileges layered on top of it by an Administrator. For example, the document can be uploaded in “Read Only” mode so that no changes can be made to it when a user accesses the document on any device. This added security to cloud collaboration is the advantage of using SharePoint Online and OneDrive within the Office 365 suite.
Privacy and Security by Design
Every disk is encrypted with BitLocker to prevent physical access to your data, termed “Encryption at Rest.” This means that if someone tries to access a file off that disk, they will also need file-level encryption using an Advanced Encryption Standard (AES) key to access the content of the document. Should someone attempt to access the document without knowing the AES key, it would take hundreds of centuries at 100 trillion guesses per second to eventually hack or “guess” the AES key.
Every file in-transit comes encrypted with its own unique key via Secure Socket Layer (SSL) and Transport Layer Security (TLS):
- Secure Socket Layer encrypts sent documents with an “unbreakable” algorithm. The user receiving the document will only be able to view the encrypted content once the SSL protocol verifies they too have the necessary SSL certificates. This process is commonly called “the handshake,” wherein the server and client authenticate each other, thus allowing the client to cooperate with the server in creating various encryption/decryption algorithms.
- Transport Layer Security is nearly identical to SSL, but with a few added layers to make its security more robust. TLS is the successor to SSL, but both utilize “the handshake” in order to verify encryption/decryption credentials.
By utilizing SSL/TSL encryption protocols, SharePoint Online ensures all documents, whether within the corporate network or not, maintains a maximum level of security. At the end of 2014, Microsoft also added Office 365 Message Encryption Viewer for iOS and Android.
Users can also send one-time passcodes that expire after a defined time period when sharing files or folders. Finally, Office 365 guarantees:
- Your data is not used for advertising
- You have extensive privacy controls
- You can take your data with you when you want
Previously only available in Exchange email services, Office 365 now offers extensive Data Loss Prevention (DLP) capabilities in SharePoint and OneDrive for Business. Office 365’s Compliance Center allows for centralized management across various Office 365 applications, making management of multiple application policies much easier for IT Admins. Policy Management is now shared across these applications, so Admins only need to author a policy once.
Within the Data Loss Prevention interface of the Compliance Center, IT Admins can assign levels of security for specific applications. Once the Admin chooses an app (SharePoint, for example), the Admin then defines the Conditions for Personally Identifiable Information (PII) being shared either externally or internally. The Admin then defines the Action to be taken should a document contain sensitive PII (credit card info), such as informing the user of the risk, or revoke their ability to send the document altogether.
The below example shows a user trying to send a restricted document via email. An automatic email is sent to the user from the System Administrator, indicating what policies were violated and what s/he can do to resolve the issue.
Once the issue is resolved, the user can send an encrypted email. As mentioned in the above section, users of non-Microsoft platforms can now view an Office 365 email with one-time passcodes for Office 365 Message Encryption (OME). These passcodes can be used within a 12-hour window across multiple OME messages. The below image shows a user receiving an encrypted email:
Microsoft also goes a few steps further and allows complete transparency to their operations as long as they do not interfere with the security or privacy of anyone’s data. Some examples of this transparency include:
- Knowing where your data resides and who has access to it
- Visibility into availability and changes to the service
- Financially backed guarantee of 99.9% uptime
Microsoft has gone to great lengths to ensure your data is secure. With Office 365 now being a Billion dollar a year business, there is no question they are investing in security and uptime for your data. With the latest public release of up time at 99.98%, Microsoft is as good – if not better – than many other providers and often times have higher uptimes than your traditional on premises deployment.