45 Ways the Microsoft Cloud and Data Centers are Secure

Encore’s Total Productivity™ package includes a lot of cloud software, including the option to host your ERP and its data in the cloud.

To offer these cloud services, we use Microsoft Azure.  Also, Office 365 is hosted in the cloud. As a Canadian Cloud Solution Provider, we get a lot of questions regarding data security in Microsoft data centers, and we are always eager to let our customers know why we trust Microsoft.

More interested in Privacy? See 11 Things You Should Know About Privacy in The Microsoft Cloud

Here is the inside track on data security in the Microsoft Cloud.

  1. Microsoft offers services that work the way your employees do. But how is that secure? This is best illustrated by the following question – how sure are you that no one in your company is using Drop Box? By offering solutions that directly compete with, and often outperform, unapproved cloud services such as Drop Box – Microsoft allows you to let your employees get to work with the kinds of tools they want to use.  These Microsoft tools are, of course, restricted by the security policies you set.
  2. Microsoft has an economy of scale. What this means is that they can afford to be at the cutting edge of security, all the time. They also draw from a large, 15-year-old institutional memory of providing security for online data.  We find that many of our clients’ IT teams are not able to stay right on top of security issues tothe same level as Microsoft.
  3. Microsoft’s cloud software (i.e. O365) is always up-to-date. This benefits you as a business user, but it also means that the latest security patches are always deployed in a timely manner.
  4. New mobile device management (MDM) capabilities enable you secured access to corporate data in Office 365 services from a diverse range of smartphones and tablets, including iOS, Android, and Windows Phone devices.
  5. Microsoft notifies you, if requested, about changes in their service operations. As an administrator, you will receive service notifications and compliance notifications regarding datacenter location changes, in addition to security, privacy, and audit information.
  6. Every one of Microsoft’s services offer individualized security controls that you control. You’re in control of compliance, rights, anti-malware and anti-spam, and encryption levels.
  7. Applocker limits the processes that can be run on your data. You control Applocker.
  8. You control Rights Management, which is a unique technology that provides best-in-class data protection at the file level. With RMS you can not only encrypt data but also apply policies on the data to limit or allow the actions by the recipient of the data. This piece is deployable on-premise or in Azure; your choice.
  9. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and digital signing of MIME data. An email that is encrypted using S/MIME can be decrypted only by the email recipient’s private key.
  10. You may setup an SMTP email connection to your trusted partners that is secured using Transport Layer Security negotiation. The connector can be set to send emails using either opportunistic or forced TLS. This can prevent data in emails from being stolen in man-in-the-middle attacks when one corporation is sending emails to their business partner.
  11. You may optionally choose to use your own anti-malware service and route to and from Microsoft’s data centers via that third-party service.
  12. Anti-malware software is included for free to prevent, identify, and quarantine computer viruses and worms.
  13. The remediation of quarantined systems is not fully automated.
  14. Malware patches are implemented within the time frame specified by the issuing company.
  15. Malware software changes are both reviewed and evaluated by Microsoft’s review teams and the Change Advisory Board for applicability, risk, and resource assignment prior to being implemented.
  16. Your administrators can use the Administration Center to manage anti-malware/anti-spam controls, including advanced junk mail options and organization-wide safe and blocked sender lists.
  17. Content controls and multi-engine malware scanning also help eliminate documents containing malicious code. Based on file name extensions, Microsoft blocks certain file types that can contain malicious code from being uploaded to or retrieved from the service.
  18. Office 365 uses a totally configurable intelligent instant message filter (IIMF) to help protect the service and your networks against malware and spam via IM.
  19. Office 365 allows integration with an on-premises or cloud-based Active Directory or other directory stores and identity systems such as Active Directory Federation Services (ADFS) or third-party secure token systems (STSs) to enable secure, token-based authentication to services.
  20. Your existing corporate log-ons can be used to authenticate into Microsoft’s services, and additional security features can be implemented, such as ultra-secure logins (including facial recognition, fingerprint scanning, or retina scanning); multi-factor authentication; or client-based access control (i.e. requiring additional authentication when a user is on public Wi-Fi).
  21. Multi factor authentication is set up by you, and can be via any of the following: A mobile phone call, an SMS text message, and Office phone call, or an app notification.
  22. Microsoft’s data centers are built to withstand natural disasters; they have the latest in place such as fire prevention systems and seismically braced racks.
  23. Microsoft’s data centers were constructed from the ground up to be secure institutions, with continuous video surveillance and on-premises security officers. Think less like a construction site, more like a prison.
  24. Microsoft’s data center access is restricted 24/7 at the job level function.
  25. Microsoft data center access is controlled with badges, smart cards, biometric scanners, and two-factor authentication.
  26. Ports and connections into Microsoft’s data centers are blocked by default, and only opened if necessary for operations.
  27. Network traffic through open ports are filtered through the most up to date: Access Control Lists, firewall rules, and IPsec policies on hosts executed by many separate pieces of hardware.
  28. Back-end servers are physically separated from public-facing interfaces.
  29. Deployment and other basic operations are automated. This means that there is less human intervention in technical operations, and therefore a much lower chance of something going wrong.
  30. When it comes to data center technicians and your administrators, there’s appropriate background checks and strict account management so that only those essential to a task may perform that task.
  31. All access to Microsoft data centers is audited and reviewed regularly.
  32. Elevated privileges are requested via a “lockbox” process, which allows just-in-time accounts with high entropy passwords, limited access times, and persistent role-based permissions.
  33. All of Microsoft’s software and services are designed and deployed using Microsoft’s always up-to-date Security Development Lifecycle (SDL)
  34. All customer-facing servers negotiate a secure session using SSL/TLS (Secure Sockets Layer / Transport Layer Security) with client machines so as to secure the data in transit.
  35. Microsoft uses BitLocker as one mechanism to encrypt your data at rest. BitLocker is either deployed with Advanced Encryption Standard (AES) 128bit or AES 256bit encryption on servers that hold all messaging data including emails and IM conversations, content stored in SharePoint Online and OneDrive for Business. BitLocker drive encryption is a data protection feature that is integrated with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers and disks.
  36. Microsoft now uses Per-file encryption. With this, the encryption technology in Office 365 moves beyond a single encryption key per disk to deliver a unique encryption key per file.
  37. Microsoft operates under the principle of “assume breach”, which means that they take actions to safeguard your data as if there is already a breach.
  38. Microsoft has built-in port scanning and remediation, perimeter vulnerability scanning, operating system patches, network level Isolation/breach boundaries, DDoS (Distributed Denial of Service) detection and prevention, just-in-time access, live site penetration testing, and multi-factor authentication for service access to prevent breaches.
  39. Microsoft system and security alerts are harvested and correlated via a massive internal analysis system. The signals analyze alerts that are internal to the system as well as external signals (for example coming from customer incidents).
  40. Based on machine learning, Microsoft quickly incorporates new patterns to trigger alerts, as well as automatically trigger alerts on anomalies in the system.
  41. If there ever is a breach, a diligent incident response process, standard operating procedures in case of an incident, the ability to deny or stop access to sensitive data, and identification tools to promptly identify involved parties help ensure that the mitigation of a breach is successful.
  42. After an unlikely breach, Microsoft has the ability to change the security principals in the environment, automatically update the affected systems, and audit the state of the deployment to identify any anomalies.
  43. Threats don’t just target software vulnerabilities – they also target operational weaknesses. So, Microsoft uses the Operational Security Assurance (OSA) framework which includes continuous monitoring, helps to identify operational risks, provides operational security guidelines, and validates that those guidelines are followed.
  44. Key standards in Microsoft’s security technologies and best practices are independent audits and verifications of adherence to standards embodied in ISO 27001, ISO 27018, SSAE 16 SOC1 Type II, and HIPAA. Learn more.
  45. Microsoft supports compliance with many, many industry standards and regulations like those from CJIS and IRS 1075.

This article was meant for business users, which means that it was a little light on technical jargon. Also, it’s possible that this list is out-of-date from the moment it was published.  If you are interested in more detailed information, or have any other questions, please contact us, or check out the latest info at trust.office365.com.

18 Symptoms You Need the Cloud

If you experience these issues, the diagnosis is clear: time to adopt the cloud!

Get The Diagnosis

18 Symptoms You Need the Cloud

Get The White Paper