In a nutshell, under the Shared Responsibility Model, the platform is responsible for hosting that data within certain parameters like uptime, availability, and speed. Similarly, users are responsible for the security of their own data, including backups. Microsoft recommends in its Services Agreement that users regularly back up their data.
When trying to determine “How secure is Office 365?”, it helps to divide “security” into several aspects: infrastructure; data and access management; regulatory obligations; security of information; and business continuity/disaster recovery planning.
Infrastructure:
As the host of the infrastructure powering Office 365, Microsoft is responsible for:
- Host Infrastructure (DC, Operating System, Virtualization): This includes the securing and management of the virtual hosts, containers, storage, and platform services.
- Network Controls (Virtual networking, load balancing, DNS, and gateways): As the SaaS platform, Microsoft is responsible for the network infrastructure.
- Applications (Platform-managed applications and services): This includes web services, batch, docDb, IoT, analytics, media services, and others. Note: While robust identity management and comprehensive security capabilities are provided by Microsoft, the identity and access configuration of these services lies with you.
There is no difference between an on-premises model and a SaaS model when it comes to the customer’s responsibility for their data security, including backups. Microsoft makes it clear that no matter how you access its services, the responsibility for backing up data falls on the user.
Account and Access Management:
Identity and access management is a shared responsibility between Microsoft and your organization.
- Microsoft: Provides the framework of multifactor authentication (MFA), identity protection, role-based access control, and provisions to integrate with third-party applications using Azure Active Directory.
- User: You have the onus of configuration, management, and monitoring of user identities and access control. Microsoft provides users with tools to manage access to their account, but it’s up to the customer to implement and use those tools correctly.
Regulatory Obligations:
- Microsoft: As the data processor, Microsoft has to process the customer’s data strictly as per the controller’s (your) instructions. Microsoft also needs to inform its customers about breaches of its data centers and implement transparent security policies. Microsoft’s Trust Center details its extensive compliance with US national security laws, GDPR, and other international export control laws and regulations. It also offers considerable guidance to help your organization comply with industry-specific and local regulations.
- User: As the data controller, you carry the complete onus of consent, access, privacy, and protection of data. You need to manage, classify, and configure best practices and solutions to meet your unique legal and compliance requirements. This includes both configuring Microsoft archive and retention policies and ensuring you have reliable data recovery solutions in place.
Security of Information:
- Microsoft: Microsoft shoulders the responsibility for protecting the DC (data center), network, and OS (operating system), with built-in data replication. In the event of a software failure, outage, or natural disaster such as a tornado affecting a data center, DC-to-DC geo-redundancy allows Microsoft to fail over to the replication target. Note that geo-redundancy is not the same as backups and cannot be used to restore lost or corrupted data.
- User: Organizations are responsible for securing the data they place in the cloud. Microsoft cannot protect you from data loss at your end due to accidental or malicious deletion or corruption, malware, ransomware, or sync errors. Network monitoring, firewalls, anti-virus software, and other security checkpoints and processes lie with you.
Business Continuity and Disaster Recovery (BCDR) Planning:
- Microsoft: Only offers time-bound recovery options, with no provision for unlimited point-in-time recovery. If no retention policy is set, you can only recover items from the past ~45 days. Even with Litigation Hold and eDiscovery, recovery is manual and yields outdated data. Microsoft does replicate your data to a second location for geo-redundancy; however, those replicas cannot be used to restore your individual account. Any deletions or corruptions are replicated as well, so Microsoft’s replication cannot be relied upon to recover from data loss.
- User: If the user requires accurate data recovery from any point in time for their BCDR plan, they are responsible for implementing their own backup and recovery solution.
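The retention and recovery points above (configuring retention policies, and the limited time window in which deleted items remain recoverable) can be checked tenant-wide from Exchange Online PowerShell. The script below is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, that the account used has Exchange administrator rights, and the 30-day threshold is an assumed value chosen for illustration.

```powershell
# Added example (not from the article). Audits user mailboxes for the settings that
# determine how long deleted items stay recoverable without a separate backup:
# the deleted-item retention window, litigation hold, and the assigned retention policy.
# Assumes the ExchangeOnlineManagement module and an account with Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Assumed threshold for illustration: flag mailboxes whose deleted-item window is
# shorter than this and that have no litigation hold protecting the contents.
$minRetentionDays = 30

$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object UserPrincipalName,
        @{ Name = 'RetainDeletedItemsDays'; Expression = { $_.RetainDeletedItemsFor.TotalDays } },
        LitigationHoldEnabled,
        RetentionHoldEnabled,
        RetentionPolicy

# Mailboxes that rely solely on the short deleted-item window: a deletion or
# corruption older than that window is unrecoverable unless you hold your own backup.
$atRisk = $report | Where-Object {
    $_.RetainDeletedItemsDays -lt $minRetentionDays -and -not $_.LitigationHoldEnabled
}

$atRisk | Sort-Object UserPrincipalName | Format-Table -AutoSize
"{0} of {1} user mailboxes have no litigation hold and a deleted-item window under {2} days" -f `
    @($atRisk).Count, @($report).Count, $minRetentionDays

Disconnect-ExchangeOnline -Confirm:$false
```

Treat the flagged list as input to your own backup and retention configuration; the script reports state and changes nothing in the tenant.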
So, the answer to “How secure is Office 365?” is a combination of your organization’s security policies, Microsoft’s security procedures, and the end user’s commitment to cloud app security.