"We will develop and deploy secure platforms and infrastructure that enable all industries. And we will strike the right balance between using data to create intelligent, personal experiences, while maintaining security and privacy." said Satya Nadella in 2014 to his employees!
Microsoft has been working on building the safest collaboration platform for all users in all industries But implementing strong security features was not enough, Microsoft had to get different Office 365 Security Certifications to prove its commitment to creating a safe environment.
The certifications we want to discuss aren’t the examination based qualifications that are available to IT professionals. Instead, we want to highlight and discuss the certifications within Office 365 and the important (although positive) ramifications of these certifications.
Enough of the riddles we hear you say, talk straight with us! Well, put bluntly, security standards are important for one simple reason: they offer trust to customers. These certifications help the end users feel confident that Microsoft’s offerings are secure.
Microsoft (to their credit) are very up front and transparent with this - to the point that they have set up a Trust Center which contains a wealth of information regarding the Office 365 security and Microsoft’s commitment to it.
Office 365: Certified Secure
ISO 27001, ISO 270018... What are they? Let’s explore a few of these certifications shall we?
It’s probably fair to assume that at some point in their careers, most IT professionals will come across an ISO 27001 certification process.
This certification deals with Information Security Management Systems, which are sets of controls, checks and processes relating to the initiation, implementation and maintenance of information security management. According to the ISO 27001 BSI site, there's a demanding four step process to go through in order to gain this certification.
In addition to the steps needed to satisfy the certification conditions, Microsoft have taken the additional step of asking the BSI auditors to review 20 additional controls that have been implemented for Office 365.
Whilst this is a concession mostly aimed at European customers, a specific certification has been obtained that complies with both EU and US data security and privacy issues.
This ISO standard may not be as well-known as its 27001 counterpart, but it has an important contribution to make. It works in the domain of Personable Identifiable Information (otherwise known as PII).
ISO 270018 mandates that an individual should not be identifiable by any data that's stored within a platform. In the case of Office 365, Microsoft obtained the ISO 270018: 2014 standard in their latest 27001 audit and have committed to:
Office 365 being an advertisement free zone
Clearly identifying processes for storage and disposal of PII
Clearly identifying any third parties dealing with personal transaction data
US - EU Safe Harbor
This specific piece of legislation is mostly intended for European firms.
EU data security regulations are for the most part much stricter than their US counterparts. To make sure that these regulations are adhered to, the European Union typically resorts to a blanket ban of any personal data being physically moved or stored outside of the region unless specific legal measures are in place.
The specific legal measures that have been put in place are known as a Safe Harbour agreement. The underlying agreement here is one that the European Union has signed with the U.S. Department of Commerce.
This agreement permits U.S. organizations to effectively self-certify that they are able to (and do) comply with the Safe Harbour principles. Subsequently, these principles match the data protection requirements that the EU insists on.
Microsoft first committed to this agreement in 2001 and have had it renewed every 12 months ever since.
What About Yammer?
It would be an oversight of us not to mention Yammer in this post due to its unusual status.
It makes sense that the Office 365 services will have the above certifications in place since they were built that way by design. As a recent acquisition however, Yammer is still in the process of being streamlined to conform to all of the above certifications. As it stands, as of March 2014, Yammer has achieved the ISO 27001 standard on its own (as confirmed on the social network’s blog). Yammer has also committed to include the various certifications mentioned above on their product roadmap.
Displaying Real Commitment
In closing, Microsoft's hard work and efforts in order to meet concerns over security, are to be applauded. They have taken plenty of steps, both technologically and from a compliance perspective to ensure that all potential client’s needs are met.
Beyond this, Microsoft offers a solid and as transparent as possible analysis of their offerings within the Trust Centre.