Perry Clarke is the corporate vice president in Office Server and Services. Vivek Sharma is the director of program management in Office Server and Services.
In our last From Inside the Cloud post, “Is your data safe at rest?,” we looked at possible physical and logical threat vectors and the various mitigations in place with our defense-in-depth approach, including penetration testing. We also summarized some of the administrator and user controls available to you as part of the Office 365 service—through Rights Management (RMS) and data loss prevention—that enable you to authorize who can view data at the file and item level shared within the service. We stopped short of sharing with you how we manage who has access to your data in the service, which is what we’d like to focus on in this post.
The idea that somehow your data may be more accessible in Office 365 as a cloud service by the people administering and running the service, and therefore more vulnerable, is a common fear. How is it that we maintain the service and do not expose your data to engineers during troubleshooting activities? In this video, “Who has access to your data?,” Perry and I give you an overview of how we protect the security and privacy of your data in our services by controlling access to it.
As we explain in the video, ultimately if the service is working properly, nobody has access to your data. There is zero standing access to your data, unlike in on-premises environments, where an administrator may have long-standing permissions and access.
On the rare occasion that there is an incident that requires troubleshooting access to your data, administrators need to follow a stringent time-based work flow that we call “lockbox,” which through software allows only pre-assigned two-factor-authenticated administrators to request escalation. What this does is ensure that all actions related to access to your data go through a formal escalation request and approval process that is highly supervised, logged, and audited. Additionally, administrators can only request permission to take actions based on their predefined set of privileges through role-based access control (RBAC). All approved access is via a machine-generated password and all activities have a specified time window for completion.
RBAC is a very important factor in managing access to data in the Office 365 service. We’ve implemented this for Exchange and Exchange Online for over a decade and can now bring these best practices and learnings to the Office 365 service overall.
Our ultimate approach is to restrict powerful access to data by our administrators. This, by definition, means building the system in a way that allows for the machinery at the service level to read and write your data and that provides tools that enable individual administrators of the service to diagnose the health of the system and fix it without read or write actions. That means no one has meaningful access to data without escalation of privileges and we limit what the tools used to troubleshoot the service can do.
Beyond lockbox, the checks and measures in place to protect the security and privacy of your data in the online service are often a lot higher than what may exist in most on-premises environments.
As a global service provider, Microsoft has to meet industry standards such as ISO 27001 and SSAE 16 to protect the privacy and security of your data, determining when, if, and why your data should be accessed if at all.
We hope that today’s explanation helps clarify the topic of administrative access to your data. Let us know what you’re thinking—send us your comments and questions. In a few weeks, lead test engineer Matt Swann from our Blue team will join us for a post to share how we continuously monitor activities within our data centers, performing intrusion detection through a combination of expert teams and machine learning.
—Perry Clarke and Vivek Sharma