Editor’s note 10/7/2015
The FAQs have been updated to provide more clarification.
Editor’s note 8/5/2015
The FAQs have been updated with Customer Lockbox purchase information.
This post was written by Vijay Kumar, senior product marketing manager, and Raji Dani, principal program manager for the Office 365 Security team.
As a cloud services provider, we recognize that organizations understandably want to have full control over access to their content stored in cloud services. Today at RSA, we announced Customer Lockbox for Office 365, a new capability designed to provide customers with unprecedented control over their content in the service. Customer Lockbox gives customers explicit control in the very rare instances when a Microsoft engineer may need access to customer content to resolve a customer issue.
In our efforts to maximize data security and privacy for Office 365 customers, we have engineered the service to require nearly zero interaction with customer content by Microsoft employees. Nearly all service operations performed by Microsoft are fully automated and the human involvement is highly controlled and abstracted away from customer content. As a result, only in rare cases—such as when troubleshooting a customer issue with mailbox or document contents—does a Microsoft engineer have any reason to access customer content in Office 365.
Microsoft Engineers do not have standing access to any service operation. All access is obtained through a rigorous access control technology called Lockbox. Today, Lockbox enforces access control through multiple levels of approval within Microsoft, providing just-in-time access with limited and time-bound authorization. In addition, all access control activities in the service are logged and audited.
With today’s announcement, we are bringing customers into the Lockbox approval process for instances involving access to customer content. Use of the Customer Lockbox feature ensures that Microsoft engineer does not get access to the customer’s content without customer’s explicit approval. When the customer gets the request for access, they can scrutinize the request and either approve or reject it. Until the request is approved, the Microsoft engineer will not be granted access.
Of course transparency and control are important in achieving trust, and all Customer Lockbox activity will be available to customers via the Office 365 Management Activity logs for easy integration into customer security monitoring and reporting systems.
Customer Lockbox will be available for Exchange Online by the end of 2015, and for SharePoint Online by the first quarter of 2016.
For more information about our trust principles and how we manage security, privacy and compliance, please visit the Office 365 trust center.
Frequently asked questions
Q. Who is notified when there is a request to access a customer’s content?
A. Administrators in the customer’s Office 365 environment are notified via email that there is a request for access. The Office 365 Admin Center portal will also display requests that have been submitted to the customer for approval.
Q. Who can approve or reject these requests in a customer’s organization?
A. Administrators in the customer’s Office 365 environment can approve or reject Customer Lockbox requests.
Q. Under what circumstances do Microsoft engineers need access to customer’s content?
A. No one at Microsoft has standing access to customer content in Office 365. Furthermore, Office 365 services are being engineered so that people performing service operations never have access to customer content. Therefore, we believe that the only scenario where a Microsoft engineer will need to access customer content is when the customer asks us to do so.
Q. What happens if a customer rejects the Microsoft engineer’s access to content?
A. Microsoft can only proceed following approval of a Customer Lockbox request. If a customer rejects a Customer Lockbox request, no access to customer content will occur. If a user was experiencing a service issue that required Microsoft to access customer content in order to resolve (though such circumstances are expected to be extremely rare), then the service issue might simply persist. Microsoft would inform the customer of this outcome.
Q. What happens to a Customer Lockbox request that was not acted upon by the customer in a timely manner?
A. Customer Lockbox requests have a default lifetime of 12 hours, after which they expire. Expired requests do not result in access to customer content.
Q. How do I purchase Customer Lockbox for Office 365?
A. Customer Lockbox for Office 365 will be available as part of a new premium Office 365 Enterprise Suite called E5. More information on E5 can be found here.