It seems logical to think that data you store in a privately controlled datacenter is safer than data in the cloud. But that’s not necessarily true. In fact, there is a broad range of security features that you benefit from when you put your data in a cloud service like Office 365. And when done right, data is more secure in the cloud than in on-premises servers.
Consider these added security benefits of data in the cloud:
- Broader scope of threat intelligence—When a customer’s on-premises servers are attacked by an external actor, the customer can take steps to protect themselves from subsequent attacks from that same actor. But damage has been done. Even if they buy access to threat intelligence feeds, the scope of available intel is constrained and their response is reactive. With Office 365, instead of simply reacting to individual attacks, customers gain the benefit of intelligence gathered from threats against other customers within the service as well. An attack launched against any organization in Office 365 can functionally inoculate everyone else.
- Greater automation and decreased human intervention—In the cloud, managing things like hardware, operating systems and patches boils down to a set of tasks that is familiar to any IT administrator. The biggest difference in the cloud is that to provide the service at scale, these tasks must be automated. The benefits of automation are two-fold. First, gaps in the security posture are addressed at scale. Second, with software operating the service instead of humans, there is less risk of falling prey to spear-phishing, offering an additional layer of protection. Manual management activities are minimal and must be approved by multiple people, which can include customers.
- Better anomaly detection due to uniformity and simplicity—When cloud services started out, they were mostly based on the same on-premises products that you always used—except they were deployed and managed on servers owned by the provider. In recent years, cloud services have evolved to dramatically simplify configuration options, server roles and management complexity. This simplification gives services the ability to consolidate how they protect, detect and respond to threats. Since software is the main source of interaction, illicit activity by human attackers is easier to identify.
- Constant innovation—Cloud security teams face two key pressures when building security capabilities: Every feature breaks at some scale, and every customer brings a particular set of concerns and requirements. We find that a robust set of well-designed and implemented capabilities can address most customer concerns, but the growth of the cloud service constantly challenges the design. A successful cloud security strategy requires us to innovate. One example is our approach to penetration testing. Some cloud services, including Office 365, have a full-time team of penetration testers who look for vulnerabilities. We asked ourselves how we would make sure that once the vulnerability has been fixed, it doesn’t recur, and that detections of illicit activity by penetration testers work for all instances of a given vulnerability. Our answer was to automate penetration testing attacks and then use that signal to verify the quality of our detections.
- Smaller breach boundary—A key piece of an effective security strategy is to make your breach boundary as small and as diverse as possible. Sensitive assets should be isolated from each other, so that it is more difficult for an attacker to move from one asset to another. Most companies draw their breach boundaries at the directory level. If an attacker can acquire domain admin privileges, they can access any information managed in that domain. When you adopt cloud services, it is more difficult for the attacker to breach your domain and gain access to any of the data in the cloud service beyond normal “front-door” access to the services which are audited. The delegation of management to a third party, in a real and impactful way, asserts a new breach boundary.
- Cross-application security model—Traditional on-premises security capabilities center on the computer, the operating system and firewalls. In on-premises systems, you parse the logs for multiple applications and must make sense of what those logs mean. In the cloud, we standardize our logging systems to make them more consumable. You can evolve your security capabilities to enable an application-aware security model that adjusts to how attackers work—by breaching accounts, then achieving their goals through front-door interfaces. Cloud application services take your security to a new level by delivering integrated and context-aware security capabilities that cross application boundaries.
- Transparency—With Office 365 in particular, there is one other benefit: transparency. With many organizations using Office 365, we are compelled to operate in the full light of day. To earn your business, we must have your trust, and to earn that we must be transparent with you about how we protect your data. To that end, we allow our customers to control how a Microsoft support engineer accesses their data. Our business model relies profoundly on the belief that there are no shortcuts and no excuses when it comes to the security of your data.
If you’ve been sitting on the fence about adopting the cloud—based on a set of objections relating to security in the cloud—these security benefits should help ease your concerns. If you want to learn more about how we approach security, check out the Office 365 Trust Center.
— Brandon Koeller, principal program manager for the Office security and compliance team