7 Ways Office 365 Prioritizes Your Data Security

Introduction
Experts estimate that 60% of businesspeople in the U.S. will be working
in the cloud by 2022.¹ And with good reason—cloud computing
enables unprecedented agility, productivity, and cost savings.
But IT, HR, and legal leaders worry that migrating
to the cloud will increase their exposure to hackers
and other threats. It’s no surprise, considering
that 2015 saw the second-highest number of data
breaches on record since 2005.²
How does an organization innovate and expand
with an ever-present concern about security
and compliance? That’s when it’s valuable to
have a trusted partner like Microsoft for cloud
infrastructure—a partner already supporting more
than one billion customers around the world with
essential features that deliver enhanced security and
threat mitigation.
The business sector topped the ITRC
2015 Breach List with nearly 40% of the
breaches publicly reported in 2015 in
the U.S., an increase of 8.1% from 2014
figures.²
¹ “Cloud Office Questions Begin the Shift from ‘If’ to ‘When,’” Gartner, 2015
² “Identity Theft Resource Center Breach Report Hits Near Record High in 2015,” ITRC, 2015
To be proactive means to put measures in place
that prevent problems before they start. Imagine
having peace of mind with proactive protection,
keeping your cloud data safe from cyber threats.
Empower your organization to overcome
common fears surrounding security and capitalize
on the promise of cloud computing. Read on to
learn how Office 365 can help you do all of
that—and actually improve data security and
administrative control.
[Figure: Cloud Benefits 2016, % of U.S. Respondents Reporting These Benefits³]
³ “State of The Cloud Report,” RightScale, 2016
Table of Contents
Chapter 1: Safety Starts With Trust
Chapter 2: Working Around The Clock
Chapter 3: Stay Secured On The Go
Chapter 4: Compliance Reassurance
Chapter 5: Advanced Security Management
Chapter 6: Keep What’s Yours, Yours
Chapter 7: Safety On An Organizational Level
Chapter 1
Safety Starts With Trust
We understand that a move to the cloud causes worry about losing
control of where your data is stored, who has access to it, and how
it gets used.
After all, the data shared between and generated by your business applications is essential to your
operations. You may even be mandated to safeguard that data to comply with industry regulations.
Let’s be clear, some of that data is what gives your company its competitive edge; that’s the last thing
you want falling into the wrong hands. Here’s how we handle security, privacy, and compliance—and
give you ultimate control over your data.
Privacy and the cloud:
ISO/IEC 27018 was created to allow cloud
service customers control over how
personally identifiable information (PII)
is used. For example, it prevents PII
entrusted to a cloud service provider from
being used for advertising without the
customer’s consent. Microsoft was among
the first to comply with this standard.
Own your data
Office 365 takes the extra measures to safeguard
your privacy and prevent any unauthorized
access to your data. You control your
information—we keep it safe; even if you decide
to leave the service, you can take your data
with you.
Maintain control
With Office 365’s built-in privacy controls, every
employee can configure Office 365 to grant—or
deny—access to their data across any device.
Even those with administrator-level status
cannot access your data without your authorization
(but they can make sure less proactive employees
are protected). And because you can take
advantage of multiple proven measures to
protect your data in transit, you can protect
users and their managed devices.
Stay ahead of the compliance curve
Be confident about satisfying key regulations,
because Office 365 applications can help you
attain and maintain compliance with HIPAA,
FISMA, and many other regulations. We work
with regulatory bodies to comply with the latest
standards. Just as important, through our Security
and Compliance Center you can easily save and
find important business content, and help Office
365 users perform their own compliance tasks.
“The bottom line is that
any system, whether cloud
or on-premises, is only as
secure as the amount of
planning and technology
that goes into the data and
applications.”
—David Linthicum, “The public cloud is more secure than your data center,” InfoWorld, 2015
Chapter 2
Working Around The Clock
Staying ahead of digital attacks
is critical to protecting your
organization’s data. But those
security threats are continually
evolving. We understand your
security concerns and we take
them seriously.
You can rest easy knowing we are on constant
vigil to ensure your data is secure 24/7. We
continuously invest in advanced security tactics
and recruit world-class experts to quickly detect
intrusions, minimize their impact, and recover
more quickly. We call upon two highly skilled
and dedicated teams of security experts: one
tasked with launching simulated attacks and the
other charged with detecting and defending
against intrusions.
By constantly testing and challenging our
security capabilities, we stay abreast of emerging
threats and constantly improve the security
measures in Office 365. That means your data is
safe now and in the future.
[Figure: U.S. Data Breaches by Industry in 2015⁴]
⁴ 2015 Data Breach Category Summary, ITRC, 2015
Chapter 3
Stay Secured On The Go
Mobile devices like smartphones and tablets are increasingly used to
access work email, calendars, contacts, and documents. In other words,
they play a big part in ensuring that your employees get their work
done anytime, from anywhere.
But as more businesses adopt a “bring your own
device” approach to phones and tablets, keeping
corporate data secure on mobile devices is
becoming a top challenge.
With Office 365, you can keep your personal
and company apps separate using built-in
mobile device management (MDM) features.
These features allow you to set device security
policies and access rules, wipe data, and prevent
unauthorized users from accessing corporate
email and data on lost or stolen mobile devices.
Plus, you can set security policies on all your
devices and establish protocols to manage your
Office 365 apps that are accessed by these
devices. And you can handle all of this through
the easy-to-use interface featuring a wizard-based setup, enabling you to see which devices
are connected to Office 365 and identify devices
that have been blocked due to non-compliance.
And to protect the data traveling between
devices, Office 365 message encryption and
rights management services enable any two
parties to communicate securely, regardless of
the servers or services between them, while
protecting your data at every stage.
By managing access to Office 365 data across a
diverse range of phones and tablets, including
iOS, Android, and Windows Phone devices,
you can:
• Help secure and manage corporate
resources: Apply security policies on devices
that connect to Office 365 to ensure
that corporate email and documents are
synchronized only on phones and tablets
managed by your company.
• Preserve productivity: Because MDM is
built directly into the productivity apps your
employees already know and love, you
can protect company data while keeping
employees productive.
According to Consumer
Reports, 5.2 million
smartphones were stolen
or lost in the U.S. in 2014.
Chapter 4
Compliance Reassurance
While it’s okay to hope for the best,
it’s always wise to be prepared.
Companies must address the challenges of storing,
organizing, and sifting through vast and exponentially
increasing quantities of data so they can respond quickly
to litigation, an internal investigation, or a
regulatory data request. Time is of the essence when
responding to legal data requests, especially those
related to your organization’s innovative developments
or a competitor’s patent. That’s why a smooth
electronic discovery (or eDiscovery) process—the
process of identifying and delivering electronic
information that can be used as evidence—is vital.
After all, most discovery orders today require email to
be produced as part of the discovery process. And the
Federal Rules of Civil Procedure guidelines require you
to do so in a timely manner.
Plan ahead now, thank yourself later.
With the Office 365 Security and Compliance Center, your
organization gains the ability to conduct all eDiscovery
in-house—without the need for external parties or add-on compliance tools. The Security and Compliance Center
serves as a portal for managing eDiscovery cases, providing
a central place where you can discover content in Office
365 applications, allowing you to control who has access
to the case, place content sources on hold, and conduct
content searches across mailboxes (active or inactive), public
folders, OneDrive for Business sites, SharePoint sites, and
Office 365 groups. Office 365’s Advanced eDiscovery is a
solution that strengthens your capabilities to detect threats
quicker, customize and refine your security policies, and give
you insights faster without the need for an endpoint agent.
It integrates machine learning, predictive coding, and text
analytics to improve the quality and reduce the challenges
that come with eDiscovery capabilities. Finally, you can
also use searches to identify data to be analyzed with
Advanced eDiscovery, which reduces the volume of data
sent for eDiscovery review by finding near-duplicate files,
reconstructing email threads, and identifying key themes
and data relationships.
Overall, Advanced eDiscovery makes the discovery
process run smoother should any case present itself in
your company’s future, and further strengthens the rich set
of eDiscovery capabilities already present in Office 365 to
help you quickly investigate and meet legal and regulatory
obligations from the Security and Compliance Center.
Near-duplicate detection
Save time and money by structuring your review in a more
efficient way, giving one person the ability to review a
group of similar documents, rather than multiple people
reviewing different versions of the same document.
Predictive coding
Train Advanced eDiscovery to distinguish between relevant
and non-relevant documents using a small sample of
documents. Once the initial training is complete, the system
can apply a relevance score to all other documents in the
data set being examined. Then you can select the right level
of review.
Email threading
Easily identify unique messages in an email thread, so that
time isn’t wasted sifting through repetitive information.
Themes
Group contextually related documents to identify cross
sections or patterns of related data.
Export for review applications
Get a CSV file of document properties and analytics
metadata by exporting data from Office 365, then load
the file into eDiscovery review applications and save the
analytics information.
Advanced eDiscovery provides the percentage of documents
required to be reviewed to achieve a certain percentage
of relevant documents. For example, reviewing 20% of
documents may yield 84% of the relevant files present in the
document set.
Decrease the cost and risk associated with the eDiscovery
process. Advanced eDiscovery tools in the Office 365
Compliance Center enable you to quickly analyze and
identify relevant data sets.
Chapter 5
Advanced Security Management
Protecting Your Office Environment
For many organizations, shadow IT is an ongoing concern. Advanced Security Management gives
you insights into suspicious activity in Office 365 so you can investigate situations that are potentially
problematic and, if needed, take action to address security issues.
Powered by Microsoft’s Cloud App Security, Advanced Security
Management offers:
Threat Detection
• Set up anomaly detection policies that alert
you when suspicious incidents occur and
evaluate the risk of user activity over 70
different indicators.
• Anomaly Detection will learn normal user
behavior to better detect abnormal activity,
protecting you from possible breaches.
• Customize the notification settings for risky
activity, and control how you’d like IT to
be notified.
• Shut down user access or processes upon
receiving a flagged notification.
• Manage the use of third-party applications
that access Office 365.
Discovery and Insights
• Get a dashboard that allows IT Pros to
visualize your organization’s usage of Office
365 and other productivity cloud services, so
you can maximize investments in IT-approved
solutions.
Enhanced Control
• Create security policies from out-of-the-box
templates for your IT to effectively monitor
user activity.
According to a 2016 report by Online Trust Alliance, 93%
of data breaches in the U.S. could have been prevented,
and 15% were due to employees.⁵
⁵ “Data Breach Protection and Readiness Guide,” OTA - Online Trust Alliance, 2016
Chapter 6
Keep What’s Yours, Yours
Worrying about accidental data breaches caused by unaware
employees can keep a chief security officer up all night.
But expecting employees to know every data
security policy—and whether or not sending a
certain file via email is exposing the organization
to risk—is impractical. Now you can protect
sensitive data more easily than ever before and
stop data leakage before it starts, without
affecting worker productivity.
Data loss prevention at work
Imagine being able to identify, monitor, and protect
sensitive data and even help users understand and
manage data risk. Better yet, what if you could
notify workers in the context of where they are
working and empower them to make the right
decisions when dealing with sensitive data?
You can. The data loss prevention (DLP) technology
embedded into Office 365 helps your employees
comply with data protection policies without
disrupting their normal routine. Calling upon built-in
templates, you can set up and execute data-loss
prevention policies with little training. You can
also define and adapt rules and policies to your
organization’s needs, such as restricting viewing to
the intended recipient, and limiting forwarding and
printing. Plus, you can quickly respond to any data
loss violations.
Here’s an example of DLP technology within Office 365 in action:
Picture an employee writing an email that
contains sensitive information, such as a credit
card number. DLP will pick up on the sensitive
information and alert the employee before the
message is sent. You decide which policies to
apply and how to respond. For example, you
could simply warn the employee about sensitive
information before she sends the email. You
could also completely block her from sending
sensitive information, and even quarantine
suspect messages.
Chapter 7
Safety On An Organizational Level
To empower everyone to do their jobs anytime
and anywhere, cloud-based office productivity
applications need to be accessible from any device
and keep your data and enterprise environment
safe from exposure and vulnerabilities.
With the built-in protection offered by Office
365, you can be sure that all your data is secure,
whether employees are in the office or working
remotely. Plus, the service enables you to
control access to your environments, data,
and applications.
Help prevent suspicious activity
To easily manage user access, take advantage
of the cloud-based user authentication
service Azure Active Directory. Simply set
your personalized security policies and run
our advanced threat analytics to identify
and eliminate suspicious activity. Strong
authentication options provide you with
granular control over how users can access
and use Office 365.
• Enable token-based authentication to
services. Integrate Azure Active Directory
with your on-premises Active Directory, other
directory stores and identity systems, or
third-party systems.
• Create additional authentication mechanisms.
Control how users access information from
specific devices or specific locations, or a
combination of both (for example, limiting
access from public computers or from public
open Wi-Fi).
• Exchange Online Protection adds advanced
threat protection to safeguard against spam,
malware, and viruses.
Security Checklist
If your organization hasn’t yet moved to the cloud, it’s only a matter of time.
And when you make that move, you want to make sure you and your employees can work without interruption.
That’s why it’s critical to address these top things when choosing a cloud provider. Use the handy checklist below
to vet your options and make the best choice for your organization.
• Who owns the data we store in your service? Will you use our data to build
advertising products? Find out if the service provider does anything with your
data and in what ways it gives you control over your data.
• Do you offer privacy controls in your service? What privacy controls are
enabled by default and are you allowed to turn off/on privacy-impacting
features? Does the service provider contractually commit to its privacy and
security promises?
• Do we have visibility into where you store our data in the service? Ask the
service provider where your data is located, who can access it, and how they
report on data access.
• What is your approach to security and which security features do you offer to
protect your service from external attacks? What does the service provider do to
secure its hardware, software, and the physical security of its datacenters? Ask
to see its policies and controls, and security verification by independent
auditors. Find out which security measures the provider enacts on your behalf
and which it allows you to configure to suit your own needs.
• How do you ensure that your service is reliable? What best practices does the
service provider apply in design and operations, such as redundancy, resiliency,
and distributed services?
• Can we get our data out of your service? Find out if you can download a copy
of your data at any time, for any reason, without any assistance from the
service provider.
• Will you inform us when things change in the service, and will you let us know
if our data is compromised? Make sure the service provider informs you of any
important changes to the service with respect to security, privacy, and
compliance.
• What standards do you comply with? Does the service provider comply with
standards like ISO 27001, FISMA, and FedRAMP?
Learn about the 4 ways to prevent security breaches in this infographic:
https://resources.office.com/landing-4-ways-to-prevent-security-breaches-infographic.html
For more information and proof points about how Microsoft Office 365 provides assurance to customers about the questions above,
please visit the Office 365 Trust Center: https://products.office.com/business/office-365-trust-center-welcome
Explore the new enterprise capabilities of Office 365 in an easy,
guided tour at http://aka.ms/O365guidedtour.
Start a free trial of the most comprehensive, most secure Office
365 for your business:
https://go.microsoft.com/fwlink/p/?LinkID=698279.
© 2016 Microsoft Corporation. All rights reserved. This document is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. This document is
provided “as-is.” Information and views expressed in this document, including URL and other Internet
website references, may change without notice.
This document does not provide you with any legal rights to any intellectual property
in any Microsoft product. You may copy and use this document for your internal,
reference purposes.