Forum Discussion
Trusting Microsoft with Your Data
I'd turn this around and ask, "What's your primary fear in your data living on Microsoft's servers?" While your question emphasizes Microsoft being able to access it - is it Microsoft, or... others that you're worried about?
I'd take a look at Customer Key and BYOK. Nothing is perfect, but I think you may be able to allay some of your fears by implementing those, and I fully expect that Microsoft will continue to add capabilities for organizations to even more tightly control exactly how their data is encrypted.
https://docs.microsoft.com/en-us/office365/securitycompliance/service-encryption-with-customer-key-faq
- Wes Miller, Sep 27, 2018, Brass Contributor
Procedurally, I believe pretty strongly that Microsoft's operational integrity exceeds that of many other organizations. From facility security all the way down to the software in each region, they deploy/manage/secure at a scale that few other organizations in the world do.
If it's breaches they're concerned about, then BYOK/HYOK are probably the right places to start in terms of "backing in to confidence", as it were.
Over the next several years, I expect the company to continue focusing on security/isolation/compliance, although many will likely require E5 tiers of service (usually for all users).
The concerns are real concerns to consider - I'm not trying to short-sell them at all. In fact, we hear similar at my work pretty regularly when large customers are kicking the tires on M365, Azure, AWS, or GCP. But there's a point where you (the org) need to figure out what position the GRC sliders need to be in vs. the unique value that Microsoft's services can offer.
Wes