Sep 26 2018 08:06 PM
What is your take on turning your data over to Microsoft? Theoretically, any data you store on O365 or M365 is in the possession of Microsoft. This means that they have access to the data completely. You can say that the data is encrypted, but you typically have to provide the encryption key to Microsoft in the Azure Key Vault, if you are even the one providing the key. So how do you justify turning all of your data over to Microsoft? What am I missing that makes this not seem so crazy? I want to move to the cloud because I see a ton of benefits, but how are you convincing your CISO that this isn't crazy?
Sep 26 2018 09:52 PM
I'd turn this around and ask, "What's your primary fear in your data living on Microsoft's servers?" While your question emphasizes Microsoft being able to access it - is it Microsoft, or... others that you're worried about?
I'd take a look at Customer Key and BYOK. Nothing is perfect, but I think you may be able to allay some of your fears by implementing those, and I fully expect that Microsoft will continue to add capabilities for organizations to even more tightly control exactly how their data is encrypted.
Sep 27 2018 12:55 PM
Sep 27 2018 02:16 PM
Procedurally, I believe pretty strongly that Microsoft's operational integrity exceeds that of many other organizations. From facility security all the way down to the software in each region, they deploy/manage/secure at a scale that few other organizations in the world do.
If it's breaches they're concerned about, then BYOK/HYOK are probably the right places to start in terms of "backing in to confidence", as it were.
Over the next several years, I expect the company to continue focusing on security/isolation/compliance, although many will likely require E5 tiers of service (usually for all users).
The concerns are real concerns to consider - I'm not trying to short-sell them at all. In fact, we hear similar at my work pretty regularly when large customers are kicking the tires on M365, Azure, AWS, or GCP. But there's a point where you (the org) need to figure out what position the GRC sliders need to be in vs. the unique value that Microsoft's services can offer.
Wes