It is definitely Microsoft they are the most worried about as there doesn’t seem to be a lot of things standing in the way of someone at Microsoft gaining access. I’m sure there are internal controls (I mean logically this is a risk for Microsoft and a severe data breach would be catastrophic for them as a company at this point). How do you push them past that cynicism though? I’ve heard a little about the BYOK solution. I’m going to look in them further. I see so many things that could be made better with Azure and O365 I really want to get a convincing argument put together.

Procedurally, I believe pretty strongly that Microsoft's operational integrity exceeds that of many other organizations. From facility security all the way down to the software in each region, they deploy/manage/secure at a scale that few other organizations in the world do.

 

If it's breaches they're concerned about, then BYOK/HYOK are probably the right places to start in terms of "backing in to confidence", as it were.

 

Over the next several years, I expect the company to continue focusing on security/isolation/compliance, although many will likely require E5 tiers of service (usually for all users). 

 

The concerns are real concerns to consider - I'm not trying to short-sell them at all. In fact, we hear similar at my work pretty regularly when large customers are kicking the tires on M365, Azure, AWS, or GCP. But there's a point where you (the org) need to figure out what position the GRC sliders need to be in vs. the unique value that Microsoft's services can offer.

 

Wes