Good news, legal.
Earlier this week, Microsoft announced additional security features for Office 365 at the RSA Conference in San Francisco. With cloud adoption taking flight as a whole, Microsoft is focused on enhancing security controls and improving transparency in service operations for Office 365. Currently, adoption within the legal industry remains fairly low, as firms do not yet feel comfortable placing their clients’ data in the cloud while too many security unknowns remain. But as Microsoft continues to enhance security features and make them available, we’ll likely see a gradual shift in legal usage over time.
During the feature reveal, Microsoft touted additional controls such as Customer Lockbox, the Management Activity API and advanced email encryption. While all are important, the most significant security enhancement is the Customer Lockbox feature, which gives the customer more control over their data when a Microsoft engineer is seeking access to the data in order to solve a specific problem.
Now with Customer Lockbox, engineers are required to receive explicit approval from the customer within a 12-hour time frame; if permission is denied or the request is unanswered, the request expires. Once approved by the customer, just-in-time access is granted to an engineer who still only has limited authoritative and viewing capabilities in a very controlled manner. This security feature provides transparency and gives customers additional peace of mind about their data’s security at this juncture of vulnerability.
Customer Lockbox activity will be documented in the Office 365 Management Activity Log for further transparency and security reporting. These additional features are an add-on to the existing process controls, creating an additional layer of security on top of what is already in place.
Customer Lockbox will be available for Exchange Online at the end of this year, and for SharePoint Online in Q1 of 2016.
Just yesterday, my team and I attended a half-day session with Microsoft on cloud security. The session, “Transparency & Trust in the Cloud: A Security & Legal Best Practices Summit from Microsoft,” highlighted the features mentioned above and much more. Microsoft’s focus on security and transparency is evident and a positive sign for the legal industry.
Additional cloud security features emphasized during this summit include:
Microsoft has several Transparency Centers located around the globe where government representatives can review the source code used to manage its cloud services. The idea is to build trust by creating a dynamic of checks and balances between world regimes that might have competing interests. More info here…
Microsoft does not sell or mine client data, unlike competitor offerings that base their business model on targeted advertising (e.g. Google).
Customers have the ability to choose which region hosts both the primary and secondary copies of their data, effectively limiting their datacenter use to within a specific country or continent; caveats may apply so always do your due diligence.
Microsoft actively fights to protect client data and resists third-party access requests from federal or international agencies.
Microsoft is the first cloud provider to adopt the ISO 27018 standard, which they helped to develop with other large providers and regulatory agencies.
PFS (Perfect Forward Secrecy) is being adopted to further enhance security. PFS uses a different encryption key for every single connection; this is in addition to the SSL encryption of data in transit that is already in place, and the use of BitLocker encryption for data at rest.
EU Privacy Approval – Microsoft Azure, O365, CRM and Intune have all been approved by EU member countries. Additional info here…
Microsoft Data Classification Policy – Microsoft internally classifies and protects data using a combination of their own tools and business best practices. More info here…
How do these additional security controls change the readiness and feasibility of Office 365 for your firm?