Security considerations & assessment for using Office365 (MS Cloud?)

Posted on 2016-08-24
Medium Priority
Last Modified: 2016-09-15

The above link gives many security features/compliance about Office365 but
I still have doubts on:

a) I suppose to use Office365, we'll run a link from our office to MS Cloud, right?
    Is this a point-to-point leased circuit link that is encrypted (hardware encryption
    or software?) or via public Internet (site to site VPN?) .  How many bit encryption
    is used here?

b) how is SharePoint service provided by Office365 safer/more secure than we
    using our own SharePoint?  I've always heard in defense projects, they won't
    trust to host their data offsite but only within their own local DC

  referring to above link,

c) does MS offers continuous backup so that we can restore to a specific point
    in time (up to a specified minute) ?

d) does the above service offers NIDS & endpoint IPS protection ?

e) do we still use our own Data Loss Protection (to prevent leakage) or
    the above service provides it?

f) how is MS Exchange via this service more secure compared to hosting our
    MS Exchange server?  Is it more effective against spam, phishing & 

g) in some clouds, data of numerous tenants/customers are backed up to
    a common tape via a shared tape drives ie data are co-mingled on the
    tape.  In the event a tenant wants to exit this service, how does the
    service provider ensure data is securely erased from the tapes or they
    do offer dedicated tapes (& tape drives) for each customer?   Can't be
    a tape holding multiple tenants' data need to be degaussed or securely
Question by:sunhux
LVL 46

Accepted Solution

Vasil Michev (MVP) earned 1800 total points
ID: 41769105
You've already found the whitepaper, now start looking at the links therein. Here are the short answers:

a) Data is always encrypted in transit, but that will not help you against MITM attacks. You need to trust your ISP and all the network equipment in between.

b) you know there's a separate O365 instance that the USA gov is using, right? Obviously it's secure enough for them.

c) they don't offer point-in-time backups, if you have specific needs for such, you need to use 3rd party services/products

d) it "offers" it on the datacenter level, not many details are given usually as they can pose potential security risk. again, half the world is using O365 now, including governments, big banks, huge enterprises... it's secure

e) you can either use your own, or the one that comes with the service, at additional price.

f) already covered above. spam/malware effectiveness can vary, but you can always use 3rd party service if you are not happy with what you get with O365

g) again, covered above, also check the links in the document.

I'd also recommend checking the Trust center (https://products.office.com/en-us/business/office-365-trust-center-security) and if you have an existing O365 (even trial), the documents in the Service assurance portal (https://protection.office.com/#/serviceassurance/othertrust). You can always talk to your Microsoft representatives as well.
LVL 21

Assisted Solution

by:Walter Curtis
Walter Curtis earned 200 total points
ID: 41769138
You have very good questions, indicating some cloud doubts. If you have doubts, then stick to what you can control, on premise. Always remember, Microsoft and other cloud providers are in the business of making money, which I am not against, but their marketing will be geared towards that goal, which could be more important to them than your security goals....

Just saying...

Author Comment

ID: 41769696
A couple more questions:

h) for users who VPN in, they VPN direct to our office & then connect to O365
    or they VPN direct to O365 at MS Cloud?

i) in some Cloud Service Provider, their sysadmins could login to tenants' servers;
   could MS login to their O365 tenants environmt or access their tenants' data?

j) does MS uses any sort of virtual firewall that segregates one tenant from the

k) should there be data leaks due to use of O365, does MS provide any provision
    to take up the liability?

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

The Super Bowl is just days away. Millions of advertising dollars will be spent in just a few hours to drive people to websites around the globe. Optimizing your site in anticipation of a big event like this (and the traffic surges that follow) will…
Data security in the cloud is very much like a security in an on-premises data center - only without costs for maintaining facilities and computer hardware.
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question