Customer lockbox the most interesting feature in Office 365 security announcements

Customer lockbox the most interesting feature in Office 365 security announcements

It’s the conference season. RSA, the big gathering for the security industry, is this week. Microsoft Build is next week and Ignite the week after. Anyone who goes to all three conferences will be battle-weary and exhausted when they’re done.

But conferences demand news and because RSA is a security event, it follows that Microsoft would release some announcements of what they plan to do to enhance security within Office 365. After all, some still view the cloud as an insecure place to store anything, even when they might cheerfully store personal data in a variety of cloud services.

As it happens, Office 365 has a pretty good track record of security that is backed up by independent audits. The Office 365 Trust Center is a good place to learn about how customer data is isolated and protected against access by another tenant or Microsoft employees. But you can always do better, which brings us to the post announcing increased transparency and control written by Rajesh Jha, the corporate VP who oversees Office 365.

The most interesting capability is the customer lockbox. Millions of operations are performed daily within Office 365, most flowing through a very sophisticated workflow engine that removes the need for human intervention. Those heading to Ignite might take the opportunity to listen to Vivek Sharma and Perry Clarke discuss this topic among others in their “Behind the Curtain; Running Exchange Online” session at 5PM on Tuesday, May 4.

Sometimes a human has to get involved, often to troubleshoot a tricky problem that requires engineers to examine some customer data. Anyone who has ever worked through a support problem for Office 365 knows the highly structured approach that Microsoft support personnel follow and that first- and second-level personnel are not allowed to change anything that might affect customer data. A relatively small number of engineers, some of whom work for development, are allowed to access customer data when necessary to address escalated problems, and only after several levels of approval are gained. Today, Office 365 uses a lockbox process to ensure that an engineer is allocated the necessary administrative permissions for the time required to fix the problem and no more. Compare this situation to what often happens on-premises when some accounts might hold elevated permissions for no good reason for years.

The customer lockbox takes the current situation one step forward by giving tenant administrators the opportunity to give explicit approval before their data can be accessed by Microsoft. Approval will be sought and granted through the Office 365 Admin Center and will be in place for Exchange Online by the end of 2015 and SharePoint Online in the first quarter of 2016. All access will be captured in records that can be later interrogated by the new Management Activity security service, which provides a REST API to allow developers and third party developers to submit queries about more than 150 different transactions. Initially, the primary sources of the information are Exchange Online, SharePoint Online, and Azure Active Directory. Other sources such as Yammer are likely to be harvested in the future.

In many respects this is the security equivalent the regular Office 365 reporting web service that’s already in use and it’s unsurprising to find that many of the ISVs who exploit the reporting web service for their products have signed up to create new solutions for security and compliance reporting and analysis. It will be interesting to see what the ISVs can do with the data, which I also expect to show up as new (but basic) reports in the Office 365 Admin Center.

The third announcement covers advanced encryption for email stored within Office 365. As described in the recent series by Nathan O’Bryan, Exchange Online already makes use of a wide range of encryption technologies, but the difference here is that the databases holding the email at rest will be secured using the same kind of technology already employed for per-file encryption in SharePoint Online. Interestingly, Microsoft plans to allow customers to generate and control their own encryption keys from 2016, adding a further layer of isolation between the owners of the data and those who manage the data in the cloud.

All of this is good stuff, even if we will have to wait to see it in action. But the laws of the conference season have been satisfied by the announcement, so that’s just fine. And if you get to Ignite and want more information, the "Office 365 Security and Control" session at 1:30PM on Monday seems like the place to be.

Follow Tony @12Knocksinna

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.