Wednesday, October 06, 2010

Is My Data Secure In SharePoint Online?

"Is My Data Secure In SharePoint Online?". This is a question that is frequently asked by our customers that are considering a migration to SharePoint Online. This question was also raised by a Microsoft partner during my Q&A on stage at Microsoft's "Transitioning to the cloud" event at the International Convention Centre in London yesterday and it also came up on the SharePoint Online forum recently.

The approach I always take with my customers when asked the question is to provide them the relevant information they need to make an informed decision about security. Ultimately, it's up to them to decide - I am just the facilitator. But, to make that right decision, it's important the customer has all the relevant information to hand.

So the purpose of this post is to bring that information together in one place to help you answer that question.

Global Foundation Services

First up, let's start with Microsoft Global Foundation Services. This is the team that operate, and secure, Microsoft's data centres worldwide. Microsoft spun out this separate group specifically for this task.

Understanding how GFS works and the standards they adhere to is key to understanding data security in SharePoint Online.

This is one of the most significant documents from GFS: Securing Microsoft's Cloud Infrastructure. Just a quick browse of the contents page in that document will show you security is ingrained in to GFS procedures.

Microsoft calls their initiative for security in the cloud as "trustworthy cloud", achieved through focus on three areas:

  • Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business
  • Maintaining and updating a detailed set of security controls that mitigate risk
  • Operating a compliance framework that ensures controls are designed appropriately and are operating effectively
This document goes in to detail how GFS deals with compliance and the certifications they have attained: Microsoft Compliance Framwork

GFS make the point that since 1994 Microsoft have been running online services. So you can imagine they'd have vast experience by now.

SharePoint Online Service Description

The SharePoint Online Service Description document is a good place to start for SharePoint Online specific security information. These are the choice pieces from that document that specifically reference security:

Secure access: Microsoft Online Services are accessed via 128-bit Secure Sockets Layer (SSL) encryption. Anyone who intercepts a communication sees only encrypted text

Security audits: Ongoing assessment of the Microsoft Online Services infrastructure ensures installation of the latest compliance policies and antivirus signatures, along with high-level configuration settings and required security updates

Virus filtering: Microsoft Online Services helps guard against online threats. Microsoft Forefront™ Online Security for Exchange automatically removes viruses and spam in incoming and outgoing e-mail. Microsoft Forefront Security for SharePoint scans for viruses in intracompany e-mail and in all documents that reside in SharePoint Online sites

Tips for Microsoft Partners

If you are selling SharePoint Online to your customers and get confronted with the same question, here some tips to help you:
  • Legal considerations. Your customer may be bound by law or contractual agreements that means their data cannot be migrated to SharePoint Online. In these circumstances, there is still potential for a sale. Why? Because it's not always the case that all your customer's data will be bound by those restrictions. SharePoint Online can still give your customer a whole heap of benefits for the rest of their data. Also, there is no reason why SharePoint Online could not provide a link through to that information for convenience: so although it is not held in SharePoint Online, users can still find their way to it from SharePoint Online. We have exactly this situation for a successful UK law firm
  • Few companies can meet the same level of standards as Microsoft can. Even the largest of companies would find it hard to get even close to the security standards that Microsoft has adopted for their data centres. Just about every box that can be ticked has been ticked. I challenge my customers to compare their data security to that which Microsoft provide. I haven't had a case yet where a customer has bettered Microsoft
  • Building trust takes time. One of the best ways to convince your customer about security of their data is to get them to use SharePoint Online in some limited way. The sooner they begin using SharePoint Online, the sooner they can start building up trust in the platform. For example, migrating a single department, or a project team from your customer to SharePoint Online is a great way for them to build up that trust but with minimal perceived risk. If you make the initial conversations too big then your customer is going to feel very uncomfortable about taking that step in to SharePoint Online


Sol Alogaga said...

Hi There,

I have written a blog about a vulnerability with COntrary to what you have stated here about AV protection for SharePoint there is none based on my test.


Tee Chess said...

One of my friend also wanted to know the same thing because he just planned to use SharePoint. I appreciate the way you have answered this question which can please all. Thanks.
electronic signature for sharepoint

Richard Hubert said...

I don't see much real security here. Where is data-integrity & security (does sharepoint guarantee no loss of data) and where is the protection from data theft (is the data encrypted? or what other sort of protection used?) Interesting topic in any case...

Benny Skogberg said...

Great article to start your jurney toward the cloud. This was just what I needed to recommend SPO to our customers from a security perspective. Thanks! <>

Julia Patrick said...

Recently I consider to purchase a electronic signature for sharepoint for a small to average scale business and still have a big doubt about it's cost-effectiveness.

lee woo said...

The opportunity to secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy himself. See the link below for more info.


Cindy Dy said...

Thank you for the information. You have a very good article. I found it informative and useful. Keep up the good work and God bless!


Prologic Corporation said...

This is a good article & good site.Thank you for sharing this article. It is help us following categorize:
healthcare, e commerce, programming, multi platform,inventory management, cloud-based solutions, it consulting, retail, manufacturing, CRM, technology means, digital supply chain management, Delivering high-quality service for your business applications,
Solutions for all Industries,
Getting your applications talking is the key to better business processes,
Rapid web services solutions for real business problems,
Web-based Corporate Document Management System,
Outsourcing Solution,
Financial and Operations Business Intelligence Solution,

Our address:
2002 Timberloch Place, Suite 200
The Woodlands, TX 77380


Leslie Lim said...

First time I commented in a blog! I really enjoy it. You have an awesome post. Please do more articles like this. I'm gonna come back surely. God bless.

David Smith said...

This articale very usefull to me.
Sharepoin developer

Anonymous said...

Data in the cloud is, by definition, not on your servers but someone else's.
That very fact means the answer to your Title Question is a most definite NO.