Wednesday, October 06, 2010

Is My Data Secure In SharePoint Online?

"Is My Data Secure In SharePoint Online?". This is a question that is frequently asked by our customers that are considering a migration to SharePoint Online. This question was also raised by a Microsoft partner during my Q&A on stage at Microsoft's "Transitioning to the cloud" event at the International Convention Centre in London yesterday and it also came up on the SharePoint Online forum recently.

The approach I always take with my customers when asked the question is to provide them with the relevant information they need to make an informed decision about security. Ultimately, it's up to them to decide - I am just the facilitator. But, to make that right decision, it's important the customer has all the relevant information to hand.

So the purpose of this post is to bring that information together in one place to help you answer that question.

Global Foundation Services

First up, let's start with Microsoft Global Foundation Services. This is the team that operate, and secure, Microsoft's data centres worldwide. Microsoft spun out this separate group specifically for this task.

Understanding how GFS works and the standards they adhere to is key to understanding data security in SharePoint Online.

This is one of the most significant documents from GFS: Securing Microsoft's Cloud Infrastructure. Just a quick browse of the contents page in that document will show you security is ingrained into GFS procedures.

Microsoft calls its initiative for security in the cloud "trustworthy cloud", achieved through a focus on three areas:

  • Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business
  • Maintaining and updating a detailed set of security controls that mitigate risk
  • Operating a compliance framework that ensures controls are designed appropriately and are operating effectively

This document goes into detail on how GFS deals with compliance and the certifications they have attained: Microsoft Compliance Framework

GFS make the point that since 1994 Microsoft have been running online services. So you can imagine they'd have vast experience by now.

SharePoint Online Service Description

The SharePoint Online Service Description document is a good place to start for SharePoint Online specific security information. These are the choice pieces from that document that specifically reference security:

Secure access: Microsoft Online Services are accessed via 128-bit Secure Sockets Layer (SSL) encryption. Anyone who intercepts a communication sees only encrypted text

Security audits: Ongoing assessment of the Microsoft Online Services infrastructure ensures installation of the latest compliance policies and antivirus signatures, along with high-level configuration settings and required security updates

Virus filtering: Microsoft Online Services helps guard against online threats. Microsoft Forefront™ Online Security for Exchange automatically removes viruses and spam in incoming and outgoing e-mail. Microsoft Forefront Security for SharePoint scans for viruses in intracompany e-mail and in all documents that reside in SharePoint Online sites

Tips for Microsoft Partners

If you are selling SharePoint Online to your customers and get confronted with the same question, here are some tips to help you:
  • Legal considerations. Your customer may be bound by law or contractual agreements that mean their data cannot be migrated to SharePoint Online. In these circumstances, there is still potential for a sale. Why? Because it's not always the case that all your customer's data will be bound by those restrictions. SharePoint Online can still give your customer a whole heap of benefits for the rest of their data. Also, there is no reason why SharePoint Online could not provide a link through to that information for convenience: so although it is not held in SharePoint Online, users can still find their way to it from SharePoint Online. We have exactly this situation for a successful UK law firm
  • Few companies can meet the same level of standards as Microsoft can. Even the largest of companies would find it hard to get even close to the security standards that Microsoft has adopted for their data centres. Just about every box that can be ticked has been ticked. I challenge my customers to compare their data security to that which Microsoft provide. I haven't had a case yet where a customer has bettered Microsoft
  • Building trust takes time. One of the best ways to convince your customer about security of their data is to get them to use SharePoint Online in some limited way. The sooner they begin using SharePoint Online, the sooner they can start building up trust in the platform. For example, migrating a single department, or a project team from your customer to SharePoint Online is a great way for them to build up that trust but with minimal perceived risk. If you make the initial conversations too big then your customer is going to feel very uncomfortable about taking that step into SharePoint Online