When selecting Microsoft Office 365 as the platform for Rutgers Connect – the new central email, calendaring, and collaboration solution for the University – the members of the committee tasked with this selection process were keenly aware that data security and privacy ranked among the most important considerations. This series of articles will introduce both University IT staff and interested members of the community to the standards and capabilities of the Office 365 platform designed to ensure data security and privacy. It will also provide an overview of the Rutgers-specific customizations and policies which further this high-priority endeavor.
The first articles in the series will cover the Office 365 platform’s security capabilities and compliance offerings.
Microsoft publishes a vast amount of information detailing their techniques, policies, methodology, and implementations relating to the security of Office 365. Interested users should browse the Office 365 Trust Center for additional information, as these articles will cover only a small portion of what Microsoft has made available.
https://www.microsoft.com/en-us/trustcenter/cloudservices/office365
Data Location, Privacy, and Access by Third Parties
Contractually, Microsoft guarantees that all Rutgers University data is stored exclusively in US-based datacenters. Within these facilities, data which belongs to Rutgers is logically segregated from the data of all other Office 365 tenants owned by other clients. Furthermore, all data is encrypted both at rest and in transit and between the user and all components of Office 365.
Microsoft does not provide any government agency with direct, unfettered access to either customer data or the encryption keys securing the data. Their privacy statement regarding government access to data reads, in part:
If a government entity approaches Microsoft directly with a request related to a Microsoft Online Services customer, Microsoft will first try to redirect the entity to the customer to respond. If Microsoft is required to respond to the demand, Microsoft will promptly notify the customer and provide a copy of the demand (unless legally prohibited).
Microsoft publishes its law enforcement requests report to identify the number and types of requests it receives and its compliance with those requests. Microsoft recently received permission from the U.S government to publish information about Foreign Intelligence Surveillance Act orders and National Security Letters.
The government access reports are available here: https://www.microsoft.com/en-us/about/corporate-responsibility/reports-hub
For more on data privacy, see Privacy in Office 365.
Data Security in Office 365 and Azure
All data in Office 365 and its Rutgers University implementation (Rutgers Connect) can only be accessed over encrypted network protocols, ensuring that no third-party actor can intercept or read any communications between the end user and Office 365.
Once data of any sort is stored in Office 365, it remains at least doubly encrypted while at rest. First, all data is encrypted at the disk storage layers using BitLocker protocols. Second, each file residing in the Office 365 platform is individually encrypted, independently of the underlying storage encryption. As a rule, encryption keys are kept in different datacenters than the data they encrypt.
For more on data encryption, see Content Encryption in Microsoft Office 365.
Data Resiliency
To ensure that no customer data is ever lost, Microsoft ensures that for each user file stored within Office 365 there must exist at least 4 copies, which must reside in 4 separate datacenters within the United States. The architecture of Office 365 and the underlying Azure infrastructure is based on an understanding that failures can (and will) happen due to hardware, software, networking, and human errors. All efforts are made to ensure that none of these failures will ever result in customer data loss. So far, after one year of the platform’s active deployment at the University, we can confirm that we are not aware of any data loss for any Rutgers Connect user.
In addition to the data resiliency standards listed above, Office 365 offers many additional protections. For example, all data is scanned for known malware and viruses whenever entering or leaving Office 365, and data at rest is scanned weekly. Another of the platform’s offerings is the availability of thorough version history for each document uploaded to OneDrive that keeps track of every change. This feature could be used to recover data that has been corrupted or even sabotaged by ransomware infections; a user could simply restore to a previous copy from before the known infection date.
As an additional level of protection, no file can be executed directly (and certain executable file extensions cannot even be stored) in the Office 365 environment.
For more on data resiliency, see Data Resiliency in Office 365.
Monitoring of Irregular Sign-ins and Intrusions:
Adding to the layers of protection mentioned thus far, all user and administrator access to data is logged and monitored for suspicious behavior. System administrators cannot access or modify user data without immutable logs of such activity. User login activity is monitored for access from suspicious locations or IP addresses; when such irregular access is detected, system administrators are notified to ensure a timely response and help prevent any possible compromise of user data.
For more on auditing and reporting, see Auditing and Reporting in Office 365.
Office 365 Compliance with Various Legal and Security Frameworks:
Microsoft Office 365 has been certified as compliant with many legal and security standards spanning a multitude of national and international legal systems. Standards with which Office 365 is compliant include HIPAA, FISMA, FedRAMP, FERPA, and many more.
Of particular interest to the Rutgers community is the Business Associate Agreement Microsoft has signed with regards to HIPAA compliance, as this has enabled Rutgers to proceed with the evaluation and certification of Rutgers Connect for use by RBHS and other departments that handle HIPAA-covered data.
For more on compliance offerings and other security topics see, About Microsoft Cloud Security.
Authors: Vladimir Gabrielescu, Elizabeth McMillion, Rae Clarke
Stay tuned for additional articles in this series, which will cover Rutgers-specific security considerations and features.
If you have any questions, comments or suggestions regarding the Rutgers Connect article series, please write to help@oit.rutgers.edu.