Microsoft: Office 365 Data Privacy Assured by 'Lockbox'

The software giant opens up about how it handles cloud service requests from customers in lieu of unfettered access to their data.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

cloud security

In the year since ex-National Security Agency contractor Edward Snowden exposed the U.S. government's alleged cyber-spying capabilities, IT companies have been battling the perception that data residing on their clouds is easy pickings for anyone with the right credentials. That's not the case with Office 365, according to Microsoft.

Office 365 is Microsoft's cloud-enabled version of its venerable productivity software suite. In addition to PC, mobile and Web versions of applications such as Word, Excel and PowerPoint, Office 365 encompasses a set of file storage, syncing and collaboration features powered by Microsoft Azure.

Given the sensitive or private nature of the information that flows through Azure's servers and storage systems, businesses are understandably concerned that insiders can expose their data.

"The idea that somehow your data may be more accessible in Office 365 as a cloud service by the people administering and running the service, and therefore more vulnerable, is a common fear," said Vivek Sharma, Microsoft's director of program management in Office Server and Services, in a company blog post.

The Redmond, Wash.-based tech giant is battling that perception with a process it calls "lockbox."

In effect, the company's strict policies and practices prevent administrators from poking around a user's data, inadvertently or otherwise, according to Perry Clarke, corporate vice president in Office Server and Services. "There is literally zero standing access for human beings to your data if it's sitting in our cloud," he said in an accompanying YouTube video.

Lockbox is a "stringent time-based work flow" explained Clarke. Leveraging software, Lockbox allows only "preassigned two-factor-authenticated administrators to request escalation." Sharma likened the approach to "turning the two keys in order to do something dangerous."

The end result is a highly supervised, gated approach to data access on the Office 365 cloud. Clarke said that "all actions related to access to your data go through a formal escalation request and approval process that is highly supervised, logged, and audited," in the co-authored post.

Standing permissions—in essence, the keys to the kingdom—are also a thing of the past.

Clarke revealed that "administrators can only request permission to take actions based on their predefined set of privileges through role-based access control (RBAC)." The approach hails from the company's successful, decade-old RBAC implementation on Exchange and Exchange Online. "All approved access is via a machine-generated password and all activities have a specified time window for completion," he added.

In short, Lockbox works to "ensure that only the right people have only the right access at the right time and no standing permissions ever," said Sharma.

Lockbox aside, Microsoft has other protections in place. Given the company's global footprint, "Microsoft has to meet industry standards such as ISO 27001 and SSAE 16 to protect the privacy and security of your data, determining when, if, and why your data should be accessed if at all," reminded Sharma.

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...