Microsoft's Office 365 Lockbox Gives Users More Control Over Their Data
Looking to capitalize on security concerns about third-party access to data stored in the cloud, Microsoft has announced a new service called Customer Lockbox that will be made available for the Office 365 platform. The new functionality will give clients explicit control over when a Microsoft engineer can access client data stored on the cloud, while automating the majority of interactions with customer data to limit access by Microsoft employees.
“In our efforts to maximize data security and privacy for Office 365 customers, we have engineered the service to require nearly zero interaction with customer content by Microsoft employees,” the company said in a blog post announcing the new capability. “Nearly all service operations performed by Microsoft are fully automated and the human involvement is highly controlled and abstracted away from customer content.”
Multiple Levels of Approval
As a result of these changes, Microsoft engineers will only have reason to access client data in certain instances, such as to troubleshoot specific issues within Office 365, according to the company. Instead of having standing access to data, Microsoft engineers will be required to obtain access through Lockbox, which will enforce all access control.
The Lockbox process will require multiple levels of approval within Microsoft, and will result in limited authorization to access the data for certain periods of time. Explicit approval will have to be obtained from clients before engineers can access their data.
In addition, all access control activities in the service will be logged and audited. Clients will be able to review these records through the Office 365 Management Activity logs, which can be integrated into existing customer security monitoring and reporting systems that currently provide records of all interactions with their data.
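The request lifecycle described above (internal approvals, explicit customer approval, a time-limited grant, and an audit record for every decision) as an added Python model; this is an illustration, not Microsoft's code, and the approver count, four-hour window, tenant and account names and event labels are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical Lockbox-style request (not Microsoft's implementation): a fixed
# number of internal approvers, then the customer, then a grant that expires.
@dataclass
class AccessRequest:
    engineer: str
    tenant: str
    approvers_required: int
    approvals: set = field(default_factory=set)
    granted_until: Optional[datetime] = None
    audit: list = field(default_factory=list)   # every decision lands here

    def _log(self, event, actor, now):
        self.audit.append({"time": now.isoformat(), "event": event,
                           "actor": actor, "tenant": self.tenant})

    def approve_internal(self, approver, now):
        if approver == self.engineer:            # requester cannot self-approve
            self._log("internal_approval_denied_self", approver, now)
            return False
        self.approvals.add(approver)
        self._log("internal_approval", approver, now)
        return True

    def approve_customer(self, admin, now, window=timedelta(hours=4)):
        if len(self.approvals) < self.approvers_required:   # ask customer last
            self._log("customer_approval_refused_incomplete", admin, now)
            return False
        self.granted_until = now + window        # time-boxed, not standing access
        self._log("customer_approval", admin, now)
        return True

    def can_access(self, now):
        allowed = self.granted_until is not None and now < self.granted_until
        self._log("access_allowed" if allowed else "access_denied", self.engineer, now)
        return allowed

def lockbox_demo():
    """Walk one constructed request through the lifecycle; returns event names."""
    t0 = datetime(2015, 6, 1, 9, 0, tzinfo=timezone.utc)
    req = AccessRequest("eng@vendor.example", "contoso", approvers_required=2)
    req.can_access(t0)                                  # no grant yet -> denied
    req.approve_internal("eng@vendor.example", t0)      # self-approval -> denied
    req.approve_internal("lead@vendor.example", t0)
    req.approve_customer("admin@contoso.example", t0)   # 1 of 2 approvals -> refused
    req.approve_internal("manager@vendor.example", t0)
    req.approve_customer("admin@contoso.example", t0)   # grant valid for 4 hours
    req.can_access(t0 + timedelta(hours=1))             # inside window -> allowed
    req.can_access(t0 + timedelta(hours=5))             # expired -> denied
    return [entry["event"] for entry in req.audit]
```

The returned audit trail is the kind of record a customer would pull from the Management Activity logs to confirm that no access happened outside an approved window.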
Increased E-Mail Encryption, New API
Microsoft also said it would be providing an Office 365 Management Activity API through which customers and partners will be able to use the logs as security and compliance signals within third-party products that provide monitoring, analysis and data visualization. A private preview of the program will begin this summer, the company said.
Redmond will also be adding e-mail encryption for Office 365, similar to the content encryption tools the company already provides to clients. That includes rights management, S/MIME (secure/multipurpose Internet mail extensions), and per-file encryption for documents on SharePoint Online and OneDrive for Business.
The company said that implementing advanced encryption for e-mail in Office 365 will increase the level of separation between server administration and the data stored in Office 365, creating an additional layer of security. This new layer of content-level encryption will use keys that are protected by hardware security modules. This feature will go into effect by the end of 2015.
Lockbox will be available for Exchange Online by the end of 2015, and for SharePoint Online by the first quarter of 2016. Microsoft said that the service will be available on all Office 365 commercial plans, although users will be required to opt in to the service.