One of the concerns that keeps many companies from adopting software-as-a-service for e-mail and other collaboration services has been the issue of who has control over the security of the content. Today at the RSA Conference, Microsoft is announcing changes to its Office 365 service that will allay some of those concerns, giving customers greater visibility into the security of their applications and control over what happens with them. At the same time, it will potentially be harder for government agencies and law enforcement to secretly subpoena the contents of an organization’s e-mail.
In an interview with Ars, Microsoft’s general manager for Office 365 Julia White outlined the three new features, which are being announced in a blog post from Office 365 team Corporate Vice President Rajesh Jha today. Office 365 will now include a “Customer Lockbox” feature that puts customer organizations in control of when Microsoft employees can gain access to their data, requiring explicit permission from a customer before systems can be accessed to perform any sort of service on their Office 365 services. The capability will be turned on by the end of 2015 for e-mail and for SharePoint by the end of the first quarter of 2016.
“We have automated everything we can to prevent the need for our people having to touch customer data,” White told Ars. “It’s almost zero—there are very rare instances when a Microsoft engineer has to log in to a customers’ services. Now we’re going to, in those rare instances, make customer approval mandatory to do so.” That would also apply to law enforcement requests for access, White acknowledged. “When the customer opts into the Lockbox, all requests would go into that process. So it’s a customer assurance of transparency. We want to systematically look at what kind of control and transparency customers want and provide it to them,” White said.
Microsoft is also extending its file-level encryption of data at rest in Office 365 to Exchange e-mail; previously, only files in SharePoint had file-level encryption. And the implementation of that file-level protection is an intermediate step to Microsoft’s next big security improvement—the ability for customers to provide their own encryption keys for content, to be delivered sometime in 2016. “File-level encryption is the foundation for that capability,” White said. “Ideally, the customer would load their key up to Office 365, but we want to work with customers to see how they want to do it. It’s part of an overall defense in depth approach.”
And while Microsoft has provided Office 365 customers with a variety of activity logging, the company is preparing to release an application programming interface that will allow customers and third-party developers to tap more deeply into management and security event data to both visualize activity and automate workflow for security tasks. The new Office 365 Management Activity API will allow developers to use logs as “security and compliance signals,” White said, that can be pulled into system management tools. Several third-party developers have already built integration hooks for their platforms based on the API, which will be made more widely available in a private preview program this summer.