Office 365™ Security
© 2013 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
Office 365™ Security3
24-Hour Monitored Physical Hardware4
Isolated Customer Data4
Microsoft Security Best Practices5
Security Development Lifecycle5
Traffic Throttling to Prevent Denial of Service Attacks5
Prevent, Detect, and Mitigate Breach5
Enabling Advanced Encryption6
Enabling User Access6
Customer-End Federated Identity and Single Sign-On Security Provisions6 Two-Factor Authentication6
Data Loss Prevention (DLP)7
Auditing and Retention Policies7
Data Spillage Management7
Independent Verification and Compliance8
EU Model Clauses8
Cloud Security Alliance9
The ability for organizations to control and customize security features in cloud-based productivity services, such as email, calendars, content management, collaboration, and unified communications, is becoming an essential requirement for virtually every company. Today, IT teams are being required to deliver access to productivity services and associated documents and data from more devices, platforms, and places than ever before. While user benefits are undeniable, broader access makes security management more challenging. Each endpoint represents a potential attack surface and another point of management for security professionals. At the same time, organizations face ever-evolving threats from around the world and must manage the risk created by their own users accidentally losing or compromising sensitive data. For these reasons, organizations require a cloud service that has both (a) built-in robust security features and (b) a wide variety of customizable security features that organizations can tune to meet their individual requirements. Organizations expanding remote access while maintaining security best practices may find it difficult and expensive to add this combination of security functionality if they deploy productivity services solely on-premises.
Office 365™ Security
Microsoft is an industry leader in cloud security and implements policies and controls on par with or better than on-premises data centers of even the most sophisticated organizations. Office 365 security consists of three parts. First, Office 365 is a security-hardened service that has security features built into the service by default. Office 365 customers benefit from in-depth security features that Microsoft has built into the service as a result of experience gained from two decades of managing online data and significant investment in security infrastructure. Office 365 has implemented and continues to invest and improve processes and technologies to proactively identify and mitigate security threats before they become risks for customers.
Second, Office 365 offers security controls that enable customers to customize their security settings. Office 365 is trusted by customers of all sizes across virtually every industry, including highly regulated industries such as healthcare, finance, education, and government. Since Office 365 manages productivity services for such a wide range of industries and geographies, it offers feature choices that customers can control to enhance the security of their data. Third, Office 365 has scalable security processes that allow for...