Microsoft Office 365 Security Updates Revealed - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Productivity/Collaboration Apps
08:06 AM
Connect Directly

Microsoft Office 365 Security Updates Revealed

New features for Office 365, announced during the RSA Conference 2015 in San Francisco this week, aim to enhance data privacy.

Windows 10: Your PC Is Headed For The Cloud
Windows 10: Your PC Is Headed For The Cloud
(Click image for larger view and slideshow.)

Microsoft Office 365 will receive a range of new features later this year and into 2016 that are aimed at enhancing customer controls and adding transparency in service operations.

The new features were announced by Microsoft during the 2015 RSA Conference, taking place this week at San Francisco's Moscone Center.

Mobile and cloud trends are profoundly influencing how people do their jobs, said Vijay Kumar, Microsoft's senior product marketing manager, in an interview with InformationWeek. Delivering improved service capabilities and customer controls for Office has been a priority, but such changes have to be made with security in mind, he said.

Of its announcements this week, the most significant is Customer Lockbox for Office 365, says Kumar. The new feature will give customers greater control over their data when a Microsoft engineer has to access their private content to solve a problem.   

Office 365 was designed to minimize interaction between Microsoft employees and customer content, so service operations are already mostly automated. The instances during which a Microsoft engineer has to access user content are rare, for instance when there is an issue with mailbox or document content.

[ Wondering what's in store for the next edition of Windows Server? Read: Microsoft Offers Azure Service Fabric For Distributed Apps.]

When such cases arise, Microsoft employees get permission to view customer content through an access control technology called Lockbox. They're given just-in-time access, with limited windows of authorization, and all activities are logged and audited. It's already pretty secure, but Microsoft is taking things up a notch.

Its most recent update will give customers those Lockbox approval rights to grant access permission to Microsoft employees. With Customer Lockbox, Microsoft will not be able to access user content without explicit approval from the customer, who will have the option to reject the request. This capability will be available for Exchange Online by the end of 2015, and for SharePoint Online by Q1 2016.

To boost transparency in service operations, Microsoft has announced a new Management Activity API and preview program for security and compliance monitoring within Office 365. The goal is to provide greater visibility into user and administrative transactions within Office 365.

Its new Management Activity API will grant access to more than 150 transaction types, with activity logs from SharePoint Online, Exchange Online, and Azure Active Directory. Microsoft notes that more Office 365 services will be included in the future. There will also be a consistent schema throughout all activity logs in the service with a common core, and an on/off option for customers to control instrumentation for activity logs.

View of Customer Lockbox. 
(Image: Microsoft)

View of Customer Lockbox.

(Image: Microsoft)

Partners have already started to build solutions using the new API in accordance with a pre-release program. These solutions provide reports, interactive visualizations, and operational dashboards. If you want to test the Management Activity API, a preview program is available.

On the security front, we'll also be seeing more advanced email encryption in the months ahead. Office 365 already has advanced encryption. In 2014, Microsoft boosted its BitLocker drive-level encryption with per-file encryption across OneDrive and SharePoint Online.

The latest plans include adding content-level encryption to email in Office 365, an update that will increase security by further separating server administration and data stored within Office 365. Kumar noted that the new encryption advancements will be available by the end of 2015.

In 2016, the goal is for Microsoft customers to be able to create and control their own content encryption keys. This idea was sparked through customer conversation, which shed light on the different capabilities that would make sense for them and how they could have more control over their information, according to Kumar.

Attend Interop Las Vegas, the leading independent technology conference and expo series, designed to inspire, inform, and connect the world's IT community. In 2015, look for all-new programs, networking opportunities, and classes that will help you set your organization's IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/24/2015 | 9:01:17 PM
Office 365 web email
This is good news. Office 365 web email system is not user friendly at all. This is my personal view for it.
User Rank: Strategist
4/23/2015 | 3:55:04 PM
SAP support has been doing this for over a decade
This may be news for Microsoft, but SAP has had this type of system in place for well over 10 years, only instead of it being in a "cloud", it was SAP's support system connected over the Internet (and private lines like Frame Relay and MPLS) to enteprise customer's systems.  Every access was logged, tracked, and could be audited at any time by customers in near real time.

My question is, why wasn't a support system like this in place years ago for Microsoft's enterprise customers?  Why is it restriced to Office365 today?
User Rank: Ninja
4/22/2015 | 2:57:47 PM
is security the responsibility of the CSP? It should be!
Nice to see some advocacy for upping security controls in these types of services.  Not only will features like Lockbox make it easier to ensure better auditing when it comes to who can access the customer environments when it comes to support, but building in overall encryption for the service is something that many users will be happy about. 

Since Exchange 360 came out, a lot of confusion has been voiced from customers who expect security controls to be in place, and who were still seeing malware and other security risks.  By pushing the responsibility back to Microsoft, and then proactively starting to layer in these controls, we should see better overall adoption, and less confusion about where security responsibilities lie.
How to Create a Successful AI Program
Jessica Davis, Senior Editor, Enterprise Apps,  10/14/2020
Think Like a Chief Innovation Officer and Get Work Done
Joao-Pierre S. Ruth, Senior Writer,  10/13/2020
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Flash Poll