Follow me on Twitter @AntonioMaio2

Wednesday, October 7, 2015

How does Microsoft Protect Our Data in Office365?

I’ve received this question many times over the last year – clients who are considering Office 365 to store their corporate data asking:

How does Microsoft really protect our data as it sits within their data center?

Given the nature of my past security work, this is always a question that I’m happy to share the details about.  I often start by telling people that Microsoft has implemented an extremely robust, multi-layered security strategy for protecting data at rest in Office 365.  That sounds great, but what does that really mean?

Well, specific to SharePoint, OneDrive for Business and other solutions, Microsoft uses a multi-leveled encryption strategy with keys that are rotated (ie. regenerated) on a regular basis.  Actually the strategy is broader than that – it uses a combination of multiple levels of encryption, automatic key rotation, random distribution of data, drive level encryption and data spread across multiple systems each with their own network, OS, malware and physical protection.

In the on premise world, SharePoint data sits within content databases inside SQL Server.  You can certainly configure SSL communication between clients and SharePoint and between SharePoint and SQL to secure data in motion.  You can even enable Transparent Data Encryption (TDE) within SQL to secure your SharePoint data while at rest within the SQL Server database.  However, in the online world how exactly does Microsoft use encryption and other techniques to protect our corporate information?

Let’s look at how the strategy is applied in detail to your content within SharePoint and OneDrive for Business:

  • Files within SharePoint Online and OneDrive for Business are shredded into fragments and each fragment is encrypted with a different key, using AES 256 bit crypto.  When files are modified, each delta is encrypted with a different key.
  • Encrypted fragments are randomly distributed and stored across multiple Azure storage accounts.  These storage accounts are generated on demand and stored in separate systems.
  • The keys used to encrypt fragments are regenerated once per day (key rotation).
  • These keys are themselves encrypted using a master key that is specific to the customer.
  • The master key is stored in a highly secured and monitored “key store” which is completely separate from SharePoint content databases.  The key store is the most secured asset in the Microsoft data center.
  • The keys used to encrypt fragments, which are themselves encrypted with the master key, are stored in the SharePoint & OneDrive content databases along with a map to the fragments.
  • Microsoft also uses BitLocker to encrypt all of the disks on all systems.

So let’s consider scenarios where the data center is attacked:

  • If a content database is attacked, the attacker only gets access to a bunch of keys, which are encrypted and therefore unusable, and a map to the encrypted chunks that are stored in a different system with its own protections (the Azure storage accounts).  
  • If the Azure Storage Accounts are attacked, the attacker only gets access to a bunch of random fragments, which are encrypted… and did I mention that the distribution of those fragments is random.  Even if they could decrypt the fragments, they will not be able to put a file back together due to the random distribution.
  • Again, the key store is the most secure asset in the Microsoft data center.  Even if an attacker could get to the key store and attack it, at most they can get a key.  
  • If the physical environment is attacked, and drives are physically removed and stolen, none of the data on the disk will be accessible due to BitLocker drive encryption.

Keep in mind all of the physical, network level, malware protections and internal procedures which strictly limit access to internal employees in the data center which are also in place.  In addition, Microsoft works every day to improve the security of their Office 365 offering by attacking and defending their own environments:

  • They have a dedicated RED team, which sits outside of the Office 365 environment whose job it is to constantly attack the Office 365 environment looking for vulnerabilities and holes.
  • They have a dedicated BLUE team which sites within the Office 365 environment whose job it is to constantly defend the Office 365 environment looking for ways to better protect our data from would be attackers.

Don’t those sound like the coolest jobs in the world?!

In The Future…

The next thing that Microsoft is working on to further enhance this strategy is to allow customers to bring their own master key, so that even if an insider wanted to access your data or a government request is made to Microsoft to access your data, Microsoft will not be able to retrieve it themselves.

You can find a great video on this topic here:

As well, there was a great session at the Microsoft Ignite conference on this topic here:



  1. Nice post!
    In fact, there are many ways to backup your files. Even manual copies (like saving a copy to a USB drive) are a kind of backup, they just aren’t a very good kind, because you have to do it manually, you have to do it repeatedly, and you have to manage things like deleting and renaming files. A good backup system is as easy as possible (so you’re more likely to use it) but the best backup systems automatically perform incremental backups so you don’t need to think about it or remember to do anything about it once the system is set up.
    Also, if you want to share your secure files you'd better use vdr. online data room providers

  2. Regardless of at what corner of the world you are. With the assistance of ISP (Internet Service Provider) you regularly attempt to get help while various of issues happen. Click here

  3. This includes all of the programs and software currently installed on your computer, settings, etc. Each of these different types of data may be suited for different types of data storage devices depending on your business data structure. Self Storage

  4. Hello there! I could have sworn I've visited this blog before, but after looking at a few of the posts I realized it's new to me. Nonetheless, I'm certainly pleased I found it and I'll be bookmarking it and checking back frequently!
    Click Here: How To Password Protect Folder In Less Than Four Minutes Using These Amazing Tools.

  5. bulk Compound Sulfamethoxazole Injection
    Compound Sulfamethoxazole Injection Wholesale Supplier Factory,Bulk Manufacturer

    The main indications of compound sulfamethoxazole injection are the following infections caused by sensitive strains: 1. Urinary tract infections caused by Escherichia coli, Klebsiella, enterobacter, Proteus mirabilis, Proteus vulgaris and Morganella. 2. Acute otitis media in children over 2 years old caused by Streptococcus pneumoniae or Haemophilus influenzae. 3. Acute attack of adult chronic bronchitis caused by Streptococcus pneumoniae or Haemophilus influenzae. 4. Intestinal infection and Shigella infection caused by sensitive strains of Shigella flexneri or sonnei. 5. This strain is the first choice for the treatment of Pneumocystis carinii pneumonia. 6. The prevention of Pneumocystis carinii pneumonia can be used in patients with at least one episode of Pneumocystis carinii or HIV infected adults, whose CD4 lymphocyte count is less than or equal to 200 / mm or less than 20% of the total lymphocyte count. 7. Diarrhea caused by enterotoxigenic Escherichia coli (ETEC).

  6. As a startup founder, I was looking for a Custom webdesign agency that could help me create a unique online presence. I found exactly what I was looking for with this agency. Their team was attentive, innovative, and willing to listen to my ideas.