Security Advisor
Microsoft Announces New Office 365 Security and Transparency Features
Unveiled at this year's RSA security convention, Customer Lockbox will force any data access by Microsoft to be approved by customers.
Looking to restore some trust in its cloud, Microsoft has announced Customer Lockbox for Office 365, a feature that aims to give enterprises control over what private data stored in Microsoft datacenters can be accessed by the company.
Scott Charney, corporate vice president for Microsoft's Trustworthy Computing, announced the new feature today during an opening keynote at this year's RSA security conference, currently underway in San Francisco, Calif.
"In the very rare instances when a Microsoft engineer needs to log into the Office 365 service to resolve a customer issue, they need to go through multiple levels of approval within Microsoft," said Charney during his on-stage speech. "By the end of this year, we will enable a new Customer Lockbox for Office 365, which brings the customer into the approval loop so that they can approve or reject a Microsoft engineer's request to log into the Office 365 service. Customer Lockbox significantly enhances both transparency and customers' control over their content in Office 365."
In a blog post following up on the announcement, Microsoft said the new privacy control feature will be live in Office 365 for Exchange Online by the end of the year and will arrive for SharePoint Online sometime early in 2016.
How the system works: when a Microsoft employee needs to access a customer's cloud-stored data, a request will be sent to the network administrator, and the access will not proceed until approval is granted. All approvals will be handled through the Office 365 Management Activity logs. Each request will last for 12 hours and, if it goes unanswered, will automatically be denied.
Charney said in a follow-up blog released today that the new feature is a way for Microsoft to bring accountability and trust back to its cloud partners in a post-Snowden and post-PRISM world. "As I stated last year at RSA, we strongly support a more open discussion on current data access policies. It is vital that the industry remains principled in its approach to security, privacy and transparency. But it is also important that we bring to life features and functionality that extend our transparency."
Further looking to harden e-mail security in Office 365, Charney announced that new encryption features will be added to the service. Coming later this year, the new security features will aim at strengthening the file-level encryption for data at rest.
Commenting on the feature, Rajesh Jha, corporate vice president for the Office 365 team, said that in the coming months Microsoft will start rolling out encryption strengthened by its BitLocker service. "Implementing this feature will increase the separation of server administration from the data stored in Office 365, resulting in an added layer of security," said Jha in a blog post. "This new layer of content level encryption uses keys that are protected using hardware security modules certified to FIPS 140-2 Level 2. This new advanced encryption for email will be provided in Office 365 by the end of 2015."
Microsoft rolled out the same level of encryption protection last year in SharePoint Online and OneDrive for Business.
Microsoft also announced that the company is working on an additional privacy feature that, by 2016, will allow Office 365 customers to fully control their encryption keys.