Office 365 Security

Your people and your Customer Data are your most important assets and so, as you consider Office 365 operated by 21Vianet for your productivity needs, we want to do our best to answer your top questions upfront. The 21Vianet Trust Center is the place where we share our commitments and information on trust-related topics.

Office 365 is a cloud-based service designed to help meet your organization’s needs for robust security, reliability, and user productivity, help save time and money, and free up valuable resources.Through cutting-edge security practices and years of online service experience, the security technologies used in Office 365 operated by 21Vianet deliver the robust security you deserve.

As an Office 365 customer, when you move your organization to cloud services, you must be able to trust your service provider with your most important, sensitive, and confidential data. Because security is paramount for business success, 21Vianet has robust policies, controls, and systems built into Office 365 to help keep your information safe. Office 365 is designed on the principles of the Security Development Lifecycle, a mandatory Microsoft process that embeds security requirements into every phase of development. Meanwhileyou benefit from the Microsoft technologies that we have licensed to deliver the Services. These technologies represent over a decade of investments and deep experience in providing security for online data.

The Services include security features that are scalable and combine 21Vianet’s learnings in different geographies and industry verticals. The built-in security features safeguard Customer Data from the time it is stored to the time it reaches user devices.

At the service level, Office 365 uses the defense-in-depth approach to provide physical, logical, and data layers of security features, and 21Vianet uses operational best practices to provide the service. In addition, Office 365 gives you enterprise-grade, user and admin controls to further secure your environment.

Your Office 365 Customer Data belongs to you; that means you have complete control of it. We give you extensive privacy controls and visibility into where your Customer Data resides and who has access to it, as well as availability and changes to the service. If you end your subscription to the service, you can take your Customer Data with you. 21Vianet-managed service-level security technologies and policies are enabled by default, and customer-managed controls enable you to customize your Office 365 environment to fit your organization’s security needs. Office 365 is continuously updated to enhance security.

Get an overview of Office 365

Office 365 uses Azure Active Directory (Azure AD) to manage users and to provide authentication, identity management, and access control. Azure AD capabilities include a cloud-based store for directory data and a core set of identity services, such as user logon processes, authentication services, and federation services. These identity services easily integrate with your on-premises Azure AD deployments and fully support third-party identity providers.

Office 365 uses Multi-Factor Authentication, managed from the Office 365 admin center, to help provide extra security. Office 365 offers the following subset of Azure Multi-Factor Authentication capabilities as a part of the subscription:

  • Ability to enable and enforce Multi-Factor Authentication for end users
  • Use of a mobile app (online and one-time password) as a second authentication factor
  • Use of a phone call as a second authentication factor
  • Use of a Short Message Service (SMS) message as a second authentication factor
  • Application passwords for non-browser clients (for example, the Skype for Business client software)
  • Default 21Vianet greetings during authentication phone calls

Office 365 operated by 21Vianet uses defense-in-depth security principles to protect against internal and external risks. This enables Office 365 to detect and defend against attacks across a very large surface area.

Physical security

  • 24-hour monitored physical datacenters.
  • Multi-factor authentication, including biometric scanning for datacenter access.
  • Segregation of the internal datacenter network from the external network, plus encryption of Customer Data transmitted across the networks.
  • Role separation renders location of specific Customer Data unintelligible to the personnel that have physical access.
  • Faulty drives and hardware are demagnetized and destroyed.

Logical security

  • Lockbox processes for strictly supervised escalation process greatly limits human access to your Customer Data.
  • Servers run only processes of authentication, minimizing risk from malicious code.
  • Dedicated threat management teams proactively anticipate, prevent, and mitigate malicious access.
  • The anti-malware and anti-spam features are advanced yet easy to use and customize by administrators.
  • Applications built using Microsoft’s Security Development Lifecycle, which ensures that security and privacy are incorporated by design.
  • The security controls based on Microsoft technologies give you options to customize your security features depending on your specific needs.

Data security

  • Logical isolation of Customer Data between tenants.
  • Threat management, security monitoring, and file/data integrity prevents or detects any tampering of Customer Data.

Admin and user controls

  • Multi-factor authentication protects access to the service with a second factor such as phone.
  • S/MIME provides secure certificate-based email access.
  • Office 365 Message Encryption allows you to send encrypted email.
  • Data loss prevention prevents sensitive data from leaking either inside or outside the organization.
  • Administrative access to Office 365, controlled by a role-based access control (RBAC) process.
  • Identity systems and services such as Windows Active Directory, Azure Active Directory, and Active Directory Federation Services can be enabled for highly secure access to Office 365.
  • Features like legal hold, governance, and archiving allow administrators to place a hold on sensitive data for legal and archiving purposes.

Data encryption

Office 365 uses service-side technologies that encrypt customer data at rest and in transit. For customer data at rest, Office 365 uses volume-level and file-level encryption. For customer data in transit, Office 365 uses multiple encryption technologies for communications between datacenters and between clients and servers, such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec). Office 365 also includes customer-managed encryption features. Customer Data stored within Office 365 is protected in all configurations. Validation of cryptographic policy and its enforcement is independently verified through multiple third-party auditors.

Maintaining security in multitenant architecture

Multitenancy is a primary benefit of cloud computing. This is the ability to share common infrastructure across numerous customers simultaneously, leading to economies of scale. 21Vianet continuously works to ensure that the multitenant architecture of Office 365 supports enterprise-level security, confidentiality, privacy, integrity, and availability standards. Based upon the significant experience gathered from Trustworthy Computing and the Security Development Lifecycle, Microsoft cloud services, including Office 365, were designed with the assumption that all tenants are potentially hostile to all other tenants. Thus, multiple forms of protection have been implemented throughout Office 365 to prevent customers from compromising Office 365 services or applications, or gaining unauthorized access to the information of other tenants or the Office 365 system itself.

How 21Vianet accesses your data

21Vianet automates most Office 365 operations, while intentionally limiting its own access to customer content. This enables us to manage Office 365 at scale, and address the risks of internal threats to customer content such as a malicious actor or the spear-phishing of a 21Vianet engineer. By default, 21Vianet engineers have no standing administrative privileges and no standing access to customer content in Office 365. A 21Vianet engineer may have limited, audited, secured access to a customer’s content for a limited amount of time, but only when necessary for service operations and only when approved by a member of senior management at 21Vianet (and, for customers who are licensed for the Customer Lockbox feature, by the customer).

How you access your data

In addition to the controls implemented by 21Vianet, Office 365 allows you to manage your own data in much the same way you manage data in on-premises environments. The admin has access to all features in the admin centers, and can create or edit users, perform administrative tasks, and assign admin roles to others. You can also control how users access information from specific devices or specific locations, or a combination of both.