Microsoft has the broadest set of tools for real-time communications

1. Microsoft offers both a consumer and an enterprise-grade service.

Microsoft offers both consumer-grade and enterprise-class services to our customers. With over 300 million connected users, Skype has one of the largest communities on the planet. Microsoft also offers Lync Online as part of Office 365, and it is a communication service that responds to the security, compliance, and communication needs of large organizations. Skype and Lync connect to each other — so users on Skype can call users on Lync and vice-versa.

Google offers a single consumer-grade communication service that lacks enterprise features that many businesses require. From its marketing to its feature set, Hangouts was designed with consumers in mind, not businesses. When the new Hangouts service was announced at Google I/O in May, Google Apps for Businesses wasn’t even mentioned. The focus was on how Hangouts connects you “with the people you love” — not the people with whom you do business. The scenario that exemplifies the value of Hangouts is a wedding engagement announcement, not team collaboration or better business meetings. The most discussed features in Hangouts are easy photo sharing and emoticons (“emoji”) that “make conversations more fun.” Paired with features like Google Effects, which lets you add animated pirate hats and snorkeling masks to your face during video conferences, Google’s focus is clearly not the business experience with Google Apps.

By contrast, Office 365 and Lync Online were designed from the ground up with a focus on what enterprises expect from their unified communications platform. Employees get a rich set of business-appropriate features, such as presenting directly from PowerPoint into a Lync meeting, sharing robust meeting notes in OneNote with meeting details automatically populated by Lync, sharing specific applications, whiteboarding, and choosing an optimal arrangement of meeting participants and content. Organizations benefit from the robustness of capabilities such as administration with Active Directory, archiving and compliance tools, integration with Microsoft Office, extensibility from public APIs based on industry-standard technology, and interoperability with other systems and devices (from headsets to Lync Room Systems).

2. Microsoft provides the best support and security options.

Office 365 provides 24/7 technical support and the added benefits of a 99.9% financially backed uptime guarantee for all of its services, including Lync. A customer using Lync Online and Office 365 can take advantage of a broad range of support options, starting from the basic one-by-one incident support, to comprehensive and ongoing support through Microsoft Premier Support programs. This enables customers to trust Microsoft to be there and help when something needs troubleshooting or fixing.

On the other hand, Hangouts is a feature in Google+, and Google+ is not a core service of Google Apps — it is considered an additional service. That means Hangouts is not supported under Google’s Technical Support Services Guidelines, and it is not covered by any support or service level agreement. What if you have a problem with Hangouts? You only get to check Google’s web help center or help forums. What if you have a favorite communications feature you like to use in a certain way? Google might change your experience without warning and force you to use it differently.

Beyond just Google’s planned changes, what if Hangouts has an outage? Hangouts is not on the Google Apps Status Dashboard so your organization doesn’t have visibility into the issue. And since Hangouts is not protected as part of the SLA, Google doesn’t have a financial responsibility to get you back online quickly, nor an obligation to compensate you for downtime with service credits. You just don’t know what will happen, whether on purpose or unintentional, with the Hangouts service.

3. Microsoft lets you talk to the broadest set of users on the planet.

Sometimes in the course of doing business, your enterprise’s partners, vendors, and customers don’t have the same infrastructure as you do. Office 365 and Lync allow you to connect with Lync users inside and outside of your company whether they have Lync installed or not. You can also include anybody with an HTML5 browser in the rich Lync meeting experience (including group video and content sharing). And as mentioned earlier, any Lync user can connect with the over 300 million connected Skype users as well. Imagine the possibilities: collaborating on a joint marketing plan with a partner. Conducting status calls with a small business vendor you’re working with. Explaining your medical diagnosis to a patient and discussing their case.  Or simply getting in touch with your family while you’re on a business trip. Office 365 and Lync let you collaborate naturally, seamlessly across borders, with more options.

If you use Google Apps for Business, Hangouts only lets you collaborate with other users who also have Hangouts. And you only get the premium Hangouts web experience if you use the Chrome Browser.

4. Microsoft has a more comprehensive feature set.

While Hangouts On Air allows public audiences to watch a Hangout via YouTube, only up to 15 people can actually participate in the video chat itself and have the full Hangouts collaborative experience. Everybody else is just a viewer. But we know that in many enterprises, teams are larger than 15 people, and more than 15 people need to collaborate on content in real time with each other. That is the true power of real time communications with the cloud. Office 365 and Lync support fully participatory experiences for 250 people in virtual meetings. Everybody — not just a small handful of people — gets the full power of interactive presentations, content sharing, instant messaging, voice, and video. That means everybody can speak up in that weekly status meeting, or comment on those latest product designs, or ask questions about that graph in a business report. Office 365 and Lync don’t just make you watch a broadcast — you can be in the “studio” itself.

5. Microsoft has robust security and compliance.

Organizations often wish to enforce policies for collaborating with and sending information outside the company. That is why with Office 365 and Lync, not only can you turn off Lync-Skype connectivity if you wish, but all Lync instant message conversations can be archived to Exchange regardless of user behavior. Office 365 lets IT enforce its policies to help keep the organization safe and secure.

However, if you’re using Google Hangouts, “there is no setting that prevents Hangouts with users outside your domain [and] Hangouts does not yet support warnings informing users that they’re messaging outside of the domain.” That means with Hangouts, IT must rely upon users to check and abide by company policy for external communication. But, as we’ve seen with a similar lack of enforcement capabilities for Google+ posts, employees sometimes make mistakes with external communication. This can be risky for organizations, and that’s why IT should be able to enforce external collaboration policies. But with Hangouts, you can’t.

What if your company wants to archive all instant message conversations? Sorry, with Hangouts, users can still communicate off the record by turning off message history. So much for compliance. And speaking of compliance, the new Hangouts is not compatible with Vault. So organizations face a costly tradeoff and have to give up Vault’s email archiving and e-discovery capabilities in order to get the new Hangouts.

Microsoft’s approach — from the living room to the boardroom.

We at Microsoft offer the best of both worlds — communications products that serve consumers, small businesses of all sizes, and enterprises. We believe people are users both at home and at work, so we believe in providing solutions that scale to the needs and requirements of both the living room and the boardroom, not just building a single product for both. Our business product, Lync Online with Office 365, provides the features, seamless integration, management capabilities, and robustness that enterprises expect when it comes to business productivity. We are excited for you to give Lync a try in your enterprise so you can collaborate effectively with a product designed with your business needs in mind.

What’s new in Office 365 Groups for April 2017

With over 85-million monthly Office 365 users, there’s no such thing as a typical customer. That’s why we built Office to embrace the diverse needs of the modern workplace by giving teams their choice of tools. Even within a single organization, different teams often have different demands for the productivity tools they use every day. What’s unique about Office 365 is the ability to deliver tools that meet these diverse needs—all on a single, manageable platform.

Supporting these teams is Office 365 Groups, a membership service leveraged by millions of users, which helps teams collaborate in their app of choice, including: Outlook, SharePoint, Skype for Business, Planner, Yammer, OneNote and Microsoft Teams. Office 365 Groups helps to structure, format and store information in a way that is accessible across different applications, but remains secure and easily manageable.

Enhancements to help admins manage groups

A key benefit of Office Setup 365 Groups is that any user in your organization can create a group and start collaborating with others in seconds. Self-service creation is great for users, but we know IT admins need to be able to easily manage groups, gain insight into their use, control their directories and ensure compliance of group data. Today, we are announcing new enhancements for administering Office 365 Groups to support these needs:

  • Restore deleted groups—If you deleted an Office 365 group, it’s now retained by default for a period of 30 days. Within that period, you can restore the group and its associated apps and data via a new PowerShell cmdlet.
  • Retention policies—Manage group content produced by setting up retention policies to keep what you want and get rid of what you don’t need. Admins can now create Office 365 Groups retention policies that apply to the group’s shared inbox and files in one step using the Office 365 Security & Compliance Center.
  • Label management—With labels, you can classify Office 365 Groups emails and documents across your organization for governance, and enforce retention rules based on that classification.

This adds to our broad set of group management tools recently rolled out to Office 365 customers:

  • Guest access—Guest access in Office 365 Groups enables you and your team to collaborate with people from outside your organization by granting them access to group conversations, files, calendar invitations and the group notebook.
  • Upgrade Distribution Groups to Office 365 Groups—The Exchange Admin Center now offers an option to upgrade eligible Distribution Groups to Office 365 Groups with one click.
  • Data classification*—You can create a customizable data classification system for Office 365 Groups, such as unclassified, corporate confidential or top secret.
  • Usage guidelines*—You can define usage guidelines for Office 365 Groups—to educate your users about best practices that help keep their groups effective, and educate them on internal content policies.
  • Azure AD Connect*— Enables group writeback to your Active Directory to support on-premises Exchange mailboxes. See “Configure Office 365 Groups with on-premises Exchange” for more information.
  • Dynamic membership*—Admins can define groups with rule-based memberships using the Azure Management Portal or via PowerShell. Group membership is usually updated within minutes as users’ properties change. This allows easy management of larger groups or the creation of groups that always reflect the organization’s structure.
  • Hidden membership—If you want group membership to be confidential (for example, if the members are students), you can hide the Office 365 group members from users who aren’t members of the group.
  • Creation policies—There may be some people in your organization that you don’t want to be able to create new groups. There are several techniques for managing creation permissions in your directory.
  • Setup Microsoft Office 365 Groups activity report—These reports includes group properties, messages received and group mailboxes storage over time. Note you can also leverage the SharePoint site usage report to track groups’ file storage.

A look at upcoming features

Because Office 365 is a subscription service, we’re able to continue improving the admin capabilities based on customer feedback. Here’s a look at some of the enhancements on our Roadmap for the next three months:

  • Expiry policy*—Soon, you will be able to set a policy that automatically deletes a group and all its associated apps after a specific period. The group owner(s) will receive an email notification prior to the expiration date, and they will be able to extend the expiration date if the group is still in use. Once the expiration date is reached, the group will be soft deleted for 30 days (and hence can be restored by an administrator if needed).
  • Azure AD naming policy*—Admins will be able to configure a policy for appending text to the beginning or end of a group’s name and email address no matter where the group is created, such as Outlook, Planner, Power BI, etc. Admins will be able to configure a list of specific blocked words that can’t be used in group names and rely on the native list of thousands of blocked words to keep their directories clean.
  • Default classification and classification description—Will enable admins to set default Office 365 Groups classification at the tenant level using PowerShell cmdlets. In addition, admins will be able to provide a description for each of the defined classifications.
  • Classification is available when creating or modifying a group across apps—Selecting a group classification will be available when creating or editing a group across the following Office 365 applications: Outlook, SharePoint, Teams, Planner, Yammer and StaffHub.

Introducing Groups in Outlook for Mac, iOS and Android

More than 10 million people rely on Groups in Outlook every month to work together and get things done. Groups is proving useful to our customers. And for that, we couldn’t be more thankful. Groups in Outlook offers huge improvements over traditional distribution lists, with a shared space for group conversations, calendars, files and notebooks, the convenience of self-service membership and much more.

Today, we’re pleased to announce Groups is now rolling out to Outlook for Mac, iOS and Android. Groups is already available in Outlook for Windows and on the web—so now you can access your group conversations and content no matter which platform you use.

With these updates, you can:

  • View your group list.
  • Read and reply to group conversations.
  • Add group events to your personal calendar.
  • View unread messages sent to the group.
  • View group details within the group card (Outlook for iOS and Android only).

There is more to come as we continue to work on making Groups better in response to your input, so stay tuned.

Recently released updates for Groups in Outlook

In addition to bringing groups to more Outlook apps, we’ve released several new features for Groups in Outlook on other platforms, too.

Give guest access—Last fall, we updated Outlook on the web to give you the ability to set up guest access for people outside your organization, set group classification as defined by Office 365 admins, and view usage guidelines. Now, these same capabilities are available in Outlook for Windows.

Invite people to join—One of our most requested improvements was an easier way to invite multiple people to join a group. We’ve released the Invite to join feature to Outlook on the web, which lets you create invitation links and share them with others via email or other channels, giving them a quick way to join the group.

Multi-delete conversations—Group owners can now multi-select conversations and delete them from the group conversations space in Outlook for Windows.

Send email as a groupOffice Setup 365 admins can grant send-as and send-on-behalf-of permissions to members of a group using the Exchange admin center. Group members who have these permissions can then send emails as the group, or on behalf of the group, from Outlook for Windows and Outlook on the web.

What’s next

We’re always listening to your feedback as we deliver new Groups capabilities to Outlook. Here are a few of your key requests we are going to tackle next:

  • Add appointments to a group calendar in Outlook for Windows—When adding an event to a group calendar, you will have the option to do so without sending an invite to everyone in the group.
  • Addition of Mail Contacts as guests—You will be able to easily add Mail Contacts in your company’s directory as a guest in a group.

Thanks for the feedback, and please keep it coming via our UserVoice site.

—The Outlook team

 

Frequently asked questions

Q. Now that Groups support is being added to Outlook for iOS and Android, what happens to the standalone Outlook Groups app?

A. Customers gave us feedback that they wanted Groups available directly in Outlook for iOS and Android. The Outlook Groups app will still be available while we continue to enhance Groups experiences in Outlook, such as adding support for group files, calendar and notebooks.

Q. Why am I not seeing Groups yet?

A. Groups is rolling out to Outlook for Mac, iOS and Android and will be available for eligible users in the coming weeks. Even if you are using the latest build of Outlook for Mac, iOS and Android, Groups will only be available to those who have joined or been added to a group. Once we add the ability to create and join groups on Mac, iOS and Android, every Office 365 user will see Groups in Outlook.

Q. Is Groups available to Outlook.com users?

A. Groups is for commercial users of Office 365 and is not available for Outlook.com.

Q. Why am I not seeing all my groups in Outlook for Mac?

A. Outlook for Mac currently shows the top 10 most active groups in Outlook for Mac. We’re working on making all groups visible in a future update.

Q. What about Outlook for Windows 10 Mobile?

A. We’re working on the best way to integrate Groups in Outlook for Windows 10 Mobile. In the meantime, the Outlook Groups app for Windows 10 Mobile helps customers stay on top of all group activities, including conversations, files, calendar and notebook.

Q. Where can I find more about managing Groups in Outlook for my organization?

A. If you are responsible for managing and supporting Outlook for your company, take a look at our IT pro documentation and check out our recently released improvements for administering Groups.

Q. What is coming next for Groups?

A. Stay tuned to the Setup Microsoft Office 365 Roadmap to see what is on the way.

Announcing general availability of Office 365 from local datacenters in South Korea

Today, as part of our deep and continued commitment to make Office Setup 365 the most trusted cloud service for productivity, we are announcing the general availability of Office 365 from our new cloud datacenters in Seoul and Busan, South Korea. We are pleased to be the first global cloud productivity provider offering customer data residency in South Korea.

Since October 2014, we have expanded our global cloud footprint and opened new datacenter regions in Japan, Australia, India, Canada, U.K. and now South Korea. In addition to the same highly secured productivity capabilities already enjoyed by Office 365 customers all over the world, these new datacenter regions add local data residency, failover and disaster recovery to help effectively address the legal and regulatory needs of customers in industries like banking, public sector and healthcare.

To learn more about Office 365 and our security and compliance capabilities, please visit our website and the Office 365 Trust Center. To easily access Microsoft Cloud audit reports, security assessments and technical white papers, please visit our Service Trust Preview webpage.

Advice to help prevent data breaches at your company

A data breach can be your worst nightmare. Not only could it be disastrous for your company’s brand, it could lead to significant revenue losses and regulatory fines. Office.com/Setup

Watch the latest Modern Workplace episode, “Cyber Intelligence: Help Prevent a Breach,” to get advice on how to best approach cyber security at your company from two chief information security officers (CISO)—Vanessa Pegueros, CISO at DocuSign, and Mike Convertino, CISO at F5 Networks. Learn how these seasoned security executives make decisions on security spending and how they justify security investments to skeptical executives who may not have ever experienced a security breach.

Every company has cyber security risks and needs to be aware of them—but understanding your company’s risk profile is just the beginning. You also need to know what you are trying to protect. As Convertino explains, “The value proposition of the company needs to be the thing that you base your protections and recommendations on.” When you have a clear goal for security, it becomes easier to demonstrate the value of your security investments in tools and talent.

You’ll also see a preview of the protection available from Office 365 Threat Intelligence, which lets you monitor and protect against risks before they hit your organization. Using Microsoft’s global presence to provide insight into real-time security threats, Threat Intelligence enables you to quickly and effectively set up alerts, dynamic policies and security solutions for potential threats.

Thanks for one notable decade

This month OneNote celebrates 10 years of helping users capture notes at home, school, work and anywhere in between. In that time, OneNote has grown and added features for managing everything from recipe collections, to class notes, to projects and events–across phones and tablets, as well as the PC.

Here are just a few stories that highlight the amazing things people are doing with OneNote.

Writing The Conjuring : The Hayes Brothers

Screenwriting twins, Chad and Carey Hayes, wrote this summer’s blockbuster horror film The Conjuring, using OneNote. Using tablets and inking, the Hayes brothers were able to develop the killer script. See how OneNote made The Conjuring a success, and why the Hayes twins can’t imagine working without it.

Calling the plays: Joe Block

Milwaukee pro baseball announcer, Joe Block, uses OneNote to keep track of 750 players over 162 games every season. See how Joe keeps tabs on stats, player information, and fun facts in OneNote so he’s able access them in a moment’s notice, and call the perfect game.

Planning a wedding: Ambir and George

Wedding planning can be stressful under normal circumstances, but add 300 miles between any recently engaged couple, and you’ve got a whole different challenge. See how Ambir and George were able to overcome distance to plan the wedding of their dreams.

We’d love to hear how you use OneNote at home, school, or work or anywhere in between. Share your OneNote story with us in the comments below, and who knows; maybe you’ll be the focus of our next OneNote video profile.

Office 365 compliance controls: Data Loss Prevention

When was the last time you asked your employees to carry your company’s handbook containing all the company policies with them? Do your IT workers know whether a particular email message they’re sending may violate company policy and run the risk of being noncompliant? Are they sure whether an email they’re sending contains sensitive information? Almost every IT worker faces compliance questions like these daily. Learn how you can help your IT workers achieve compliance without disrupting their normal routine or yours.

A recent blog post laid out the two dimensions of Office 365 security, compliance, and privacy: built-in capabilities and customer controls. This post focuses on a key feature under customer controls in compliance: data loss prevention (DLP).

DLP Policy Tips inform your workers in real time

With the new DLP Policy Tips in Office 365, admins can inform email senders that they may be about to pass along sensitive information that is detected by the company’s policies-before they click Send. This helps your organization stay compliant and it educates your employees about custom scenarios based on your organization’s requirements. It accomplishes this by emphasizing in-context policy evaluation. Policy Tips not only analyzes email messages for sensitive content but also determines whether information is sensitive in the context of communication. That means you can target specific scenarios that you associate with risk, external communication for example, and configure custom policy tips for those scenarios. Reading those custom policy tips in email messages keeps your workers aware of your organization’s compliance policies and empowers them to act on them, without interrupting their work.

DLP Policy Tips is supported only in Outlook 2013, but even if your users don’t have the latest version of Outlook, you are still protected from disclosing sensitive data through back-end processing. Admins can configure rules and take actions by setting up DLP rules in the Exchange Administration Center (EAC). This ensures that a single DLP policy controls both the client and server endpoints, minimizing the admin administrative overhead.

How do Policy Tips work? Consider a real-life scenario. Contossoplay is a company that has an internal policy to warn its employees any time they include sensitive information like a credit card number in email communications. Sara Davis is a Contossoplay employee composing an email to Dan, who works outside her organization. She includes credit card information in the mail, and immediately a DLP policy tip shows up in the message in Outlook.

When you include sensitive information in an email message, a DLP policy tip alerts you before you send the message.

At this point Sarah can decide to: send the email message with the credit card information, send the message with the credit card information and click Report to report a false positive, or delete the credit card information before sending the message. If she’s unsure what to do, she can click Learn more to understand her company’s policy, which her admin may have customized.

Let’s  look at another scenario. Contossoplay has recently set up a policy that blocks emails containing multiple credit cards or that need to be overridden with a business justification. Sara starts an email message to book the travel for multiple employees in the company and attaches a document that includes the personal credit card information of the employees. A different policy tip shows up, highlighting the new compliance requirement. In Outlook 2013, the attachment that is the cause of concern is also highlighted, making it easy for her to locate the information being questioned.

 

A custom DLP policy tip alerts you about an attachment that may contain high-count sensitive information.

As these two scenarios show, data loss prevention empowers end users, making them part of the organization’s compliance process and ensuring that the business flow is not interrupted or delayed, because achieving compliance does not get in users’ way. At the same time, data loss prevention simplifies compliance management for admins, because it enables them to maintain control easily through the Exchange Administration Center in the Office 365 admin portal.

Policy Tips are similar to MailTips, and you can configure them to present a brief note in Outlook 2013 that provides information about your business policies to the person creating a message. You can configure policy tips that will merely warn workers, block their messages, or even allow them to override your block with a justification. Policy tips can also be useful for fine-tuning your DLP policy effectiveness, because they allow end users to easily report false positives. If policy tips are not available to a user in Outlook, admins can still control compliance behavior by setting up rules in the Exchange Administration Center. For example, admins can set up an action to generate incident reports if a particular DLP event occurs. Such incident reports can help tracks events in real time, because a report is generated in real time and sent to a designated mailbox, such as the mailbox for incident manager account. The figure below shows a sample incident report.

You can generate incident reports for specific DLP events in Office 365.

What does data loss prevention in Office 365 offer?

Data loss prevention in in Office 365 helps you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is increasingly important for enterprise message systems, because business-critical email often includes sensitive data that needs to be protected. Worrying about whether financial information, personally identifiable information (PII), or intellectual property data might be accidently sent to unauthorized users can keep a Chief Security Officer (CSO) up all night. Now you can protect sensitive data more easily than ever before, without affecting worker productivity. Admins can easily set up compliance management in email using the Exchange Administration Center (EAC) in the Office 365 admin portal. In the EAC, you can:

  • Start with a preconfigured policy template that can help you detect specific types of sensitive information such as PCI-DSS data, Gramm-Leach-Bliley act data, or even locale-specific personally identifiable information (PII).
  • Use the full power of existing transport rule predicates and actions and add new transport rules.
  • Test the effectiveness of your DLP policies before fully enforcing them by running the rule in the Test mode.
  • Incorporate your own custom DLP policy templates and sensitive information types.
  • Detect sensitive information in message attachments, body text, or subject lines and adjust the confidence level at which Exchange takes action.
  • Add policy tips, which can help contextually educate your end users by displaying a policy tip in Outlook. This can also enable users to provide feedback via false-positive reporting.
  • Review incident data in message-tracking logs or add reporting by using a new generate-incident report action.
  • Look at the different DLP reports in the Office 365 admin center to drive compliance adoption in the organization.

 

How do I get started with data loss prevention?

Using the Microsoft-supplied DLP policy templates is an easy way to get started. DLP policies are packages of transport rules with new features that you can customize. These rules include classification types that define the type of content you are looking for in the DLP policy. You can use the Exchange management shell, the Exchange Administration Center (EAC), or even your own XML file editor to start incorporating DLP policies into your messaging environment. The screenshot below shows the data loss prevention management interface within EAC.

You can manage DLP from the Exchange Administration Center in the Office 365 admin portal.

DLP is accomplished through what is called “transport rules” in Exchange. The new transport rules include a significant new approach to detecting sensitive information that can be incorporated into mail flow processing. This new DLP feature performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, internal functions such as validate checksum on credit card numbers, and other content examination to detect specific content types within the message body or attachments. Here is a screenshot for the policy tip rule that triggered the policy tip above in the second screenshot.

You can configure policy tip rules to trigger specific alerts about sensitive content in email.

 

How do I establish policies that protect  sensitive data?

You can start using DLP in one of these three ways:

  1. Apply an out-of-the-box template supplied by Microsoft. The quickest way to start using DLP policies is to create and implement a new policy using a template. This saves you the effort of building a new set of rules from scratch.
  2. Import a prebuilt policy file from outside your organization. You can import policy templates that have already been created outside of your messaging environment by independent software vendors. In this way you can extend the DLP solution to suit your business requirements.
  3. Create a custom policy without any preexisting conditions. Your enterprise may have its own requirements for monitoring certain types of data known to exist within a messaging system. You can create a custom DLP policy to check and act on your own unique message data.

California and Microsoft Sign CJIS Security Policy Agreement

As more and more state and local governments are looking to centralize and adopt cloud productivity solutions across their various agencies, including law enforcement, the need to meet unique requirements like the FBI Criminal Justice Information Systems (CJIS) Security Policy become increasingly important. CJIS stands for Criminal Justice Information System. The CJIS Division of the Federal Bureau of Investigation operates systems that provide state, local, and federal law enforcement and criminal justice agencies throughout the United States with access to critical criminal justice information including, personal information such as fingerprint records, criminal histories, and sex offender registrations.

A key requirement law enforcement agencies will place on their cloud service provider is signing the CJIS Security Addendum.  By signing the CJIS Security Addendum, the cloud service provider agrees to comply with the security policies required by the FBI. California Department of Justice (CA DOJ) recently determined that Microsoft Office 365 has implemented technologies and processes that will enable the agencies that use it to meet the latest FBI CJIS Security Policy requirements (CJIS Security Policy version 5.2). This means that government customers in the State of California such as City of San Diego, City of San Jose, City of Oakland, Santa Clara County, and San Mateo County can now have their law enforcement agencies use Office 365 as their cloud productivity solution and comply with CJIS. California becomes the fourth state after Texas, Illinois and New York where Microsoft has signed the CJIS Security addendum.

We are committed to investing in technology, processes and partnerships to win our customers’ trust and help them comply with an evolving set of US and international standards which includes but isn’t limited to ISO 27001, HIPAA, FISMA/FedRAMP, FERPA and EU Model Clauses.

Cloud Services you can trust: Security, Compliance, and Privacy in Office 365

When you make a decision to place your trust in a cloud services provider for productivity services, security, compliance, and privacy are top of mind. With over a billion customers on Office and decades of experience running online services, we understand what it takes to earn and continue to maintain your trust and confidence in Office 365.

Our construct for security, compliance, and privacy in Office 365 has two equally important dimensions: Built-in capabilities that include service-wide technical capabilities, operational procedures, and policies that are enabled by default for customers using the service; and Customer controls that include features that enable you to customize the Office 365 environment based on the specific needs of your organization.

We will look at Built-in capabilities and Customer controls for each of the key pillars of trust – Security, Compliance, and Privacy – in more detail below.

Security

Security of our customers’ information is a key trust principle. We implement policies and controls to safeguard customer data in the cloud and provide unique customer controls that you can use to customize your organizational environment in Office 365.

Built-in capabilities

As an Office 365 customer, you will benefit directly from in-depth security features that we have built into the service as a result of experience gained from years of building enterprise-grade software, managing a number of online services and billions of dollars in security investments. We have implemented technologies and processes that are independently verified to ensure high security of customer data.

Some key aspects of our built-in security capabilities are:

  • Physical security – We monitor our data centers 24/7 and we have technologies and processes to protect our data centers from unauthorized access or natural disasters
  • Security best practices -We use best practices in design like Secure Development Lifecycle and operations like defense-in-depth to keep your data secure in our data centers
  • Data encryption – Every customers’ email content is encrypted at rest using BitLocker Advanced Encryption Standard (AES) encryption
  • Secure network layer – Our networks are segmented, providing physical separation of critical back-end servers from the public-facing interfaces at the same time our Edge router security detects intrusions and signs of vulnerability
  • Automated operations like Lock Box processes – Access to the IT systems that store customer data is strictly controlled via lock box processes. This access control mechanism is similar to a system where two people have to turn the key for an action to be allowed.

Customer controls

As a result of Office 365 offering productivity services to a wide range of industries, we have built both features and choices that you can control to enhance the security of data based on the needs of your organization.

Some key aspects of our customer controls for security are:

  • Exchange Hosted Encryption – Enables delivery of confidential business communications safely, letting users send and receive encrypted email directly from their desktops as easily as regular email.
  • S/MIME – Enables encryption of an email messages and allows for the originator to digitally sign the message to protect the integrity and origin of the message. As part of our continued investment in security technologies that Government and Security conscious customers care about, we are adding support for S/MIME for Office 365 in the first quarter of Calendar Year 2014.
  • Rights Management Services – Enables a user to encrypt information using 128-bit AES and use policies on email or documents so that the content is appropriately used by specified people.
  • Role based access control – Allows administrators to enable access to authorized users based on role assignment, role authorization and permission authorization.
  • Exchange Online Protection – Allows administrators to manage your company’s Anti-virus and Anti-spam settings from within the Office 365 administration console.
  • Identity Management – Provides organizations with various options for identity management such as cloud based identity, identities mastered on-premises with secure token based authentication or hashed passwords to integrate into the Office 365 identity management system based on the security needs of your organization.
  • Two factor Authentication – Enhances security in a multi-device, mobile, and cloud-centric world by using a second factor, such as a PIN, in addition to the primary factor which is identity.

Compliance

Another key principle of Office 365 trust is Compliance.  It is expected that commercial organizations have regulations and policies that they must comply with to operate businesses in various industries. These policies can be a mix of external regulatory requirements that vary depending on industry and geographical location of the organization and internal company-based policies.  Office 365 provides built-in capabilities and customer controls to help customers meet both various industry regulations and internal compliance requirements.

Built-in capabilities

Office 365 stays up-to-date with many of today’s ever-evolving standards and regulations, giving customers greater confidence.  To bolster this and to continue earning your confidence, we undergo third-party audits by internationally recognized auditors as an independent validation that we comply with our policies and procedures for security, compliance and privacy.

Some key aspects of built-in compliance capabilities are:

  • Independently Verified – Third party audits verify that Office 365 meets many key world-class industry standards and certifications
  • Control framework – We follow a strategic approach of implementing extensive standard controls that in turn satisfy various industry regulations. Office 365 supports over 600 controls that enable us to meet complex standards and offer contracts to customers in regulated industries or geographies, like ISO 27001, the EU Model Clauses, HIPAA Business Associate Agreements, FISMA/FedRAMP
  • Comprehensive Data Processing Agreement – Our Data Processing Agreement comprehensively addresses privacy and security of customer data, helping customers comply with local regulations

Customer Controls

We provide Compliance controls within the service to help our customers comply based on the policy needs of their organization.

Some key customer controls for compliance are:

  • Data Loss Prevention – Helps customers to identify, monitor and protect sensitive data through content analysis
  • Archiving – Allows organizations to preserve electronically stored information retaining e-mail messages, calendar items, tasks, and other mailbox items
  • E-Discovery – Permits customers to retrieve content from across Exchange Online, SharePoint Online, Lync Online, and even file shares

Privacy

Privacy is our third trust principle.  As more and more customers are relying on online service providers to keep their data safe from loss, theft, or misuse by third parties, other customers, or even the provider’s employees, we recognize that cloud services raise unique privacy questions for businesses.

To meet your needs, we are continually developing technologies to enhance privacy in our services. We call this privacy by design – which is our commitment to use best practices to help protect and manage customer data.

Built-in Capabilities

Key built-in capabilities and principles of Privacy in Office 365 are:

  • No Advertising – We do not scan email, documents, build analytics or data mine to build advertising products. In fact, we do not use your information for anything other than providing you services you have subscribed for.
  • Data Portability – As an Office 365 customer, your data belongs to you, and you can export your data at any time with no restrictions. We act only as a data processor and provider of productivity services, not as a data owner
  • Notice and Consent – When we act upon your data, we let you know why and we ask for permission in advance or redirect any enquiries to our customers unless legally prevented to do so.
  • Breach Response – We have strong, tested and audited processes to inform you if there is a breach and remediate issues if they occur.
  • Data Minimization – We strive to minimize the actual amount of customer data that our internal teams have access to.

Customer Controls

In addition to built-in capabilities, Office 365 enables you to collaborate through the use of transparent policies and strong tools while providing the distinct ability to control information sharing.

Some examples of customer controls for privacy are:

  • Rights Management in Office 365 – Allows individuals and administrators to specify access permissions to documents, workbooks, and presentations. This helps you prevent sensitive information from being printed, forwarded, or copied by unauthorized people by applying intelligent policies
  • Privacy controls for sites, libraries and folders– SharePoint Online, a key component service of Office 365 that provides collaboration functionality has a number of privacy controls. One example is that SharePoint Online sites are set to “private” by default. A second example is that a document uploaded to a SkyDrive Pro is not shared until the user provides explicit permissions and identifies who to share with.
  • Privacy controls for communications In Lync Online, another key component service that provides real time communications in Office 365, there are various administrator level controls as well as user level controls to enable or block communication with external users and organizations. One example is blocking access to federation in Lync. Similarly there are controls throughout the service for the admins and users to ensure privacy of their content and communications.

Department of Defense makes Office 365 available for purchase

The U.S. Army announced an award for Cloud Services email and calendaring, unified capabilities, and collaboration tools has been made to Microsoft for Office 365. The Blanket Purchase Agreement is available to any Department of Defense (DoD) Service, agency and mission partner without additional competitive process. This opportunity gives Microsoft the ability to work at all levels within the DoD to provide commercial cloud services.

Microsoft has a long history of partnering with the Department of Defense. In November 2012, the Army, Air Force and Defense Information Systems Agency (DISA) expanded access to Microsoft solutions in a contract-partnership that ensures standardization, interoperability, and enhanced security through modernized technology infrastructure and virtualization that helps reduce costs and foster new levels of cross-agency collaboration.