A thought experiment for everyone reading this blog post: Take out your smartphone and unlock it. Now, give it to the next random person you see.
That's how most businesses feel about moving their corporate IT and accompanying data into the cloud. The smartphone analogy explains why corporate IT leaders appear to be so paranoid about migrating IT services and data to the public cloud. While consumers have gone all-in on public cloud services for storing their personal photos or backing up their smartphone settings, corporate IT leaders are more cautious. A survey of 300 IT decision makers by a top cybersecurity company in 2017 found that while adoption of public cloud IT services is growing rapidly across industries, 74% of them say "security concerns" are restricting their all-out cloud migration. Rather than paranoia, what those corporate IT leaders have is a healthy skepticism about moving company data to the cloud.
Shared responsibility, convenience, and compliance
Organizations that invested in the on-premises versions of Microsoft productivity and collaboration software such as Office 2013 and SharePoint have enjoyed complete control over the employee experience and corporate data. But suppose that company chooses to migrate from on-site software to cloud-based Office 365 and SharePoint Online. Corporate IT leaders see that as unlocking their smartphone and handing it to Microsoft. The company pays Microsoft for the convenience of storing their corporate data in the Microsoft-owned cloud. So, does that mean managing the cybersecurity for the corporate data stored in the cloud is the company's responsibility, or is it Microsoft's? What about regulatory compliance? What happens now?
Think of the cloud as having a "shared responsibility" model like a safety deposit box at the bank. You own what's in the box and you have a key to that box. The bank doesn't own what's in your box but does everything possible to keep what's in your box safe for you. This is an oversimplified analogy because the delineation of security responsibilities in the public cloud space can be something of a moving target due to industry and governmental regulations (more on that later in the blog). The good news is that cybersecurity fears of data stolen out of the cloud with no recourse against the owner of the cloud are unfounded. When it comes to moving your business into the cloud with Microsoft Office 365 and other Microsoft-owned cloud services, Microsoft is keenly aware of what's expected of them. Microsoft has decades-long experience building enterprise software and uses a mandatory development process that embeds security into all their cloud services for business. That means an inherent layer of cybersecurity is built into the Microsoft Office 365 apps your company uses to create business documents, the Outlook email and Dynamics 365 customer relationship management services your business uses to communicate with partners and customers, and the Microsoft Teams and SharePoint sites your employees use to collaborate for maximum productivity.
However, not all data security can (or should) be left to that built-in security layer, which is why corporate IT leaders need visibility into and control over what business data is stored in the cloud. Much of this visibility and control is mandated by industry groups and governmental bodies to ensure the accountability a business has for keeping customer data safe and not misusing that data. Corporate IT leaders are always concerned about these regulations on their businesses because compliance is easy for bureaucrats to define but difficult for companies to manage. But that's why Microsoft built a feature called Compliance Manager into Office 365.
Reducing the compliance burden on your IT department
Remember the delineation of cybersecurity responsibilities when it comes to business data stored in the cloud? It's why the Microsoft Compliance Manager built into Office 365 is so valuable for business IT leaders: it gives hard numbers around who is responsible for data security based on all major regulatory rules. Microsoft built Office 365 apps and cloud services to meet the various compliance requirements across highly regulated industries, such as healthcare, government, education, and banking. For example, Office 365 adheres to major privacy compliance standards, such as the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), the General Data Protection Regulation (GDPR), and many more. Depending on what industry your business competes in, your cloud-stored data must comply with those regulations—and your corporate IT department bears a level of shared responsibility for ensuring your business' data stored in the Microsoft cloud meets those security standards. Without Compliance Manager, corporate IT teams must carry 60% of the total cybersecurity burden for corporate data in the cloud. However, using Compliance Manager can reduce a corporate IT team's cybersecurity burden by 50%.
Compliance Manager provides you with tools to assign, track, and record compliance and assessment-related activities. You can use it to assess the overall regulatory compliance of your corporate data within the shared responsibility model of the cloud.
Visibility and control
Compliance Manager gives you visibility into how your company's deployment of Office 365 complies with the major international regulatory standards. You can use Compliance Manager to run a battery of tests that assess your overall compliance, which shows up in an online dashboard:
You can then drill down into the assessment to learn more about the action items required to fix any compliance issues. For example, here is a sample of an assessment for cloud-based Office 365 documents subject to the GDPR:
The upside of Compliance Manager for your business is that it's a self-service tool that provides you with an extremely detailed look at your Office 365 deployment. The downside is that Compliance Manager's recommendations are just that: recommendations. For example, according to the highlighted information in the screenshot above, your company needs to take action to achieve GDPR compliance. But… how? Navigating your company's cloud-stored data through an evolving regulatory environment is tricky. Even though Compliance Manager helps expose your potential weak spots, there's no big green button in the tool to press and fix all those weaknesses. Your corporate IT department will need to spend time and effort to get compliant—time and effort that should be used to make your business more productive.
Jumpstart your Office 365 compliance
Amaxra developed our comprehensive Office 365 Security Audit to fill this need for businesses. Companies that have used our Office 365 Security Audit spent only a few hundred dollars to get a full review of their current security posture along with a simple and practical plan to get compliant quickly—resulting in a savings of both time and money. Amaxra cybersecurity consultants are certified in the latest techniques to enhance your security posture to combat advanced persistent threats from criminal hackers.
Contact me at firstname.lastname@example.org or call 425 708 8841 if you have any questions or comments on this blog.