As a Solution Architect for CDW Microsoft Services, I am often asked, “How secure is Microsoft Office 365?” I have also heard concerns about downtime, data not being secure and more. What we rarely hear is how a large number of customers are satisfied with Office 365. In this article, I look to discredit some rumors, hopefully instill confidence in Microsoft Office 365 and help explain why Microsoft is the leader in Software Services for productivity, communications and collaboration.

The most widely adopted version of Microsoft’s cloud services, Office 365 is used by millions of people every day. Customers big and small use Office 365 as their critical application for email, collaboration and communications. Microsoft is heavily invested in what is now the second-largest part of their company – being a devices and services company.

I often liken Office 365, also known as O365, to a cellular provider. Many complain about their cellular provider far more often than they will brag about them. Typically speaking, most cellular providers are good and the top few provide little disruption in most cases, but still many feel they have to find something to complain about. A common example would be “I remember that one time a call dropped in the middle of a meeting.” These things happen, and even in the business world we have learned to live with them. No service is perfect and there are always going to be issues. The questions to ask yourself are: Can you handle email being down for a few minutes? Would you or your employees even notice? Are Microsoft security and datacenters more secure and reliable than yours? Do you have resources and support in place if something happens?

Below are some questions I typically hear and how I respond.

Is Microsoft Office 365 HIPAA Compliant?

Microsoft developed Office 365 to provide physical, administrative, and technical safeguards that comply with HIPAA. Microsoft will also sign a HIPAA Business Associate Agreement (BAA) with customers. You can see a list of other Office 365 compliances here.

How Secure is Microsoft Office 365?

This is a question that cannot be answered with a simple yes or no. I often ask customers what their major concern is. The most common answers are “Who can access my data other than me?” and “Where will my data be stored, and do I have a say in where it will be stored?” First things first: who can access your data? The answer is spelled out on the Office 365 Trust Center. There you can see that very few people would have access to your data, with exceptions provided by you. Microsoft is transparent about where your data is located. For companies in the U.S. and EU, on request, Microsoft offers a regionally locking capability. For more information, please visit “Where is my data” in the Office 365 Trust Center.

What Are Microsoft Office 365’s Privacy Features?

Verified by third-party auditors, Office 365 works with and meets many key world-class industry standards and certifications. The items below are pulled directly from Microsoft’s website.

  • We restrict physical data center access to authorized personnel and have implemented multiple layers of physical security, such as biometric readers, motion sensors, 24-hour secured access, video camera surveillance, and security breach alarms.
  • We enable encryption of data both at rest and via the network as it is transmitted between a data center and a user.
  • We don’t mine or access your data for advertising purposes.
  • We use customer data only to provide the service; we don’t otherwise look in your mailbox without your permission.
  • We regularly back up your data.
  • We won’t delete all the data in your account at the end of your service term until you have had time to take advantage of the data portability that we offer.
  • We host your customer data in-region.
  • We enforce “hard” passwords to increase security of your data.
  • We allow you to turn off and on privacy impacting features to meet your needs.
  • We contractually commit to the promises made here with the data processing agreement (DPA).

For more information about the DPA, visit the Data Processing Agreement section of their independently verified page.

What Major Companies Use Office 365?

Companies such as Toyota, American Red Cross, New Belgium Brewery, Hyatt, CDW and many more use Office 365, as do many major universities, medical centers and hospitals, as well as federal, local and state governments.

How Does Microsoft Protect My Business from Outages?

Since launching Office 365 two years ago, Microsoft has continued to invest deeply in their infrastructure to ensure a highly available service. While information has been available in detail for current customers, they have been making this information available to all companies considering Office 365 as well. They measure availability as the number of minutes that the Office 365 service is available in a calendar month as a percentage of the total number of minutes in that month. Within this calculation, they include business, government and education services. With Cloud Services you can trust, the worldwide uptime number for Office 365 for the last four quarters beginning July 2012 and ending June 2013 has been 99.98%, 99.97%, 99.94% and 99.97% respectively.

As you can see, Microsoft has put a lot of effort, money and resources into making O365 the leader in cloud services for business productivity, communications and collaboration according to the Gartner Magic Quadrant. Microsoft is dedicated to a secure and reliable service with a financially backed SLA and uptime of 99.9%.

Are you using O365 in your office? If so, what are your thoughts? If not, why? Comment below.




3 thoughts on “Is Office 365 Security Safe Enough For Your Needs?”

  • Rob MacKinnon says:

    In 3.E, you state that you back up data. I believe that’s only for your purpose of DLP and not for the service users to restore from an earlier time. Correct?

    • Don Pistulka says:

      Hi Rob,

      Deleted items are recoverable in O365 and DR is the main point of backup discussed in the article.

      Users can restore items that have been deleted from any email folder. Here’s how the process works: When an item is deleted, it is kept in a user’s Deleted Items folder. Items remain in this folder until manually removed by the user, or automatically removed by retention policies. (The default retention policy removes items from the Deleted Items folder after 30 days, but organizations can customize this setting.) After an item has been removed from the Deleted Items folder, the item is kept in a Recoverable Items folder—where it can be restored by an administrator—for an additional 14 days before being permanently removed. (Please note that if an administrator has placed a user’s mailbox on legal hold, purged items are retained indefinitely and the 14-day window does not apply.)

      When an Exchange Online mailbox is deleted, its contents are recoverable for 30 days using the Exchange Control Panel. The mailbox contains all of the data stored in it at the time it was deleted. After 30 days, it is not recoverable.

      I hope this helps
      Don Pistulka

  • Our company is moving to Office365 and already provided access to “Box”.

    Are the documents stored to “MyDocuments” accessible to our company’s Admins (of Office 365)?

    Is the above Box the same as the Office 365 cloud? If not, is the Office-365 cloud that comes with the Company’s Office-365 accessible to Admins (items saved to “My Documents” folder – not referring to items saved to shared documents)?
