If you are an avid reader of my blog, you may realize that every recent article related to Azure IaaS security these days includes an introduction of my upcoming book titled “Microsoft Azure IaaS Defense in Depth Guide“. This book will cover common security design consideration and guidance on how to apply defense in depth strategy to your system hosted on Microsoft Azure IaaS. You will also learn number of different security practices along with Microsoft Azure built-in features to prevent common attacks (e.g. brute-force attack, DDoS, surface attack). It is not only written for the audience of Azure IT Pro, but also for anyone who is going to move or deploy an infrastructure onto Microsoft Azure. This book will also provide you a serial hands-on lab on building a production-like protected SharePoint Server 2013 farm on Microsoft Azure which can be beneficial to absolute beginner in order to quickly adopt Azure IaaS knowledge before taking off with Microsoft Azure journey.
If you are working with Microsoft Cloud sometimes, you may have heard about Microsoft Trust Center where Microsoft proves to its customers a trustworthy platform. From the center, Microsoft shows not only compliance achievement but also security privacy and its practices. To Microsoft Azure specifically, the Trust Center is here
Cloud computing is heterogeneously broad, relating to variety of software services to hardware infrastructure. Nevertheless, people are still following the U.S. National Institute of Standards and Technology (NIST), defining three service models:
If you happen to see a strange securitydata resource group in your Azure subscription, you would be pretty much surprised what the heck it is. You would be angry on someone in your cloud team if the Azure subscription is shared to every member. Even you think of the subscription being hacked by somebody else then you would delete this resource group then change your password. Congrats on having a seriously security awareness which has to be required today in the digital transformation.
Last year I participated in Singapore Global Azure Bootcamp 2016 as a speaker, talking about planning and deploying SharePoint 2013 on Microsoft Azure. This year should not be a difference from my speaking engagement perspective, as I will also be speaking at the Singapore Global Azure Bootcamp 2017 in Microsoft Singapore. This year is not going to be SharePoint deployment on Microsoft Azure as last time, but the topic is much more interesting I believe so. I will be talking about security principles to designing a secure Azure IaaS in which I will apply Government Cloud model. I’ve been still supporting my companies in public sector, primarily architecting and contributing to troubleshooting large SharePoint farms.
I often ask myself about the future of Office 365 for government or organizations that don’t really trust in cloud computing. When data comes to cloud provider, it is undeniably accessible to cloud provider’s engineers as well as there is no warranty in data leakage. Although Microsoft has claimed a number of different international security compliances applied to its cloud infrastructure, and security features in Office 365 (e.g. Data Loss Prevention, Information Right Management), the pessimistic view of the data in the cloud still exists.
Today, the announcement of the new feature named Customer Lockbox in Office 365 gets my question off for a while. What Customer Lockbox does is provide customer the key that they can decide to give Microsoft cloud engineers to open the door or not. Normally when a tenant’s Office 365 box has problem, Microsoft cloud engineer team has full control to access to the box for investigation. The security becomes breached with this kind of work. The customer who owns the tenant has no choice in this case. To maximize data security and privacy, Microsoft has vastly put its effort into Customer Lockbox feature. The selling point made by Microsoft is as follows
Use of the Customer Lockbox feature ensures that Microsoft engineer does not get access to the customer’s content without customer’s explicit approval. When the customer gets the request for access, they can scrutinize the request and either approve or reject it. Until the request is approved, the Microsoft engineer will not be granted access
According to Microsoft, Customer Lockbox will be available for Exchange Online by the end of 2015, and for SharePoint Online by the first quarter of 2016.
Will Customer Lockbox fill up the trust?
Yes of course! At least Office 365 customers are able to control access to their data in a tenant-level perimeter. However, to me there has been still a missing point here that Microsoft might be under its development roadmap. Imagine if Microsoft engineer team is allowed to have access to your data, they will definitively see all. The data should have been classified and controlled at the highest level. For example, even I give a Microsoft engineer the key to access my room, he still can’t open the cabinet where my valuable stuffs are within. Similarly, with secret classified information, nobody has access until allowed. That’s the ultimate objective!
Government agencies are going to considerably think towards cloud, specifically Office 365. With Customer Lockbox, Office 365 will become much more competitive with other SaaS cloud providers.
To me, I’m going to have this question back: What is the actual future of SharePoint on-premises from now on?
For more information about Customer Lockbox: http://blogs.office.com/2015/04/21/announcing-customer-lockbox-for-office-365/