We’re back with another edition of the Modern Service Management for Office 365 blog series! In this article, we review the function of IT with Office 365 and evolution of IT Pro roles for the cloud. These insights and best practices are brought to you by Carroll Moon, Senior Architect for Modern Service Management.
In this installment of the blog series, we will dive into the “Business Consumption and Productivity” topic. The whole point of the “Business Consumption and Productivity” category is to focus on the higher-order business projects for whatever business you are in. If you are in the cookie-making business, then the focus should be on making cookies. The opportunity is to use Office 365 to drive productivity for your cookie-making users, to increase market share of your cookie business, or to reduce costs of producing or selling your cookies. This category is about the business rather than about IT. We all want to evolve IT to be more about driving those business-improvement projects. However, in order for IT to help drive those programs with (and for) the business, we need to make sure that the IT Pros and the IT organization are optimized (and are excited) to drive the business improvements. We all need to look at the opportunities to do new things by using the features and the data provided by the Office 365 service to drive business value rather than looking at what we will no longer do or what we will do differently. I always say that none of us got into IT so we could manually patch servers on the weekends, and none of us dreamed about sitting on outage bridges in the middle of the night. On the contrary, most of us got into IT so we could drive cool innovation and cool outcomes with innovative use of technology. I like the idea of using Office 365 as a conduit to get back to our dreams of changing the business/world for the better using technology.
For IT Pros
If you are an IT Pro in an organization who is moving to Office 365 (or to the cloud, or to a devops approach), I would encourage you to figure out where you want to focus. In my discussions with many customers, I encounter IT Pros who are concerned about what the cloud and devops will mean to their careers. My response is always one of excitement. There is opportunity! The following bullets outline just a few of the opportunities that are in front of us all:
Business-Value Programs. If I were a member of the project team for Office 365 at one of our customers, I would not be able to contain my excitement for driving change in the business. I would focus on one or more scenarios; for example, driving down employee travel costs by using Skype for Business. Such a project would save the company money, but it would also positively impact people’s lives by letting them spend more time at home and less time in hotels for work, so such a scenario would be very fulfilling. I would focus on one or more departments or business units who really want to drive change. Perhaps it would be the sales department because they have the highest travel budget and the highest rate of employee turnover due to burnout in this imaginary example. I would use data provided by the Office 365 user reports and combine it with existing business data on Travel Cost/user/month. I would make a direct impact on the bottom line with my project. I would be able to prove that as Skype for Business use in the Sales Department went up, Travel Costs/user/month went down. That would be real, measurable value, and that would be fun! There are countless scenarios to focus on. By driving the scenarios, I would prove significant business impact, and I would create a new niche for myself. What a wonderful change that would be for many IT Pros from installing servers and getting paged in the middle of the night to driving measurable business impact and improving people’s lives.
Evolution of Operations. In most organizations, the move to cloud (whether public or private), the move towards a devops culture, the move towards application modernization, and the growth of shadow-IT will continue to drive new requirements for how Operations provides services to the business and to the application development and engineering teams. As an operations guy, that is very exciting to me. Having the opportunity to define (or at least contribute to) how we will create or evolve our operational services is very appealing. In fact, that is a transformation that I got to help lead at Microsoft in the Office 365 Product Group over the years, and it was very fulfilling. For example, how can the operations team evolve from viewing monitoring as a collection of tools to viewing monitoring as a service that is provided to business and appdev teams? That is a very exciting prospect, and it is an area that will be more and more important to every enterprise over the next N years. The changes are inevitable, so we may as well be excited and drive the changes. We must skate to where the [hockey] puck is going to be rather than where it is right now. See this blog series and this webinar for more on the monitoring-as-a-service example.
Operations Engineering. In support of the evolution of operations topic covered in the previous bullet, there will be numerous projects, services and opportunities where technical prowess is required. In fact, the technical prowess required to deliver on such requirements is likely beyond what we see in most existing operations organizations. Historically, operations is operations and engineering is engineering and the two do not intertwine. In the modern world, operations must be a series of engineering services, so ops really becomes an engineering discussion. Using our monitoring-as-a-service example, there will be a need to have someone architect, design, deploy, and run the new service monitoring service as described in this blog series.
Operations Programs. In further support of the evolution of operations topic, there will be the need for program management. That’s great news because there will be some IT Pros who do not want to go down the deep bits and bytes route. For example, who is program managing the creation and implementation of the new service monitoring service described in this blog series? Who is interfacing with the various business units who have brought in SaaS solutions outside of IT’s purview (shadow IT) to convince them that it is in the business’s best interest to onboard onto IT’s service monitoring service? Who is doing that same interaction with the application development teams who are moving to a devops approach? Who is managing those groups’ expectations and satisfaction once they onboard to the service monitoring service? Answer: Operations Program Manager(s) need to step up to do that.
Modern Service Desk. Historically, Service Desks have been about “taking lots of calls” and resolving them quickly. The modern service desk must be about enabling users to be more productive. That means that we need to work with engineering teams to eliminate calls altogether, and when we cannot eliminate an issue, push the resolution to the end-user instead of taking the call at the service desk. The goal should be to help the users be more productive. And that means that we also need to assign the modern service desk the goal of “go seek users to help them be more productive.” As discussed in the Monitoring: Audit and Bad-Guy-Detection blog post, wouldn’t it be great if the service desk used the data provided by the service to find users who are having the most authentication failures so they could proactively go train the users? That is just one example, but such a service would delight the user. Such a service would help the business because the user would be more productive. And such a change of pace from reactive to proactive would be a welcome change for most of us working on the service desk. One of my peers, John Clark, just published a two-part series on the topic of Modern Service Desk: Part 1 and Part 2.
Status Quo. Some people do not want to evolve at all, and that should be ok. If you think about it, most enterprises have thousands of applications in their IT Portfolios. Email is just one example. So, if the enterprise moves Email to the cloud, that leaves thousands of other applications that have not yet moved. Also, in most enterprises, there are new on-premise components (e.g. Directory Synchronization) introduced as the cloud comes into the picture; someone has to manage those new components. And, of course, there are often hybrid components (e.g. hybrid smtp mailflow) in the end-to-end delivery chain at least during migrations. And if all else fails, there are other enterprises who are not evolving with cloud and devops as quickly. There are always options.
The bullet list above is not exhaustive for Office 365. The bullets are here as examples only. My hope is that the bullets provide food for thought and excitement. The list expands rapidly as we start to discuss Infrastructure-as-a-Service and Platform-as-a-Service. There is vast opportunity for all of us to truly follow our passions and to chase our dreams. When automobiles were invented, of course some horse and buggy drivers were not excited. I have to assume, however, that some horse enthusiasts were very excited for the automobiles too. For those who were excited to change and evolve, there was opportunity for them with automobiles. For those who wanted to stay with the status quo and keep driving horse-drawn-buggies, they found a way to do that. Even today in 2017, there are horse-drawn-carriage rides in Central Park in New York City (and in many other cities). So, there is always opportunity.
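The Modern Service Desk bullet above suggests ranking users by authentication failures so the desk can reach out before a ticket is ever opened. The following is an added example (not code from the original post or from any Microsoft report) of how that triage can be done over an exported sign-in log. The log format, field names (time, user, status, reason) and the reason values are constructed assumptions for this example and are not the schema of any real Office 365 report; the point is the aggregation and triage logic, which separates users who eventually signed in (a training conversation) from users who are still stuck, and which also surfaces rapid failure bursts that should be routed to a security review rather than to training.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of sign-in events, one JSON object per line. The schema is
# an assumption for this example, not the format of any real Office 365 report.
SAMPLE_SIGNIN_LOG = """\
{"time": "2017-05-01T08:01:10Z", "user": "alice@contoso.example", "status": "failure", "reason": "invalid_password"}
{"time": "2017-05-01T08:01:45Z", "user": "alice@contoso.example", "status": "failure", "reason": "invalid_password"}
{"time": "2017-05-01T08:02:20Z", "user": "alice@contoso.example", "status": "success", "reason": ""}
{"time": "2017-05-01T09:15:00Z", "user": "bob@contoso.example", "status": "success", "reason": ""}
{"time": "2017-05-01T10:00:00Z", "user": "carol@contoso.example", "status": "failure", "reason": "mfa_not_completed"}
{"time": "2017-05-01T10:05:00Z", "user": "carol@contoso.example", "status": "failure", "reason": "mfa_not_completed"}
{"time": "2017-05-01T10:10:00Z", "user": "carol@contoso.example", "status": "failure", "reason": "mfa_not_completed"}
{"time": "2017-05-01T10:12:00Z", "user": "carol@contoso.example", "status": "failure", "reason": "mfa_not_completed"}
{"time": "2017-05-01T11:00:00Z", "user": "dave@contoso.example", "status": "failure", "reason": "invalid_password"}
{"time": "2017-05-01T11:00:01Z", "user": "dave@contoso.example", "status": "failure", "reason": "invalid_password"}
{"time": "2017-05-01T11:00:02Z", "user": "dave@contoso.example", "status": "failure", "reason": "invalid_password"}
{"time": "2017-05-01T11:00:03Z", "user": "dave@contoso.example", "status": "failure", "reason": "invalid_password"}
{"time": "2017-05-01T11:00:04Z", "user": "dave@contoso.example", "status": "failure", "reason": "invalid_password"}
not valid json, should be skipped
"""


def parse_events(text):
    """Parse one JSON event per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # exported logs often carry headers or truncated lines
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def summarize_failures(events):
    """Per user: failure count, failures by reason, whether a success followed the
    last failure, and the shortest gap between consecutive failures (seconds)."""
    summary = defaultdict(lambda: {"failures": 0, "reasons": Counter(),
                                   "recovered": False, "min_gap_s": None, "_last": None})
    for ev in sorted(events, key=lambda e: e["time"]):
        entry = summary[ev["user"]]
        if ev["status"] == "failure":
            entry["failures"] += 1
            entry["reasons"][ev["reason"]] += 1
            entry["recovered"] = False  # a new failure after a success means still struggling
            if entry["_last"] is not None:
                gap = (ev["time"] - entry["_last"]).total_seconds()
                entry["min_gap_s"] = gap if entry["min_gap_s"] is None else min(entry["min_gap_s"], gap)
            entry["_last"] = ev["time"]
        elif ev["status"] == "success" and entry["failures"] > 0:
            entry["recovered"] = True
    for entry in summary.values():
        entry.pop("_last")
    return {u: s for u, s in summary.items() if s["failures"] > 0}


def top_failing_users(events, n=3):
    """Rank users by failure count (ties by name). Returns (user, failures, top_reason, recovered)."""
    ranked = sorted(summarize_failures(events).items(), key=lambda kv: (-kv[1]["failures"], kv[0]))
    return [(u, s["failures"], s["reasons"].most_common(1)[0][0], s["recovered"]) for u, s in ranked[:n]]


def outreach_worklist(events, min_failures=3, burst_gap_s=5):
    """Users the service desk should proactively contact. Users who never recovered
    come first. A run of failures only seconds apart is unlikely to be a human
    typing a password, so it is tagged for security review instead of training."""
    rows = []
    for user, s in summarize_failures(events).items():
        if s["failures"] < min_failures:
            continue
        reason = s["reasons"].most_common(1)[0][0]
        if s["min_gap_s"] is not None and s["min_gap_s"] <= burst_gap_s:
            action = "security review (rapid failure burst)"
        elif reason == "mfa_not_completed":
            action = "MFA enrollment and training"
        else:
            action = "password guidance"
        rows.append({"user": user, "failures": s["failures"], "recovered": s["recovered"], "action": action})
    return sorted(rows, key=lambda r: (r["recovered"], -r["failures"], r["user"]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_SIGNIN_LOG)
    for row in outreach_worklist(evs):
        print(row)
```

On the constructed sample, alice fails twice and then signs in (a candidate for a quick tip, not a ticket), carol fails MFA four times with no success (training or enrollment help), and dave's five failures one second apart are tagged for a security review rather than training, which is the same data stream serving both the productivity goal of the bullet and the "bad-guy detection" the author refers to.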
For IT Management
In the ~13 years that I have focused on cloud services at Microsoft, since our very first customer for what is now called Office 365, the question that I have been asked the most is “how do I monitor it?” The second most frequent question comes from senior IT managers: How do I need to change my IT organization to support Office 365? And a close third most frequent question is from IT Pros and front-line IT managers: How will my role change as we move to Office 365?
Simplicity is a requirement. As you continue on this journey with us in this blog series, I encourage you to push yourself to keep it simple from the service management perspective. Change as little as possible. For example, if you can monitor and integrate with your existing monitoring toolset, do so. We will continue to simplify the scenarios for you to ease that integration. From a process perspective, there is no need to invent something new. For example, you already have a great Major Incident process: you have a business, and your business is running, so that implies that you are able to handle Major Incidents already. For Office 365, you will want to quantify and plan for the specific Major Incident scenarios that you may encounter. You will want to integrate those scenarios into your existing workflows with joined data from your monitoring streams and the information from the Office 365 APIs. We have covered those examples already in the blog series, so the simplistic approach should be more evident at this point.
From an IT Pro Role and Accountability perspective, it is important to be intentional and specific about how each role will evolve and how the specific accountabilities will evolve in support of Office 365. For example, how should the “Monitoring” role change for Email? And how will you measure the role to ensure that the desired behaviors and outcomes are achieved?
What about the IT Organization?
Most of the time, when I get the IT organization question, customers are asking about whether they should reorganize. My answer is always the following: there are three keys to maximizing your outcomes with this cloud paradigm shift:
1. Assign granular accountabilities…make people accountable, not teams. For example, if we miss an outage with monitoring, senior management should have a single individual who is accountable for that service or feature being adequately covered with monitoring.
2. Ensure metrics for each accountability…#1 will not do any good if you cannot measure the accountability, so you need metrics. Most of the time, the metrics that you need for this topic can easily be gathered during your existing internal Major Problem Review process.
3. Hold [at least] monthly Rhythm of the Business meetings with senior management to review the metrics. At Microsoft, we call these meetings Monthly Service Reviews (MSRs). In these meetings, the accountable individuals should represent their achievement (or lack of achievement) of their targets so that senior management can a) make decisions and b) remove blockers. The goal is to enable the decisions to be made at the senior levels without micro-management.
I tell customers that if they get those three things right, the organizational chart becomes about organizing their talent (the accountable people) into the right groups. If one gets those three bullets right, the org chart does not matter as much. However, no matter how one changes the IT Organizational chart, if one gets those three bullets wrong, the outcomes will not be as optimized as we want them to be. So, my guidance is always to start with these three bullets rather than the org chart. The combination of these three bullets will drive the right outcomes. The right outcomes sometimes drive an organizational chart adjustment, but in most cases, organizational shifts are not required.
Think of it this way, if you move a handful of workloads to the cloud, the majority of your IT portfolio will still be managed as business-as-usual, so a major organizational shift just for the cloud likely will not make sense. If I have 100 apps in my IT portfolio and I move 3 apps to the cloud, then would I re-organize around the 3 apps? Or would I keep my organization intact for the 97 apps and adapt only where I must adapt for the 3 cloud apps?
The IT Organization is about the sum of the IT Pros
From a people perspective, the importance of being intentional and communicative cannot be overstated. Senior management should quantify the vision for the IT organization and articulate how Office 365 fits into that vision. It is important to remember that IT Pros are real people with real families and lives outside of work. Many IT Pros worry that the cloud means that they do not have a job in the future. That, of course, is not true. Just as the centralization of the electrical grid did not eliminate the need for electricians, the centralization of the business productivity grid into the cloud does not eliminate the need for the IT Pro. But just as the role of an electrician evolved as the generation of power moved from the on-premise-water-wheel to the utility grid, the role of IT Pro will evolve as business productivity services move to the cloud. The electrician’s role evolved to be more focused on the business-use of the electrical grid. So too will the IT Pro’s role evolve to support the business value realization of the business productivity services. We intend to help with that journey in future blog posts focused on the Consumption and Productivity category.
As senior management plans through the cloud, we recommend that they dig into at least the following role groupings to plan how each will evolve with respect to Office 365 workloads:
Engineering / Tier 3 / Workload or Service Owners…will we still support servers, or will we focus on tenant management and business improvement projects?
Service Desk Tiers and Service Desk Managers…will we support end-users in the same way? With the same documentation? Will our metrics stay the same, or should they evolve?
Major Incident Managers…will we still run bridges for the Office 365 workloads? How will those bridges be initiated? Will our team’s metrics evolve? Given that many of the MSR metrics come from our Major Problem Reviews, is our team’s importance increasing?
Monitoring Engineers and Monitoring Managers…will we be accountable for whether we miss something with monitoring for Office 365 workloads? Or perhaps do we support the monitoring service with the Tier 3 engineers being accountable for the rule sets? Should we focus on building a Service Monitoring Service?
Change and Release Managers…how are we going to absorb the evergreen changes and the pace-of-change from Microsoft and still achieve the required outcomes of our Change and Release Management processes?
As you spend time in the Monitoring and Major Incident Management content in this blog series, I encourage you to think through how implementation of the content may change things for the IT Pros using that example. If you implement the monitoring recommendations, will it be simply business-as-usual for your monitoring team? What about the Tier 3 workload team? Or, perhaps is it a shift in how things are done? Perhaps for your on-premise world, the monitoring team owns the monitoring tool and the installed Exchange monitoring management packs. Perhaps in practice, when there is an outage on-premise, the Service Desk recognizes the outage based on call patterns, and then they initiate an incident bridge. Perhaps once the bridge is underway, someone then opens the monitoring tool to look for a possible root cause of the outage. Will that same approach continue in the cloud for Exchange Online, or should we look to evolve that? Perhaps in the cloud we should have the Tier 3 workload team be accountable for anything missed by monitoring for any end-to-end impact for Exchange regardless of where root cause lies. Perhaps we should have the monitoring team be accountable for the monitoring service with metrics like we describe here. And perhaps we should review both the Exchange monitoring metrics and the Monitoring Service metrics (and any metric-misses) every month in a Monthly Service Review (MSR) with the IT executive team as covered in #3 above. What I describe here is usually a pretty big, yet desirable, culture shift for most IT teams.
Some customers want hands-on assistance
As I mentioned, I get these questions often. Some customers want Microsoft to help guide them on the IT Pro and organizational front. In response to customer requests, my peers and I have created a 3-day, on-site course for IT Executives and IT Management to help them plan for the people side of the change. The workshop focuses on the scenarios, personas and metrics for the evolution discussed in this blog post. The workshop also helps develop employee communications and resistance management plans. The workshop is part of the Adoption and Change Management Services from Microsoft. Ask your Technical Account Manager about the “Managing Change for IT Pros: Office 365” workshop, or find me on Twitter @carrollm_itsm.
Looking ahead
My goal with this blog post is to get everyone thinking. I hope that the commentary was helpful. We’ll jump back into the scenarios in the next post which will focus on Evergreen Management.
Announcing the public preview of the Office 365 Adoption Content Pack in PowerBI
Understanding how your users adopt and use Office 365 is critical for you as an Office 365 admin. It allows you to plan targeted user training and communication to increase usage and to get the most out of Office 365.
Today, we’re pleased to announce the public preview of the Office 365 Adoption Content Pack in Power BI, which enables customers to get more out of Office 365.
The content pack builds on the usage reports in the Office 365 admin center and lets admins further visualize and analyze their Office 365 usage data, create custom reports, share insights and understand how specific regions or departments use Office 365.
It gives you a cross-product view of how users communicate and collaborate, making it easy for you to decide where to prioritize training efforts and to provide more targeted user communication.
Read the blog post on Office blogs for all details:
If you have questions, please post them in the Adoption Content Pack group in the Microsoft Tech Community. Also, join us for an Ask Microsoft Anything (AMA) session, hosted by the Microsoft Tech Community on June 7, 2017 at 9 a.m. PDT. This live online event will give you the opportunity to connect with members of the product and engineering teams who will be on hand to answer your questions and listen to feedback. Add the event to your calendar and join us in the Adoption Content Pack in Power BI AMA group.
We are excited to announce our second major update of Office Online Server (OOS), which allows organizations to deliver browser-based versions of Word, PowerPoint, Excel and OneNote to users from their own datacenters.
In this release, we officially offer support for Windows Server 2016, which has been highly requested. If you are running Windows Server 2016, you can now install OOS on it. Please verify that you have the latest version of the OOS release to ensure the best experience.
This release includes the following improvements:
Performance improvements to co-authoring in PowerPoint Online
Equation viewing in Word Online
New navigation pane in Word Online
Improved undo/redo in Word Online
Enhanced W3C accessibility support for users that rely on assistive technologies
Accessibility checkers for all applications to ensure that all Office documents can be read and authored by people with different abilities
More about Office Online Server
Microsoft recognizes that many organizations still value running server products on-premises for a variety of reasons. With Office Online Server, you get the same functionality we offer with Office Online in your own datacenter. OOS is the successor to Office Web Apps Server 2013 and we have had three releases starting from our initial launch in May of 2016.
Office Online Server scales well for your enterprise whether you have 100 employees or 100,000. The architecture enables one OOS farm to serve multiple SharePoint, Exchange and Skype for Business instances. OOS is designed to work with SharePoint Server 2016, Exchange Server 2016 and Skype for Business Server 2015. It is also backwards compatible with SharePoint Server 2013, Lync Server 2013 and, in some scenarios, with Exchange Server 2013. You can also integrate other products with OOS through our public APIs.
How do I get OOS/download the update?
If you already have OOS, we encourage you to visit the Volume License Servicing Center to download the April 17 release. You must uninstall the previous version of OOS to install this release. We only support the latest version of OOS with bug fixes and security patches, available via the Microsoft Updates Download Center.
Customers who do not yet have OOS but have a Volume Licensing account can download OOS from the Volume License Servicing Center at no cost and will have view-only functionality, which includes PowerPoint sharing in Skype for Business. Customers that require document creation, edit and save functionality in OOS need to have an on-premises Office Suite license with Software Assurance or an Office 365 ProPlus subscription. For more information on licensing requirements, please refer to our product terms.
In the modern world, organizations are transforming how they work with their partners and customers. This means seizing new opportunities quickly, reinventing business processes, and delivering greater value to customers. More important than ever are the strong and trusted relationships that allow for employees to collaborate with partners, contractors and customers outside the business.
At Microsoft, our mission is to empower every person and every organization on the planet to achieve more, and we can do this by helping organizations work together, better. Business-to-business collaboration (B2B collaboration) allows Office 365 customers to provide external user accounts with secure access to documents, resources, and applications—while maintaining control over internal data. This lets your employees work with anyone outside your business (even if they don’t have Office 365) as if they’re a user in your business.
There’s no need to add external users to your directory, sync them, or manage their lifecycle; IT can invite collaborators to use any email address—Office 365, on-premises Microsoft Exchange, or even a personal address (Outlook.com, Gmail, Yahoo!, etc.)—and even set up conditional access policies, including multi-factor authentication. Your developers can use the Azure AD B2B collaboration APIs to write applications that bring together different organizations in a secure way—and deliver a seamless and intuitive end user experience.
B2B collaboration is a feature provided by Microsoft’s cloud-based user authentication service, Azure AD. Office 365 uses Azure AD to manage user accounts, and Azure AD is included as part of your Office 365 subscription. For more information on Office 365 and the Azure AD version that is included, visit the technical documentation.
What you need to know about Azure AD B2B collaboration and Office 365:
Work with any user from any partner
    Partners use their own credentials
    No requirement for partners to use Azure AD
    No external directories or complex set-up required
Simple and secure collaboration
    Provide access to any corporate application or resource
    Seamless user experiences
    Enterprise-grade security for applications and data
No management overhead
    No external account or password management
    No sync or manual account lifecycle management
    No external administrative overhead
Over 3 million users from thousands of businesses have already been using Azure AD B2B collaboration capabilities available through public preview. When we talk to our customers, 97% have told us Azure AD B2B collaboration is very important to them. We have spent countless hours with these customers diving into how we can serve their needs better with Azure AD B2B collaboration. Today’s announcement would not be possible without their partnership.
In the modern world, organizations are transforming how they work with their partners and customers. This means seizing new opportunities quickly, reinventing business processes, and delivering greater value to customers. More important than ever are the strong and trusted relationships that allow for employees to collaborate with partners, contractors and customers outside the business.
At Microsoft, our mission is to empower every person and every organization on the planet to achieve more and we can do this by helping organizations work together, better. Business-to-business collaboration (B2B collaboration) allows Office 365 customers to provide external user accounts with secure access to documents, resources, and applications—while maintaining control over internal data. This let’s your employees work with anyone outside your business (even if they don’t have Office 365) as if they’re a user in your business.
There’s no need to add external users to your directory, sync them, or manage their lifecycle; IT can invite collaborators to use any email address—Office 365, on-premises Microsoft Exchange, or even a personal address (Outlook.com, Gmail, Yahoo!, etc.)—and even set up conditional access policies, including multi-factor authentication. Your developers can use the Azure AD B2B colloboration APIs to write applications that bring together different organizations in a secure way—and deliver a seamless and intuitive end user experience.
B2B collaboration is a feature provided by Microsoft’s cloud-based user authentication service, Azure AD. Office 365 uses Azure AD to manage user accounts and is included as part of your Office 365 scubscription. For more information on Office 365 and the Azure AD version that is included visit the technical documentation.
What you need to know about Azure AD B2B collaboration and Office 365:
Work with any user from any partner
Partners use their own credentials
No requirement for partners to use Azure AD
No external directories or complex set-up required
Simple and secure collaboration
Provide access to any corporate application or resource
Seamless user experiences
Enterprise-grade security for applications and data
No management overhead
No external account or password management
No sync or manual account lifecycle management
No external administrative overhead
Over 3 million users from thousands of businesses have already been using the Azure AD B2B collaboration capabilities available through public preview. When we talk to our customers, 97% have told us Azure AD B2B collaboration is very important to them. We have spent countless hours with these customers diving into how we can serve their needs better with Azure AD B2B collaboration. Today’s announcement would not be possible without their partnership.
We say this all the time, but it’s worth repeating here: we believe that transparency is key to earning customer trust. When you entrust your data to the Microsoft Cloud, we use advanced security technology and cryptography to safeguard your data. Our compliance with US and international standards is independently audited, and we’re transparent on many levels—from how we handle legal demands for customer data to the security of our code.
We do these things not just to be transparent, but to also make it easier for you to perform your own risk assessment of our cloud services. And we do these things to help you understand how the controls within our cloud services meet the security, compliance, and privacy requirements of your organization.
Service Assurance
Many of our customers in regulated industries are subject to extensive compliance requirements. To perform their own risk assessments, customers often need in-depth information on how Office 365 maintains the security and privacy of their data. Office 365 is committed to the security and privacy of customer data in its cloud services and to earning customer trust by providing a transparent view of its operations, and easy access to independent compliance reports and assessments.
The Service Assurance area of the Security & Compliance Center provides information about how Microsoft’s cloud services maintain security, privacy and compliance with global standards. It includes independent, third-party audit reports for Office 365, Yammer, Azure, Dynamics 365, and Intune, as well as implementation and testing details for the security, privacy, and compliance controls used by Office 365 to protect Customer Data.
Audited Controls
The Audited Controls area of Service Assurance provides information about how the controls used within Office 365 meet security, compliance, and privacy requirements. With Audited Controls, we have mapped our internal control system to other standards, including International Organization for Standardization (ISO) 27001:2013, ISO 27018:2014, and now NIST 800-53.
Using the Audited Controls feature, customers can perform their own assessment of the risks of using Office 365. Customers can view the details of a given control, which include:
Control ID (as assigned by the mapped standard)
Test status (whether the control has passed testing)
Test date (when the control was last tested)
Tested by (typically third-party auditors or Microsoft)
Control implementation details (how the control is implemented)
Testing performed to evaluate control effectiveness (how the control was tested)
Management responses (for any findings from any audits)
Office 365 Audited Controls for NIST 800-53
Microsoft’s internal control system is based on the National Institute of Standards and Technology (NIST) Special Publication 800-53, and Office 365 has been accredited to the latest NIST 800-53 standard as a result of an audit through the Federal Risk and Authorization Management Program (FedRAMP) using the test criteria defined in NIST 800-53A (Rev. 4).
Today, we are pleased to announce the release of the Office 365 Audited Controls for NIST 800-53. The information we have published for this standard represents the results of a third-party audit of Office 365 and can help you better understand how Microsoft has implemented an Information Security Management System to manage and control information security risks related to Office 365. In addition, this information provides you with insights into the implementation and testing of controls designed to maintain the confidentiality, integrity, and availability of Customer Data in Office 365.
The Office 365 Audited Controls for NIST 800-53 include 695 individual controls across 17 control domains:
Control Domain: Intended to Help You To…
Access Control: Understand how Microsoft addresses access control policies and procedures, account management, access enforcement, information flow enforcement, separation of duties, least privilege, unsuccessful login attempts, system use notification, previous login notification, concurrent session control, session locks and termination, access control supervision and review, permitted actions without identification or authentication, automated marking, security attributes, remote and wireless access, access control for mobile devices, use of external information systems and information sharing, publicly accessible content, data mining protections, access control decisions and reference monitors for Office 365.
Awareness and Training: Understand how Microsoft addresses security awareness and training policies and procedures for Office 365 personnel, and how Microsoft addresses role-based security, security training and security training records, and contacts with security groups and associations.
Audit and Accountability: Understand how Microsoft addresses audit and accountability policies and procedures for Office 365, including audit events, contents of audit records, audit storage capacity, processing failures, review, analysis, reporting, reduction and protection of audit information, non-repudiation, audit generation and record retention, monitoring for information disclosure, session audits, and cross-organizational audits.
Security Assessment and Authorization: Understand how Microsoft addresses security assessments for Office 365, including system interconnections, security certification, security authorization, continuous monitoring, penetration testing, and plans of actions and milestones.
Configuration Management: Understand how Microsoft addresses configuration management for Office 365, including baseline configuration management, change control, security impact analysis, access restrictions for change, information system inventory, configuration management plans, and software-usage restrictions.
Contingency Planning: Understand how Microsoft addresses contingency planning related policies and procedures for Office 365, including contingency plans, plan testing, plan updating, alternate storage and processing sites, contingency plans for telecommunications services, information system backup, recovery and reconstitution, alternate communication protocols and alternative security mechanisms.
Identification and Authentication: Understand how Microsoft addresses identification and authentication in Office 365, including device and user identification and authentication, identifier and authentication management, cryptographic module authentication, service identification and authentication, adaptive identification and authentication, and re-authentication.
Incident Response: Understand how Microsoft addresses incident response, including policies and procedures, training, and testing in Office 365. Also understand how Microsoft addresses incident monitoring, handling, and reporting, incident response plans and assistance, and information spillage response.
Maintenance Control: Understand how Microsoft addresses maintenance in Office 365, including policies and procedures, maintenance tools and personnel, non-local and timely maintenance.
Media Protection: Understand how Microsoft addresses media protection in Office 365, including policies and procedures and media access, marking, storage, transport, sanitization, use, and downgrading.
Physical and Environmental Protection: Understand how Microsoft addresses physical and environmental protection for Office 365, including policies and procedures, physical access authorization, access control, access monitoring, visitor control, emergency shutoff, power, and lighting, fire and water damage protection, temperature and humidity, information leakage, and asset monitoring and tracking.
Planning: Understand how Microsoft addresses security planning for Office 365, including system security plans and updates, rules of behavior, security-related activity planning, information security architecture, and central management.
Personnel Security: Understand how Microsoft addresses personnel security for Office 365, including policies and procedures, personnel screening, termination, transfer, and sanctions, access agreements, and third-party personnel security.
Risk Assessment: Understand how Microsoft addresses risk assessment for Office 365, including risk assessment planning and updates, vulnerability scanning, technical surveillance and countermeasures.
System and Services Acquisition: Understand how Microsoft addresses system and services acquisitions for Office 365, including allocation of resources, system development lifecycle, information system documentation, supply chain protection, trustworthiness, developer configuration testing and security management, tamper resistance and detection, component authenticity, developer screening, and security engineering principles.
System and Communications Protection: Understand how Microsoft addresses system and communications protection for Office 365, including denial-of-service and boundary protection, transmission confidentiality and integrity, cryptographic key protection, public access protection, protection of information at rest, honeypots, honey-clients, concealment and misdirection, operations security, port and I/O device access, mobile code, secure name and address resolution, and detonation chambers.
System and Information Integrity: Understand how Microsoft addresses system and information integrity for Office 365, including flaw remediation, malicious code protection, information system monitoring, security alerts and advisories, information input handling and restrictions, error handling, memory protections, and fail-safe procedures.
You can use the information published for this control set in two ways:
1. In the Audited Controls area of the Security & Compliance Center, where you can search controls using keywords and control ID numbers, and filter controls to see only those controls that have findings.
2. You can also download the Audited Controls in Excel format and search them offline.
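Once the Audited Controls workbook has been downloaded, the same search-and-filter workflow the post describes can be scripted for a risk assessment. The Python below is an added example, not part of the original post or of any Microsoft tooling: it parses a constructed CSV export whose columns follow the control fields listed above, searches by keyword or control ID, and filters to controls with findings or with stale test dates. The column names, the NIST control IDs chosen, and every row value are constructed sample data, not the real workbook's contents.

```python
"""Triage a constructed export of the Office 365 Audited Controls workbook.

The columns mirror the fields the post lists for each control (Control ID,
Test status, Test date, Tested by, implementation details, testing performed,
management responses). All rows are CONSTRUCTED sample data for illustration.
"""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample export; column names follow the control fields named in the post.
SAMPLE_EXPORT = """\
Control Domain,Control ID,Test status,Test date,Tested by,Control implementation details,Testing performed,Management responses
Access Control,AC-2,Passed,2016-11-30,Third-party auditor,Accounts are provisioned through an approved request workflow.,Inspected a sample of account requests for approval evidence.,
Access Control,AC-6,Passed,2016-11-30,Third-party auditor,Least-privilege role assignments are reviewed quarterly.,Reviewed quarterly access review records.,
Audit and Accountability,AU-6,Passed with exceptions,2016-11-30,Third-party auditor,Audit logs are reviewed by the security operations team.,Sampled audit review tickets; one review was completed late.,Review SLA tightened and monitoring alert added.
Incident Response,IR-4,Passed,2016-09-15,Microsoft,Incidents are handled according to the documented response plan.,Walked through three closed incident records.,
Configuration Management,CM-3,Failed,2016-09-15,Third-party auditor,Changes require documented security impact analysis.,One sampled change lacked impact analysis sign-off.,Tooling now blocks deployment without sign-off.
"""


def load_controls(export_text=SAMPLE_EXPORT):
    """Parse the CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(export_text)))


def search(controls, keyword):
    """Case-insensitive keyword search over control ID, domain and implementation
    details, mirroring the search box in the Audited Controls area."""
    kw = keyword.lower()
    fields = ("Control ID", "Control Domain", "Control implementation details")
    return [c for c in controls if any(kw in c[f].lower() for f in fields)]


def with_findings(controls):
    """Controls that did not pass cleanly or carry a management response: the rows
    an assessor has to read in full rather than skim."""
    return [c for c in controls
            if c["Test status"].strip().lower() != "passed"
            or c["Management responses"].strip()]


def stale(controls, as_of, max_age_days=365):
    """Controls whose last test date is older than max_age_days as of the given date,
    so the assessor can ask whether a newer audit report exists."""
    return [c for c in controls
            if (as_of - date.fromisoformat(c["Test date"])).days > max_age_days]


def findings_by_domain(controls):
    """Count controls with findings per control domain for the assessment summary."""
    return Counter(c["Control Domain"] for c in with_findings(controls))


if __name__ == "__main__":
    rows = load_controls()
    print(f"{len(rows)} controls loaded")
    for c in with_findings(rows):
        print(f"{c['Control ID']:<6} {c['Test status']:<22} {c['Management responses']}")
    print(dict(findings_by_domain(rows)))
```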
Accessing Service Assurance and Audited Controls
Anyone—and I mean anyone—can access Service Assurance and Audited Controls, including existing customers of Office 365 for business, new customers, and customers evaluating Microsoft online services. When you access Service Assurance for the first time, the first step is to configure your industry and regional settings. Once you have selected regions and industries, you can review and download content, including compliance reports and trust documents, and Audited Controls. For detailed steps to access Service Assurance, see Service assurance in the Office 365 Security & Compliance Center.
You can also download Audited Controls workbooks from the Compliance Guides section of the Service Trust Preview, which is available to anyone with a paid or trial tenant.
Audited Controls Roadmap
The release of the Office 365 Audited Controls for NIST 800-53 represents another milestone in our efforts to be transparent with you about how we operate our cloud services. Our upcoming journey includes work to develop and release Office 365 Audited Controls for Service Organization Controls (SOC) 2, and to develop and release Audited Controls for both Azure and Dynamics 365. In addition, we are developing tools that will allow you to upload your own control framework and map it to Microsoft’s control framework and various standards.
Tens of thousands of organizations already use Office 365 Service Assurance and have indicated that they are saving a significant amount of time in evaluating the security, privacy and compliance of Office 365. We hope you find the Office 365 Audited Controls for NIST 800-53 useful, and we look forward to your feedback.
— Scott Schnoll, Senior Program Manager, Office 365 Customer Experience
Personal data (also referred to as PII, Personally Identifiable Information) identifies an individual. Within personal data, a name by itself is not enough to identify an individual; however, a name together with an address would be. For example, when you are called by an operator in a call centre, you will often be asked for your name, address and date of birth. That is an example of personal data. What they do with your personal information is data processing, that is, storing, sorting, putting through workflow (further processing) and retaining that data until archive (disposal). The controller of that data (that is, the owner of that call centre) is responsible for ensuring that the data is stored securely on their system.
However, no matter how secure the system is, or in fact how secure any data processing system is, social engineering attacks are a key threat vector. The weakest part of a system is the people, since they are the easiest to deceive and manipulate. One of the weakest points is impersonation attacks, where someone plays the role of a person who is likely to be trusted (and whose personal information was obtained through data processing). In other words, one of the ways to gather enough personal information about an individual to impersonate them is to obtain that information in the first place, and, to a large degree, ‘data processing’ is where that information can be obtained.
Through the data processing, there are three key elements:
The Subject, who owns the data.
The Controller, who is responsible for determining how the data is processed.
The Processor, who is responsible for the data processing of the subject data.
This can be represented in virtually any process; let’s take a basic SharePoint example:
The Subject uploads data into a SharePoint site.
The Controller manages the site where the data is uploaded and determines how the data is processed (also known as the data owner on the site).
The Processor holds that data from the point where it has been uploaded, to the point where the data is disposed of (this is generally some technical processes in the repository where the content has been uploaded, e.g. storage, workflow, disposition, security).
There are some assumptions to the above example in terms of the management of Personal information:
The Subject assumes that the data being uploaded is securely managed (it can be security classified, can be readily accessed, and remain intact).
The Controller assumes they are accountable for that data being serviced, by making sure the processor is sufficiently set up to secure that content and to mark it with an identifier of the subject. A basic example in SharePoint is that uploaded data gets marked with the name of the individual uploading it and the time when that occurred, and the history of working with that data is recorded.
The Processor assumes that it is designed in such a way that personal information is secure, and that any alterations, changes, modifications or workflow steps are known to the subject.
A conundrum is the sheer collaboration aspect; that is, who has access to that data, and, unfortunately, that some controllers misunderstand security as somehow being the product. It is not. Any system can be bypassed using social engineering if that data is compromised. The personal information of the Subject can be accessed by anyone who has view access to that data. For example, in the case of SharePoint Online, when a Subject’s name is clicked in a repository, a list of other documentation recently uploaded or accessed is visible, along with a link to getting more information through Delve. Additionally, on the Delve screen is a further link to the Subject’s OneDrive, and from there visibility of the Subject’s team. In terms of technology this example works slightly differently in SharePoint On-Premise; however, the outcome is the same.
The challenge is that, irrespective of the tools used to provide storage, availability and integrity of data, there needs to be some thinking about managing the security of the data as well as of personal information. Let’s look at some of the requirements on those three elements:
From the Subject, there needs to be understanding of how much information they enter about themselves using Delve (About Me, Projects, Skills and Expertise, Schools and Education, Interests and Hobbies) as this affects PII.
From the Controller, they need to provide awareness to the subject that the data they provide is secure, and the level of accessibility to that data, and where that data is located.
From Processing, the design of repositories needs to include the management of data storage, classification and workflow relevant to how personal information is passed. For example, the use of a form to capture information relevant to uploaded content may require the subject to enter personal information, maybe even beyond what is already supplied in Delve. If this is the case, the Controller should make the subject aware of the kind of information gathered, what the Processing element will do with that data, and how long that data will exist in the repository. Another example is where the uploaded data includes personal information and, through machine learning, metadata is extracted and posted as viewable column data in a repository. And this does not stop at metadata. The very design of code used to carry out further processing through workflow should be scrutinised, since the level of personal information recorded needs to meet legal requirements; in particular, in the UK the Data Protection Act 1998 covers this, including sensitive personal information, for which you should have the Subject’s consent beforehand to process.
Summary
Managing personal information is a crucial aspect of data security, and the key to understanding how to prevent breaches of personal data through impersonation or masquerading.
This short article is designed to get you thinking about the actual service delivery in managing personal information, not just for SharePoint (either Online or On-Premise), but beyond it to the endpoints connected to it, and then even further into the roadmap surrounding Office365. In a data processing system, the fundamental requirement is to secure the content through its lifecycle. The challenge is ensuring that the features of the tools involved are fully understood when it comes to the storage of personal information, and that security awareness, policies, and training are provided to subjects and data controllers. Legislation is important to understand in this area, and a good checklist to start from is here.
The key element, the Subject, can be made more aware of storing personal information in the content they upload. A good article on working through, say, a Word document and removing personally identifiable information is here.
A distinct point to make is that Microsoft cloud applications are by their very nature tools used by customers to upload and transmit information through their relevant tenants. For example, whilst Azure services cover tools for system maintenance, infrastructure, security, record retention, information management and system development, there are data processing activities which the tenants manage. Tenants are responsible for ensuring that information stored or transmitted through the services is securely managed, and at the very least should have carried out a security risk assessment of any data processing or controlling that involves personal information. The key thing to remember is that security is not a product – the responsibility of securing data through its processing lies with the Controller of that data – the tenant owner, the SharePoint site owner, and therefore the organisation responsible for providing those sites.
One of the most useful things, in my view, in planning implementations of Office365 is understanding data encryption, data backup and the standards applied. Microsoft have provided audit reports covering their cloud stack (Dynamics CRM, Office365, Yammer and Azure). These SOC and ISO reports include testing and trust principles in these areas:
Data Transmission and Encryption
Security Development Lifecycle
Data Replication and Data Backup
To access these reports, you will need to access the Security and Compliance area in your Office365 tenant.
As said, these cover the Microsoft Cloud Stack, however, the two key documents for Office365 are:
Office 365 ISO 27001-ISO 27018-ISO 27017 – this is an audit document confirming whether Office365 fulfils the standards and criteria against ISO 27001, 27018 and 27017.
Key points:
PII is included in Office365 because it is run over Public Cloud for multi-tenant customers.
Cloud Security is included in Office365 because it is defined as a SaaS (Software as a Service)
All encryption adheres to TLS requirements and hashing (specific)
Office 365 SOC 2 AT 101 Audit Report 2016 – this is an audit document looking at the controls relevant to Security, Availability, Confidentiality and Processing Integrity.
Key points:
Details on the services concerning planning, performance, SLAs, hiring process (including background checks of staff) are provided.
Control Monitoring, Access and Identity Management, and Data Transmission (encryption between Microsoft, the client and data centres) are described.
Project requirements through to Final Approval in the SDLC process are described.
Availability, Data Replication and Backup is covered.
Summary
The above SOC and ISO reports are extremely useful in aiding any risk assessment that you should undertake to confirm the service assurance of Office365 going forward. Risk assessments are not a ‘one shot’ task. They should be carried out on an annual basis. The Office365 service is a rich offering of Infrastructure, Software, People, Procedures and Data. Each requires security controls and confirmation that they meet standards which can be dovetailed into your organisation. The audits go into great detail concerning the controls (especially things like Data in Transit / Rest – SSL / TLS). A lot of questions are asked by customers concerning security controls – the video below is a good way for you (and your clients) to understand how Microsoft ensures proactive protection, and you should definitely check out the Microsoft Trust Centre for great information concerning encryption.