This post was written by Vijay Kumar, senior product marketing manager, and Raji Dani, principal program manager for the Office 365 Security team.
As a cloud services provider, we recognize that organizations understandably want to have full control over access to their content stored in cloud services. Today at RSA, we announced Customer Lockbox for Office 365, a new capability designed to provide customers with unprecedented control over their content in the service. Customer Lockbox gives customers explicit control in the very rare instances when a Microsoft engineer may need access to customer content to resolve a customer issue.
In our efforts to maximize data security and privacy for Office 365 customers, we have engineered the service to require nearly zero interaction with customer content by Microsoft employees. Nearly all service operations performed by Microsoft are fully automated and the human involvement is highly controlled and abstracted away from customer content. As a result, only in rare cases—such as when troubleshooting a customer issue with mailbox or document contents—does a Microsoft engineer have any reason to access customer content in Office 365.
Microsoft Engineers do not have standing access to any service operation. All access is obtained through a rigorous access control technology called Lockbox. Today, Lockbox enforces access control through multiple levels of approval within Microsoft, providing just-in-time access with limited and time-bound authorization. In addition, all access control activities in the service are logged and audited.
With today’s announcement, we are bringing customers into the Lockbox approval process for instances involving access to customer content. Use of the Customer Lockbox feature ensures that Microsoft engineer does not get access to the customer’s content without customer’s explicit approval. When the customer gets the request for access, they can scrutinize the request and either approve or reject it. Until the request is approved, the Microsoft engineer will not be granted access.
Of course transparency and control are important in achieving trust, and all Customer Lockbox activity will be available to customers via the Office 365 Management Activity logs for easy integration into customer security monitoring and reporting systems.
Customer Lockbox will be available for Exchange Online by the end of 2015, and for SharePoint Online by the first quarter of 2016.
For more information about our trust principles and how we manage security, privacy and compliance, please visit the Office 365 trust center at trust.office365.com.
Frequently asked questions
Q: Is Customer Lockbox available to all customers?
A: Our intent is to make Customer Lockbox available to all Office 365 commercial plans, as described here. Customers interested in using it will have the ability to opt-in.
Q: Who is notified when there is a request to access customer’s content?
A: Administrators in the customer’s Office 365 environment are notified that there is a request for access.
Q: Who can approve or reject these requests in customer’s organization?
A: Administrators in the customer’s Office 365 environment can control who can approve or reject Customer Lockbox requests.
Q: Under what circumstances do Microsoft engineers need access to customer’s content?
A: No one at Microsoft has standing access to customer content in Office 365. Further, we have engineered Office 365 such that majority of service operations are automated and abstracted from Microsoft engineers. An example of a rare circumstance when Microsoft engineers may need access to customer content is if the customer makes a support request that requires access.
Q: What happens if a customer reject the Microsoft engineer’s access to content?
A: Microsoft can only proceed following approval of a Customer Lockbox request. If a customer rejects a Customer Lockbox request, no access to customer content will occur. If a user was experiencing a service issue that required Microsoft to access customer content in order to resolve (though such circumstances are rare), then the service issue might simply persist. Microsoft would inform the customer of this outcome.
Q: What happens to a Customer Lockbox request that was not acted upon by the customer in a timely manner?
A: Customer Lockbox requests have a default lifetime of 12 hours, after which they expire and Microsoft engineer will not get access to customer content.
Source: Office Blog