Microsoft Office 365 Shared Responsibility Model

Understanding Microsoft’s Shared Responsibility model is essential for your organization to work securely and productively in the cloud. For instance, 35% of the market wrongly assumes that their SaaS vendor is responsible for data protection, when it is solely their responsibility. Microsoft is only responsible for the availability of the service itself and not the recoverability of the data contained within the platform. Let’s do a deep dive into the Microsoft Office 365 Shared Responsibility Model (and bust a few myths along the way).

You’ve moved to the Microsoft 365 SaaS platform to wash your hands of the nitty-gritty of infrastructure and implementation. Does the migration to the cloud also shift all your previous on-premises workload responsibilities to Microsoft? Emphatically, no. To underline the considerable shift in responsibilities, cloud providers and regulatory laws have rephrased it as “shared responsibility”. The onus of infrastructure, data, security, and regulatory responsibilities is shared between you as a Data Controller and Microsoft as a Data Processor.


On-premises Responsibility Model

In an on-premises implementation, you owned the whole stack. From the data center (DC), network, applications, and operating system (OS) to endpoints, access management, and customer data, responsibility for all of it lay with your organization. The move to the cloud does transfer some of the responsibility to Microsoft, but not all.

Microsoft Office 365 Shared Responsibility Model 


Microsoft Office 365 Shared Responsibility Model: A Visual Nutshell

Microsoft clarifies that its responsibility extends only to its applications and servers, and that you are responsible for the data within the cloud. You still hold primary responsibility for customer data, endpoints, accounts, and access management.

“For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).” 

– Microsoft Documentation 

To understand the Shared Responsibility Model better, let’s divide it into three aspects: Infrastructure and Data Responsibility, Security Onus, and Regulatory Obligations.

#1 Microsoft Office 365 Shared Responsibility Implication: Infrastructure and Data Responsibility


Infrastructure and Data Implications

With the on-premises model, the entire responsibility for infrastructure and data lay with your organization. With the Microsoft 365 SaaS platform, that responsibility is now shared.

Microsoft’s Infrastructure Responsibility

  • Host Infrastructure (DC, Operating System, Virtualization): This includes managing and securing the virtual hosts, containers, storage, and platform services.
  • Network Controls (Virtual networking, load balancing, DNS, and gateways): The entire network infrastructure is abstracted from you with the Microsoft 365 SaaS platform.
  • Applications (Platform-managed applications and services): This includes web services, batch, docDb, IoT, analytics, media services, and others. While robust identity management and comprehensive security capabilities are provided by Microsoft, the identity and access configuration of these services lies with you and will be covered in the Access Management point below.

Your Data Responsibility

  • Customer Data and Information: Microsoft makes it clear that the responsibility for data remains unchanged, no matter what the implementation type. There is no difference between an on-premises model and a SaaS model when it comes to the customer’s responsibility for their information and data.
  • Endpoint devices: With the shift to a remote workforce, an increasingly diverse set of endpoint devices accesses the Microsoft 365 platform. Microsoft, with its Endpoint Manager, does help, but the responsibility lies with you.
  • Account and Access management: Identity and access management is a shared responsibility between Microsoft and your organization. Microsoft provides the framework of multifactor authentication (MFA), identity protection, role-based access control, and provisions to integrate with third-party applications using Azure Active Directory. However, you have the onus of configuration, management, and monitoring of user identities and access control.

#2 Microsoft Office 365 Shared Responsibility Implication: Security Onus


Microsoft’s Security Responsibility

  • DC Protection and Replication: Microsoft shoulders the responsibility for protecting the DC, network, and OS, with built-in data replication. In the event of a software failure/outage/tornado impacting a global data center, the DC-to-DC geo-redundancy allows Microsoft to fail over to the replication target. Note that
  • Short-term Data Recovery: Microsoft only offers limited, short-term data loss recovery.

Your Security Responsibility

  • Data protection: Organizations assume that as their data is on the cloud, Microsoft has the onus of protecting it from data loss. Microsoft cannot protect you from data loss at your end due to accidental or malicious deletion/corruption, malware, ransomware, or sync errors. Network monitoring, firewalls, anti-virus software, and other security checkpoints and processes lie with you.
  • Data backup and Business continuity/disaster recovery (BCDR) planning: Microsoft only offers time-bound recovery options with no provision for unlimited, point-in-time recovery. If no retention policy is set, you can only recover items from the past ~45 days. Even with Litigation Hold and eDiscovery, recovery is manual and contains outdated data. What about Microsoft’s replication? Well, data that is deleted or corrupted is replicated too and hence cannot be depended upon to reco