Decoding the Microsoft Office 365 Shared Responsibility Model

On-premises Responsibility Model

In an on-premises implementation, you owned the whole stack. From the Data center (DC), network, applications, and Operating System (OS) to endpoints, access management, and customer data – the responsibility of it lay with your organization. The move to the cloud does transfer some of the responsibility to Microsoft, but not all. 

Microsoft Office 365 Shared Responsibility Model 

Microsoft Office 365 Shared Responsibility Model: A Visual Nutshell

Microsoft clarifies that its responsibility only extends to its applications/servers and you are responsible for the data within the cloud. You still primarily hold responsibility for customer data, endpoints, account, and access management.  

“For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).” 

– Microsoft Documentation 

To understand the Shared Responsibility Model better, let’s divide it into three aspects: Infrastructure and Data Responsibility, Security Onus, and Regulatory Obligations

#1 Microsoft Office 365 Shared Responsibility Implication: Infrastructure and Data Responsibility

Infrastructure and Data Implications

Whereas with the on-premises model, the entire responsibility of the Infrastructure and Data lay with your organization, the SaaS Microsoft 365 platform now shares the responsibility.

Microsoft’s Infrastructure Responsibility

• Host Infrastructure (DC, Operating System, Virtualization): This includes the management, and securing of the virtual hosts, containers, storage, and platform services.
• Network Controls (Virtual networking, load balancing, DNS, and gateways): The entire network infrastructure is abstracted from you with the Microsoft 365 SaaS platform.
• Applications (Platform-managed applications and services): This includes web services, batch, docDb, IoT, analytics, media services, and others. While robust identity management and comprehensive security capabilities are provided by Microsoft, the identity and access configuration of these services lies with you and will be covered in the Access Management point below.

Your Data Responsibility

• Customer Data and Information: Microsoft makes it clear that the responsibility of data remains unchanged, no matter what the implementation type. There is no difference between an on-premises model or a SaaS model when it comes to the customer’s responsibility for their information and data.
• Endpoint devices: With the shift to the remote workforce, an increasingly diverse set of endpoint devices access the Microsoft 365 platform. Microsoft with its Endpoint Manager does help, but the responsibility lies with you.
• Account and Access management: Identity and access management is a shared responsibility between Microsoft and your organization. Microsoft provides the framework of multifactor authentication (MFA), identity protection, role-based access control, and provisions to integrate with third-party applications using Azure Active Directory. However, you have the onus of configuration, management, and monitoring of user identities and access control.

#2 Microsoft Office 365 Shared Responsibility Implication: Security Onus

Shared Responsibility of Security

Microsoft’s Security Responsibility

• DC Protection and Replication: Microsoft shoulders the responsibility of the protection of the DC, network, and OS with built-in data replication. In the event of a software failure/outage/tornado impacting a global data center, the DC to DC geo-redundancy allows Microsoft to failover to the replication target. Note that
• Short-term Data Recovery: Microsoft only offers limited, short-term data loss recovery.

Your Security Responsibility

• Data protection: Organizations assume that as their data is on the cloud, Microsoft has the onus of protecting it from data loss. Microsoft cannot protect you from data loss at your end due to accidental or malicious deletion/corruption, malware, ransomware, or sync errors. Network monitoring, firewalls, anti-virus software, and other security checkpoints and processes lie with you.
• Data backup and Business continuity/disaster recovery (BCDR) planning: Microsoft only offers time-bound recovery options with no provision for unlimited, point-in-time recovery. If no retention policy is set, you can only recover items from the past ~45 days. Even with Litigation Hold and eDiscovery, recovery is manual and contains outdated data. What about Microsoft’s replication? Well, data that is deleted or corrupted is replicated too and hence cannot be depended upon to recover from data loss. Essentially, if you require easy and accurate data recovery from any point-in-time – a central requirement for any robust BCDR plan, you need to backup your Microsoft data. Read our free ebook: Why Backup SaaS data?

#3 Microsoft Office 365 Shared Responsibility Implication: Regulatory Obligations

Shared Regulatory Obligations

Microsoft’s Regulatory Responsibility:

Microsoft holds the role of a Data Processor (DP). As a DP it has to explicitly process the customer’s data as per the controller’s (your) instructions. Microsoft also needs to inform its customers about breaches to its data centers and implement transparent security policies. Microsoft’s Trust Center details their extensive compliance with US national security laws, GDPR, and other international export control laws and regulations. It also offers considerable guidance to help your organization comply with industry-specific and local regulations.

Your Regulatory Responsibility:

You hold the role of a Data Controller. This entails that you have the complete onus of consent, access, privacy, and protection of data. You need to manage, classify, and configure best practices and solutions to meet your unique legal and compliance requirements. This includes both configuring Microsoft archive and retention policies, and ensuring you have verifiable data recovery solutions in place.

The Last Word to Microsoft

Securing your Microsoft 365 data is a must from the standpoint of data loss (one out of three organizations have lost SaaS data), the devastating impact of data loss (the global average is $3.83 million), and compliance requirements (most regulations mandate that data controllers have the ability to recover data). Native Microsoft 365 archival tools offer cumbersome time-bound recovery options and none of them allow for unlimited point-in-time recovery – a must both for recovery from data loss and compliance reasons.

“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

– Microsoft SLA

Ensure you meet all the requirements of the Microsoft Office 365 Shared Responsibility model with CloudAlly’s top-rated, secure, and easy cloud-to-cloud Microsoft 365 backup and recovery.

Try a full-feature, 15-day free trial now – No payment details required | Unlimited AWS storage | Zero Setup