August 23, 2017
By David Branscome
In the partner organization at Microsoft, we get lots of requests from partners that are in the process of responding to an RFP for Office 365 or Azure deployments. Maybe the partner has described the Microsoft datacenters to their customers as being ISO 27001 or FedRAMP compliant. But now the customer has stated that they need to know how certain controls are implemented in Microsoft’s datacenters. In many cases, the customer is audited regularly, and they have to be able to provide evidence that their data is stored in a specific manner or that access is controlled in a specific way.
The problem is, getting access into the Microsoft datacenters is REALLY difficult. Most Microsoft employees haven’t even been in one of the cloud datacenters – including myself. (There’s a decent virtual tour here, but I’d sure like to see all the blinky lights someday.)
In any case, partners don’t have to get a datacenter tour to respond to these types of information requests from customers. The information is literally at their fingertips in the Office 365 portal – just go to the Security & Compliance section and on the left side, find the Service Assurance section.
Wait…I Don’t See it!
But wait a second.
This data isn’t available to everyone. So, a compliance officer with no special permissions in Office 365 would see something like this:
They don’t even see the Admin or Security & Compliance application icons – let alone the Service Assurance menu. Now what?
As you’d expect, not everyone with an account in Office 365 needs to see that organization’s security configuration. If there are some users who need to be able to access the Service Assurance Center, here’s how to grant those permissions:
Log in to the Office 365 portal with Global Admin credentials.
Go to the Security and Compliance app and select Permissions.
In Permissions, check the box for Service Assurance User.
Select Edit role group and in the Members area, click on Edit.
Select Choose members to add the people who should have these permissions.
Click Add and then find the user.
Finish the wizard and you’ll see the user as a member of the Service Assurance User permissions group.
When the user logs in again, they will be able to go to https://protection.office.com and see the Service Assurance center:
Now that you have the necessary permissions, you can start digging into the content in the Service Assurance center. You could start off by looking at all the controls and audited elements, but maybe you want to be more specific in your approach.
Let’s say you want to see how Office 365 meets ISO 27001 standards.
The first thing I’d recommend is to go to the Settings area and define the region whose controls are relevant – in this case, Europe. You’ll also need to select at least one of the industries whose regulations would be relevant to your search, then click Save.
As the green box indicates, you can now go into the Compliance Reports, Trust Documents and Audited Controls and review the content for the relevant region and industry. So, let’s take a look at what’s there.
If you look in the Compliance Reports area, you’ll see the listing of the certificates that Microsoft cloud datacenters have achieved, and you can click on and download the certificate itself.
For example, if I expand the ISO reports section and scroll down, I see a report named “Office 365 Germany ISO 27001 ISO 27017 and ISO 27018 Audit Assessment Report”. If I click on it, I can open the PDF file itself, which provides me with the final report stating that Office 365 meets the expectations for compliance.
But this only tells me if Microsoft complied with the controls or not. It doesn’t tell me what was actually tested as part of the process.
For that, I can go to the Audited Controls section, where I see the ISO 27018-2014 audit report and I can download it for review.
In this case, the report is an Excel spreadsheet which details things like the title of the control, the implementation and testing details, when it was tested and who performed the testing. This kind of information is generally enough for a customer’s audit team to be reassured of Microsoft’s compliance with the standard.
Don’t forget – if you want to change the scope of the controls (the region/country where the controls are relevant, which industry regulations apply, etc..) you can change the parameters in the Settings tab.
The Trusted Cloud
Microsoft is constantly working to achieve, maintain and even exceed compliance standards in order to secure customer data and make our cloud the most trusted one on the planet. The Service Assurance section of Office 365 is one evidence of that effort. Make sure to take advantage of it!
Additionally, check out the resources in the Microsoft Trust Center for information about GDPR, security, protection of user’s personally identifiable information and Microsoft’s commitment to providing customers with the controls necessary to secure their environment and user identities.