Customer Lockbox: Beef up your Office 365 Security

Customer Lockbox: Beef up your Office 365 Security

by

Let us introduce you to the new Office 365 Customer Lockbox, the latest addition (and improvement) to Microsoft’s cloud based family. Say “hi”!

Customer Lockbox gives you an additional layer of control over ‘back door’ access to your company’s documents and folders. In the (very) rare event that Microsoft engineers need to view your company’s content when solving a problem, the Customer Lockbox will give you even greater control over what that engineer does when they’re inside your systems. This does, however, come at a cost.

Customer Lockbox was announced in April 2015, before being released this past December. While Microsoft have consistently maintained that they don’t snoop on your content and that the cloud is totally private, Edward Snowden’s leaks revealed that the company has in the past given the NSA back-door access to their services. Some customers were, understandably, pretty spooked by this kind of possibility – which is part of the reason Microsoft created their Office 365 Trust Center.

So, what does the Customer Lockbox mean for you, and, given the fact that Microsoft says Office 365 is secure anyway, do you actually need it?

Office 365 Customer Lockbox: Business Case

Office 365 Customer Lockbox: Business Case

If you don’t have Customer Lockbox, this doesn’t mean Microsoft can read any of your content whenever they like. There are very few occasions when the firm would want to view your data, and no Microsoft employee has standing access to your data in Office 365.

At present, most engineering and maintenance in Office 365 is done remotely and impersonally. Updates and fixes are fed through to your systems automatically, and Microsoft admins should really have no reason to access your environment.

Nonetheless, there's the odd situation that arises which calls for a Microsoft engineer to enter your environment and view content. For this to happen, you – or someone on your team – needs to contact Microsoft and ask for help.

Now, at present, the process goes like this:

  • You call or email Microsoft, explaining the problem.
  • An engineer is notified and he or she attempts to troubleshoot your problem.
  • If the engineer realizes that they’re going to have to enter your environment, they have to request access from senior Microsoft staff who will make sure this is the only possible solution.
  • The engineer then has a limited timeframe to enter your environment and solve the problem.

Now, while that seems pretty secure to us, Customer Lockbox gives you the final level of control.

What Customer Lockbox Offers

What Customer Lockbox Offers

Simply put, Customer Lockbox means that whenever Microsoft wants to access your content, they have to notify you and gain your express consent. Procedures will follow the process outlined above within Microsoft, but the engineer dealing with your specific problem will also have to email you first and make sure you're absolutely happy for them to enter your environment.

In an interview with ARS Technica last year, Julia White (Microsoft’s general manager for Office 365) explained that

"We have automated everything we can to prevent the need for our people having to touch customer data… …there are very rare instances when a Microsoft engineer has to log in to a customers' services. Now we're going to, in those rare instances, make customer approval mandatory to do so."

Customer Lockbox offers exactly this.

Julia explained that this also goes further and includes requests for access from law enforcement agencies too:

“When the customer opts into the Lockbox, all requests would go into that process. So it's a customer assurance of transparency. We want to systematically look at what kind of control and transparency customers want and provide it to them”.

Customer Lockbox assumes you'll take some responsibility; once a Microsoft engineer has contacted you to ask for access, you have 12 hours to reply or else the request will be cancelled and the engineer won’t be able to work on your problem. So, no hanging around!

So, Do You Need Extra Office 365 Security?

who needs Customer Lockbox

Customer Lockbox has been available for Exchange Online since November and will be made available for SharePoint Online during the first quarter of 2016. Office 365 Security's version of Customer Lockbox is only available as part of a new premium version of Office 365 called E5. You can download that here.

Now, is Customer Lockbox necessary for your company? This is a rather tricky question. On one hand, you naturally want total control over your data, on the other hand E5 is relatively pricey. You’ll have to decide how much of a risk you think a Microsoft engineer accessing your data is. In the end, it’s very rare that Microsoft employees will be looking at your content, and unless you have some very sensitive information in there, it’s worth asking just how necessary this is.

However, for certain companies and organizations, Customer Lockbox will offer the additional level of control which will give them complete confidence in their data’s security. In either case, offering customers total control over their environments is a welcome move from Microsoft, and will be very valuable in certain circumstances.

Vincent Caruana
Vincent Caruana @sharegatetools

Vince dedicates his professional and personal life to informing the masses through literature. If it's worth writing about, he'll put 100% of his experience, education, and personal touch into each project, making sure the information is delivered clearly, comprehensively, and passionately.