You’ve Migrated to the Cloud – Who’s Responsible for the Data?

You've Migrated to the Cloud

Who's Responsible for the Data?

You've Migrated to the Cloud - Who's Responsible for the Data?

When Microsoft first introduced Microsoft 365, they had two goals: 1) improve the customer experience and 2) deliver the most secure platform ever. In the era where cyber security threats loom large in the minds of CISOs and other leaders charged with safeguarding modern workplaces, it is that second goal which resonates with compelling force. The security features that Microsoft implemented into their product are well-fitted to serve the goals of organizations making the move to the cloud – customers like BP, Lilly, and Gap have seen as much as triple-digit seat growth after launching.

But what those corporate giants have learned along the way – and what smaller organizations need to know, too – is that they still have their own parts to play when it comes to securing their data.

What Microsoft covers and what the customer needs to cover is not always as clear as it should be. The key is knowing what is included by Microsoft 365 and where security must be augmented in order to ensure data security and compliance. With this in mind, here is a guide to who is responsible for what when it comes to cloud security in the 365 cloud environment.

What is Microsoft’s Responsibility with Security?

Microsoft 365 has security features built into it that cover critical infrastructure, and the M365 security and compliance centers offer platforms for visibility and control. But organizations are responsible for the security of their own data. Let us break that down a bit.

Here is what Microsoft is responsible for:

  • Physical security
  • Security components that are a shared responsibility between Microsoft and its customers:
    • User/admin controls
    • Logical security
    • App-level security
    • Data privacy, regulatory controls, and industry certifications (such as HIPPA, for example)

Everything else is the responsibility of the customer. This means that customers must take responsibility for all matters related to access and control of all their data residing in Office 365.

For starters, that entails implementing supporting technology beyond what is provided by Microsoft – namely, an Office 365 Backup solution. The old days, when security strategies were based on building a perimeter around your applications, are over. Today’s businesses need richer security based on an “assume breach” mentality. Going beyond perimeter control, this means a number of things but a backup solution for your cloud data is key. That way, if a security breach does occur, you will be glad to know that you have clean backups from which you can restore your data.

The data loss recovery solutions that come built into Office 365 offer only a short-term solution, which has limitations. In today’s world of ultra-high standards of data protection and compliance, a “limited” solution simply will not do.

You will also want to ensure full data retention with multiple recovery options. That entails taking data-level security matters into your own hands to handle critical functions like:

  • Malware, ransomware, hackers
  • Malicious internal behavior
  • Corporate and industry regulatory requirements for data owners
  • Satisfying internal legal and compliance officers
  • Negligent internal behavior (e.g. accidental deletion)
  • Security Awareness

What Resources Does Microsoft Provide?

Microsoft does provide a significant bank of resources. Their 365 security center, for example, is where security teams can get an overall snapshot of the security health of their organization. It provides visibility, sends alerts, reports, and advanced hunting of bad agents in an organization like malware and suspicious files. It also classifies organization data and applies labels that can be used to encrypt files and control user access, among other actions that contribute to overall cyber security. The security center is also a place to manage permissions in an organization’s M365 environment.

In addition, the Microsoft Compliance Center speaks to the risk management aspect of data. It does this by serving as a central location for governing data, offering better visibility and hence, a better ability to meet regulatory requests. And much like the Microsoft Security center, it offers help with data labeling, an essential function for efficient compliance.

In addition, the Microsoft Compliance Center speaks to the risk management aspect of data. It does this by serving as a central location for governing data, offering better visibility and hence, a better ability to meet regulatory requests. And much like the Microsoft Security center, it offers help with data labeling, an essential function for efficient compliance.

Microsoft also integrates cloud app security into the compliance center, to help security teams identify risk in their applications, monitor user behavior, and unearth the growing problem of shadow IT. They also recently announced the release of identity and threat protection, information protection and compliance.

Both centers offer a full range of helpful tools and services but they do not provide everything you need to keep your company’s data secure after you’ve moved to the cloud. In other words, they offer analytics, visibility, and data that teams need to ensure security but what happens if you do not have a security team, or if your team is understaffed and overwhelmed?

Determine Where You Need to Increase Security

Leverage the Microsoft and security expertise of SoftwareONE to find out where you need to make improvements in your data security strategy. Your workplace transformation depends on a cloud adoption experience that is swift enough to start enjoying cloud benefits now, but secure enough to allow you to realize the full benefits of Microsoft 365. Maximizing productivity with today’s leading technology platform is a little simpler and a little easier with help from us. Our 365Simple solution  coupled with our Security for Azure service offers single, comprehensive solution for managing your end of the shared responsibility model for data management in the cloud with:

  • Anywhere-anytime access to data by allowing employees to work on the device of their choice
  • Better collaboration with the tools employees need to effectively work with data and draw insights from it
  • Maximum levels of data security and privacy standards set by Microsoft

And when you also choose SoftwareONE’s Managed Security Services, you can add proactive protection against the ever-changing and growing cyber security threats of today’s world. You also get help with the increasingly stringent regulations designed to protect information and consumer data, like the General Data Protection Regulation (GDPR) that’s causing sweeping changes in the way data is collected, stored, and managed throughout the world.

Managed Security Services enable all of those types of protection, allowing you to safeguard your Microsoft 365 environment using state-of-the-art tools and services for critical functions like these:

  • Identity management
  • Cloud access management
  • Mobile device security
  • Detection and response to targeted attacks and insider threats
  • Malware protection
  • Protection against Phishing Attacks through email
  • Data Leakage Prevention through Azure Information Protection
  • Protection against unauthorized disclosure
  • Help with other M365 compliance matters such as transparency, record keeping, and accountability

Breaking the Myth: Cloud Security is Not the Provider’s Responsibility

If the shared responsibility model outlined here is news to you, you are not alone. In fact, many IT professionals still struggle to decipher the boundaries between customer and provider when it comes to securing a cloud infrastructure. In a nutshell, it is “someone else’s network” but it is still your data. Microsoft gives you the right tools so you can create security measures for your cloud workflows, but inherent in the use of those tools is that the responsibility is still yours for a number of different functions – above all, those that circle around secure data management. And with our help, your end of the agreement is covered.

Secure Your Microsoft365 Cloud Migration

Learn where to increase security controls to enable compliance and data management in the cloud with 365Simple.

Discover 365Simple

Comment on this article

Leave a comment to let us know what you think about this topic!

Leave a comment


Bala Sathunathan

Bala Sethunathan

Director, Security Practice & CISO


Related Articles


Windows 7 Extended Support: Now Is the Time to Take Action!

Microsoft ended support for Windows 7. Find out which far-reaching impact this will have on your environment.

  • 31 March 2020
  • Managed Cloud, PyraCloud
  • Management, Tips, Transformation

Cloud Cost Management Tips for Your Cloud Transition

It can be difficult to reel in cloud spending after you’ve already deployed cloud assets. Let’s take a look at key ways to control your cloud costs.


How to Improve Consistency with DevOps & Automated Patch Management

IT teams face compliance and budget challenges when handling access and user rights. DevOps services can help them rise to those challenges with better overall efficiency.