SoftwareOne logo

7.1 min to readCloud Services

You've migrated to the cloud - Who's responsible for the data?

Ravi Bindra
Ravi BindraCISO
Seagulls flying over the ocean at sunset.

When Microsoft 365 was first introduced, Microsoft had two goals:

  1. improve the customer experience and
  2. deliver the most secure platform ever.

In an era where cyber security threats loom large, it is that second goal which resonates with compelling force.

In fact, the number of data breaches for the first nine months of 2021 managed to exceed the total number of all data breach events in the full year of 2020 by 17 percent. This provides further evidence that your organization must consider how you plan to mitigate the risk of data loss across your entire business – even for robust, highly resilient technologies like Microsoft 365.

The security features that Microsoft implemented into its product are well-fitted to serve the goals of organizations making the move to the cloud. But what those organizations need to realize is that they still have their own parts to play when it comes to securing their data.

What Microsoft covers and what the customer needs to cover is not always as clear as it should be. The key is knowing what is included by Microsoft 365 and where security must be augmented in order to ensure data security and compliance. This guide outlines who is responsible for what when it comes to security in the Microsoft 365 cloud environment.

What is Microsoft’s security responsibility?

Microsoft 365 has security features built into it that cover critical infrastructure and availability, while the Microsoft 365 security and compliance centers offer platforms for visibility and control. However, organizations are responsible for the security of their own data. Let us break that down a bit.

This is what Microsoft is responsible for:

  • Physical security
  • Security components that are a shared responsibility between Microsoft and its customers:
    • User/admin controls
    • Logical security
    • App-level security
    • Data privacy, regulatory controls, and industry certifications (such as HIPAA, for example)

Everything else is the responsibility of the customer. Cloud Service Providers like Microsoft, Google, AWS, etc. all follow the same model where they own the application infrastructure, availability, and up-time – while the customer is responsible for the data they bring to and house in the application. This means that customers must take responsibility for all matters related to access and control of all their cloud data residing in Microsoft 365.

For starters, that entails implementing supporting technology beyond what is provided by Microsoft – namely, a Microsoft 365 backup solution such as SoftwareOne’s BackupSimple powered by Metallic. The old days, when security strategies were based on building a perimeter around your applications, are over. Now, when the majority of organizations have implemented hybrid or multi-cloud environments, it’s crucial to take a zero day approach. Hackers have become more sophisticated than ever in their attacks, and you need strong cloud workload security whether you’re working within a single cloud or multiple. That is why today’s businesses need richer security based on an “assume breach” mentality. Going beyond perimeter control, this means a number of things, but a backup solution for your cloud data is key. That way, if a security breach does occur, you will be glad to know that you have clean backups from which you can restore your data.

Managed cloud: Make your cloud transformation a reality

The data loss recovery solutions that come built into Microsoft 365 offer only a short-term solution, which has limitations. Companies need extended data retention for SLA compliance, rapid recovery tools to get data back fast and reduce downtime, and air-gapped ransomware protection to separate backup copies from source data. In today’s world of ultra-high standards of data protection and compliance, a "limited" solution simply will not do. You will need a robust backup solution such as BackupSimple powered by Metallic in order to navigate the demands that come with securing your cloud data.

You will also want to ensure full data retention with multiple recovery options. That entails taking data-level security matters into your own hands to handle critical functions like:

  • Malware, ransomware, hackers
  • Malicious internal behavior
  • Corporate and industry regulatory requirements for data owners
  • Satisfying internal legal and compliance officers
  • Negligent internal behavior (e.g. accidental deletion)
  • Security Awareness

What resources does Microsoft provide?

Microsoft does provide a significant bank of resources. Their 365 security center, for example, is where security teams can get an overall snapshot of the security health of their organization. It provides visibility, sends alerts, reports, and advanced hunting of bad agents in an organization like malware and suspicious files. It also classifies organization data and applies labels that can be used to encrypt files and control user access, among other actions that contribute to overall cyber security. The security center is also a place to manage permissions in an organization’s M365 environment.

In addition, the Microsoft Compliance Center speaks to the risk management aspect of data. It does this by serving as a central location for governing data, offering better visibility and hence, a better ability to meet regulatory requests. And much like the Microsoft Security center, it offers help with data labeling, an essential function for efficient compliance.

Microsoft also integrates cloud app security into the compliance center, to help security teams identify risk in their applications, monitor user behavior, and unearth the growing problem of shadow IT. They also recently announced the release of identity and threat protection, information protection and compliance.

Both centers offer a full range of helpful tools and services but they do not provide everything you need to keep your company’s data secure after you’ve moved to the cloud. In other words, they offer analytics, visibility, and data that teams need to ensure security but what happens if you do not have a security team, or if your team is understaffed and overwhelmed?

Determine where you need to increase security

Leverage the Microsoft and security expertise of SoftwareOne to find out where you need to make improvements in your data security strategy. Your workplace transformation depends on a cloud adoption experience that is swift enough to start enjoying cloud benefits now, but secure enough to allow you to realize the full benefits of Microsoft 365. Maximizing productivity with today’s leading technology platform is a little simpler and a little easier with help from us. Our 365Simple solution coupled with our Security for Azure service offers single, comprehensive solution for managing your end of the shared responsibility model for data management in the cloud with:

  • Anywhere-anytime access to data by allowing employees to work on the device of their choice
  • Better collaboration with the tools employees need to effectively work with data and draw insights from it
  • Maximum levels of data security and privacy standards set by Microsoft

And when you also choose SoftwareOne’s Security Services, you can add proactive protection against the ever-changing and growing cyber security threats of today’s world. You also get help with the increasingly stringent regulations designed to protect information and consumer data, like the General Data Protection Regulation (GDPR) that’s causing sweeping changes in the way data is collected, stored, and managed throughout the world.

Managed Security Services enable all of those types of protection, allowing you to safeguard your Microsoft 365 environment using state-of-the-art tools and services for critical functions like these:

  • Identity management
  • Cloud access management
  • Mobile device security
  • Detection and response to targeted attacks and insider threats
  • Malware protection
  • Protection against Phishing Attacks through email
  • Data Leakage Prevention through Azure Information Protection
  • Protection against unauthorized disclosure
  • Help with other M365 compliance matters such as transparency, record keeping, and accountability

Breaking the myth: cloud security is not the provider’s responsibility

If the shared responsibility model outlined here is news to you, you are not alone. In fact, many IT professionals still struggle to decipher the boundaries between customer and provider when it comes to securing a cloud infrastructure. In a nutshell, it is “someone else’s network” but it is still your data. Microsoft gives you the right tools so you can create security measures for your cloud workflows, but inherent in the use of those tools is that the responsibility is still yours for a number of different functions – above all, those that circle around secure data management. And with our help, your end of the agreement is covered.

A green field with a river running through it.

Cloud Services

SoftwareOne Cloud Services ensure your cloud migration and application modernisation initiatives succeed.

Cloud Services

SoftwareOne Cloud Services ensure your cloud migration and application modernisation initiatives succeed.


Ravi Bindra

Ravi Bindra

Ravi holds over 20 years’ experience as a cyber security evangelist, holding multiple leadership roles in the Swiss pharmaceutical industry, such as Global Head of Risk Management, Global Head of Architecture and Global Head of Security Operations.