Friday, May 22, 2015

Office 365 Customer Lockbox


There was a major announcement at the RSA Security Conference (April 2015) associated with Office 365 and a solution called the Lockbox. In this announcement, it was publicly communicated that a new step is being added to the Lockbox process. This addition gives Office 365 customers explicit control over the rare instances when a Microsoft engineer may need access to customer content to resolve a customer issue.

So what is the Lockbox?

If you have not read about the Office 365 Lockbox, I highly recommend you learn more about it. There is good information in the Office 365 Security Whitepaper (

In Office 365, Microsoft engineers do not have any standing permissions in the environment. Access to the environment is controlled through a solution called the Lockbox. The Lockbox requires multiple levels of approval and ultimately provides just-in-time access with the least privilege required to support an activity. All activity is time-boxed, so the support activity must be completed within the specified period of time. All activity is logged and audited. Remember that there are many other controls in Office 365 that protect customer content: for instance, Microsoft strives to automate all access to the environment to reduce human access, and there is separation of duties, encryption in transit, encryption at rest, two-factor authentication, and so on.

Microsoft has designed the Office 365 service such that access to customer content is not required. Microsoft’s position has always been that the customer owns the data and that Microsoft does not mine or use customer data for advertising purposes.

So what is the update to the Lockbox process?

The Lockbox provides engineers with access to the environment. Remember that just because an engineer is given access to the environment does not mean they need any access to customer content.

Are there rare cases where a support engineer may need access to customer content to troubleshoot an issue? Sure there could be.

With this new announcement, customers now have an approval step in the Lockbox process mentioned earlier. If there is a support request and, in a rare case, access to customer content is required, the customer now owns the right to approve or reject that access. Logs of this approval activity will also be available to customers. If a customer rejects access, no Microsoft engineer will have access to continue forward.
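The Lockbox flow described above (multi-level internal approval, the new customer approval gate, a least-privilege time-boxed grant, and an audit trail of every step) sketched in Python as an added example. This is not Microsoft's code; the approver roles, scope strings and field names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed approval chain (hypothetical roles), required before the
# request may even be shown to the customer.
INTERNAL_APPROVERS = {"manager", "lockbox_admin"}

@dataclass
class AccessRequest:
    engineer: str
    scope: str                  # least-privilege scope, e.g. "mailbox:read"
    window: timedelta           # time box for the grant
    internal_approvals: set = field(default_factory=set)
    customer_decision: str = "pending"   # pending / approved / rejected
    granted_at: datetime = None
    audit: list = field(default_factory=list)   # every step is logged

    def record(self, now, event):
        self.audit.append((now.isoformat(), event))

def internal_approve(req, approver, now):
    """One level of the multi-level approval; unknown approvers are refused."""
    if approver not in INTERNAL_APPROVERS:
        req.record(now, f"refused approval from {approver}")
        return False
    req.internal_approvals.add(approver)
    req.record(now, f"internal approval by {approver}")
    return True

def customer_decide(req, approve, now):
    """Customer gate: only reachable once all internal approvals are in."""
    if req.internal_approvals != INTERNAL_APPROVERS:
        req.record(now, "customer step refused: internal approvals incomplete")
        return False
    req.customer_decision = "approved" if approve else "rejected"
    req.record(now, f"customer {req.customer_decision} access")
    return True

def grant(req, now):
    """Just-in-time grant, issued only after the customer has approved."""
    if req.customer_decision != "approved":
        req.record(now, "grant denied")
        return False
    req.granted_at = now
    req.record(now, f"granted {req.scope} to {req.engineer} for {req.window}")
    return True

def is_active(req, now):
    """Time-boxed: the grant expires on its own when the window closes."""
    return req.granted_at is not None and now - req.granted_at < req.window
```

A customer rejection leaves `customer_decision` at "rejected", so `grant` can never succeed for that request, and the audit list holds the full history either way.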



This solution is industry changing for cloud SaaS providers. It gives customers additional control and assurance that their data is being protected. Microsoft has provided industry-leading data protection solutions to this point, and the solution only becomes better with this announcement.

Announcement is here -
