One of the concerns that keeps many companies from adopting software-as-a-service for e-mail and other collaboration services has been the issue of who has control over the security of the content. Today at the RSA Conference, Microsoft is announcing changes to its Office 365 service that will allay some of those concerns, giving customers greater visibility into the security of their applications and control over what happens with them. At the same time, it will potentially be harder for government agencies and law enforcement to secretly subpoena the contents of an organization's e-mail.
In an interview with Ars, Microsoft's general manager for Office 365 Julia White outlined the three new features, which are being announced in a blog post from Office 365 team Corporate Vice President Rajesh Jha today. Office 365 will now include a "Customer Lockbox" feature that puts customer organizations in control of when Microsoft employees can gain access to their data, requiring explicit permission from a customer before systems can be accessed to perform any sort of service on their Office 365 services. The capability will be turned on by the end of 2015 for e-mail and for SharePoint by the end of the first quarter of 2016.
"We have automated everything we can to prevent the need for our people having to touch customer data," White told Ars. "It's almost zero—there are very rare instances when a Microsoft engineer has to log in to a customers' services. Now we're going to, in those rare instances, make customer approval mandatory to do so." That would also apply to law enforcement requests for access, White acknowledged. "When the customer opts into the Lockbox, all requests would go into that process. So it's a customer assurance of transparency. We want to systematically look at what kind of control and transparency customers want and provide it to them," White said.