Should I be concerned about the security or privacy of my email in Office 365, stored in the cloud?
This is best answered with references taken from the Office 365 Trust Center at https://www.microsoft.com/en-us/trustcenter/cloudservices/office365
The Trust Center sets the expectation that Microsoft does not own your data. It also describes the levels of security Microsoft follows to ensure the security and privacy of your data: Physical Security, Logical Security, and Data Security.
Physical security
- 24-hour monitoring of data centers
- Multi-factor authentication, including biometric scanning for data center access
- Internal data center network is segregated from the external network
- Role separation renders location of specific customer data unintelligible to the personnel that have physical access
- Faulty drives and hardware are demagnetized and destroyed
Logical security
- Lock box processes, with a strictly supervised escalation process, greatly limit human access to your data
- Servers run only processes on a whitelist, minimizing risk from malicious code
- Dedicated threat management teams proactively anticipate, prevent and mitigate malicious access
- Port scanning, perimeter vulnerability scanning, and intrusion detection prevent or detect any malicious access
Data security
- Encryption at rest protects your data on our servers
- Encryption in transit with SSL/TLS protects your data transmitted between you and Microsoft
- Threat management, security monitoring, and file/data integrity prevent or detect any tampering with data
For additional information, Microsoft recently published an article on the Office 365 blog, titled "What does it mean to own your data in Office 365? How we aim to raise the bar on visibility and control of your organization’s data with Office 365", that may also answer your questions and concerns about data ownership in the cloud.