My fascination with compliance issues and Office 365 is not abating. A few months ago I blogged about a data breach at the State of Utah. I was doing a bit more research about this breach, and the fact that Utah’s Governor fired the State’s CIO over it got me thinking more specifically about Office 365: is there a capability to enforce “at-rest” encryption of data stored in Office 365?
As far as I can tell from all the documents I’ve read, there is no “at-rest” encryption of data except potentially within e-mail. I did download Microsoft’s “Security in Office 365” whitepaper and didn’t find anything that really addressed at-rest encryption, but the whitepaper was written in June 2011, so perhaps things have changed since then. Apparently you can copy RMS/IRM-protected files to Office 365, but that seems rather hackish and not subject to a general policy like “everything in Office 365 must be encrypted.”
So in a situation like what happened in Utah, there’d be no difference if the data were stored in Office 365.
More on this topic later – like maybe a punch list of what a customer might want for compliance.