How secure is Microsoft 365 really? And what additional protection can users put in place?
Recently, the German Data Protection Conference (DSK) expressed serious concerns about the legal compliance of Microsoft 365. The main reason is a lack of urgently needed transparency: which data is used for Microsoft’s own purposes, and which data is actually accessed? The manufacturer leaves its users in the dark about this. Even though Microsoft clearly contradicts the DSK in an official statement and states that customers can use M365 without hesitation and in a legally secure manner, experts advise larger organizations in particular, such as schools and public authorities, but also private users, not to use it without additional measures. We took a closer look and consulted a specialist, Florian Tenius, Head of Partner Management at FTAPI Software GmbH.
Read for yourself:
Recently, the DSK has expressed serious concerns about the data protection compliance of Microsoft 365. What’s the real story? How do you assess the situation?
Microsoft 365 is a popular and very common platform in the workplace; however, I share the concerns when it comes to data protection. Businesses, government agencies and organizations need to ensure that personal data and intellectual property are secure – whether they are stored in the cloud or on the company’s internal servers. As a certified data protectionist and expert in secure data transfer, I repeatedly find in discussions with customers and partners that data protection is often not considered, especially when sending and exchanging data. In my opinion, the data protection functions of Microsoft Office 365 are not sufficient to meet the legal requirements for data protection.
Should companies continue to rely on MS 365? Are there alternatives?
In particular, companies from industries with high security requirements or organizations that work with particularly sensitive data, such as public authorities or hospitals, should look for alternatives. However, doing without MS 365 altogether will not be an option for many companies; the programs are simply too widespread for that. My tip: Try to protect your systems with additional measures and use so-called Data Protection Platforms (DPP): by using various security measures such as Data Loss Prevention (DLP), the end-to-end encryption of corporate communications or measures for secure Identity & Access Management (IAM), a kind of additional security layer can be added that complements and additionally secures common applications, including those of MS 365.
Some companies are subject to particularly high security requirements, for example in the healthcare sector, public authorities, lawyers and tax consultants, to name just a few. Are there measures in place to provide additional protection?
There definitely are! One effective measure to protect information and files from unauthorized access from the outside is end-to-end encryption. Data and information are encrypted before they are sent and can only be decrypted again by the recipient – a so-called man-in-the-middle attack, in which information is intercepted during data transfer, is thus virtually impossible. FTAPI relies on the use of leading encryption technologies for encryption: SecuPass technology enables end-to-end encryption of the entire data transfer without the exchange of certificates or manual key exchange.
In addition to the secure exchange of data, a secure storage location also plays an important role. Virtual data rooms, such as FTAPI SecuRooms, offer an alternative here to the free data rooms offered by international hyperscalers. When selecting a provider, companies should ensure that the data rooms are hosted in Europe, or even in Germany as in the case of FTAPI, in order to comply with the strict data protection guidelines. A fine-grained access concept also gives companies a precise overview of who can access which files and when. In addition, a well thought-out, technically automated deletion concept should also be developed.
There are numerous measures to comprehensively protect the so-called data workflows. Let’s talk about them!
The Munich-based software company FTAPI offers a comprehensive platform for simple and secure data workflows and automation. FTAPI connects people, data and systems securely, quickly and easily. Since 2010, more than 2,000 companies, public authorities and medical institutions with more than one million users have placed their trust in the products SecuMails, SecuRooms, SecuForms and SecuFlows. Whether it is about sending or receiving data, structured data input, sharing confidential information or secure automation of data workflows: with FTAPI’s Secure Data Workflow Platform, sensitive data is protected at all times. www.ftapi.com