To overcome emotional barriers to cloud computing, cloud providers often give customers complete control over their data, including encryption keys. Microsoft has been unveiling features in that vein for Azure, and yesterday, the company took a few more steps in that direction with Office 365.
The features are about more than customer control of data, though. They also address a long-standing problem among most cloud providers: How can the customer be sure the provider doesn't mess with user data -- and what happens when the provider has no choice but to do so?
Microsoft's answer is Customer Lockbox, an Office 365 feature that gives customers highly granular control over their Office 365 account whenever a Microsoft engineer needs to access content stored within.
According to Jake Zborowski, group manager lead for Office 365, engineers by default don't have access to service operations and have to go through a rigorous multistep process to obtain access to customer data. "We did a lot of engineering to abstract ourselves away from the data," Zborowski said in a phone call. "We are only the custodians; it's the customers who own the data."
Customer Lockbox puts key parts of Microsoft's abstraction process into the hands of the customer. If a user has a corrupted mailbox, for instance, she would submit a trouble ticket as usual. An engineer would then be assigned a specific set of credentials valid only for accessing the needed resources for a short time, and they won't work unless the customer explicitly approves the request for said access.
Microsoft's theory is by making the process so transparent, customers can trust Microsoft more and feel less hesitant about committing valuable data to any of its services. "We decided to put the customer in the driver's seat," said Zborowski.
Another addition addresses a slightly smaller, but no less pressing problem: How do I audit all of how my organization uses Office 365? Answer: the Office 365 Management Activity API. Data obtained from that RESTful API describes who's doing what and with whose data in SharePoint Online, Exchange Online, and Azure Active Directory. Customer Lockbox activity, too, is made available through this interface.
Right now, the service is only offered as a preview program starting this summer -- hence the limited scope -- but Microsoft plans to support more services and provide more kinds of transactions over time.
A third new Office 365 feature designed to further drive customer trust is per-file encryption and expanded data-loss prevention technology for data stored in Sharepoint Online and OneDrive for Business. The most likely and obvious point of further integration for those features, and the others unveiled, is with Azure's recently introduced key management technology.
Zborowski said all these new features set the stage to allow customers to manage encryption keys themselves, which the company expects to announce sometime in 2016 for SharePoint Online. But "we don't have a lot of details on that yet," he admitted.
[A previous version of this article misattributed statements by Jake Zborowski to Vijay Kumar, senior product marketing manager for Office 365.]