
Is it safe to put a client's personally identifiable information on Microsoft's Office-365, or another Cloud provider storage?

Asked by AlB

  • Depends on what it is. If it's HIPAA or PCI, you need to do a lot more investigating with the vendor itself than just asking a question on SE. Many of them have special services to address security concerns related to either standard. – Ivan Sep 22 '16 at 15:32
  • Depends on your location, the location of the data subjects and as such the applicable legislation. E.g. huge difference between Europe and US. – user3244085 Sep 25 '16 at 20:08

2 Answers


Cloud services such as Office 365 can be far safer than using your own or a supplier's data centre facilities.

So yes, you can of course put client data on cloud services. But will they be happy? Hmm. And will you be meeting their regulatory requirements?

Well only you/they can answer that.

Look for security certifications related to the regulatory environment your client has to work in. Get buy in from the Information Owners by carefully explaining the benefits, risks and mitigations. Look for other similar organisations that may have followed the same journey. Check with relevant government agencies on their views.


BTW, Office 365 is particularly good at this. Their certifications are second to none and they have world class security processes. Microsoft really understand government and enterprise security requirements.

Julian Knight
  • Thanks for responding. This is a federal agency following FISMA. Sensitive PII is not authorized on our servers. I know that Microsoft says its O365 servers have encryption, but I still recommend to the system owner that they encrypt that sensitive data. Peace of mind! Thanks! – AlB Sep 27 '16 at 12:58
  • No problem. Worth also remembering that O365 now offers additional user specified keys for encryption and a data lockbox capability - at some additional cost - but still, it adds extra security if required. Whatever you may think of them, MS have worked hard to capture the government markets and certified security is very high on their list of things to get right. (In case you are wondering, I *don't* work for them). – Julian Knight Sep 27 '16 at 14:27

It depends on what regulatory requirements you have and whether the cloud hosting provider meets those standards. PII is not a standard, it's a classification of data. As a result, you won't find a cloud offering claiming to be PII Compliant.

Instead, determine the regulatory requirements you need to abide by (PCI-DSS, ITAR, HIPAA, GLBA, ISO27K, etc) and base your decision on whether the provider you're looking at complies with those standards.

You'll also need to determine whether you want dedicated hosting or shared hosting. In other words, some standards require dedicated hardware for your services and applications rather than shared-tenant hardware. Keep that in mind as it may affect your decision and definitely affects your cost.

HashHazard
  • See comment above. Agree with you. This is not a dedicated hosted site so the sensitive data would be somewhere in the Cloud "La-La-land". If encrypted with strong encryption it would be safe. I know encryption is a hassle sometimes but it beats losing the data. – AlB Sep 27 '16 at 13:00
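The mitigation AlB describes in the comments (encrypt the sensitive data yourself before it goes into the tenant, so the provider's own storage encryption is not the only control) is easy to get subtly wrong, so here is an added example of what it looks like done properly. This is not code from the original post, from Microsoft, or from any O365 SDK. It assumes the key is generated and held on the data owner's side (an on-prem KMS or HSM; here simply generated in memory) and that each record is stored under a known object path; the path `clients/42/record.json` and the JSON record are constructed for the demonstration. AES-256-GCM is used so that tampering or truncation of the stored blob, or moving it to a different path, is detected on download rather than silently producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit AES key. In a real deployment the key is
// generated and held on the data owner's side (an HSM or on-prem KMS, assumed
// here), so the cloud provider only ever stores ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record with AES-256-GCM before upload. The object's storage
// path is bound as associated data, so a blob copied to or renamed at a
// different path in the cloud will not decrypt. Output layout: nonce || ciphertext || tag.
func Seal(key, plaintext []byte, objectPath string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 96-bit random nonce, never reused with this key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce passed as dst, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(objectPath)), nil
}

// Open decrypts a blob downloaded from the cloud and verifies its tag. Any
// tampering, truncation or path mismatch yields an error, not garbage plaintext.
func Open(key, blob []byte, objectPath string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(objectPath))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and hypothetical object path; not real data.
	record := []byte(`{"name":"Jane Doe","ssn":"123-45-6789"}`)
	path := "clients/42/record.json"

	blob, err := Seal(key, record, path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploading %d bytes of ciphertext; plaintext never leaves the client\n", len(blob))

	if pt, err := Open(key, blob, path); err == nil {
		fmt.Printf("downloaded and decrypted: %s\n", pt)
	}
	// A blob moved to another path, or modified in storage, fails to open.
	if _, err := Open(key, blob, "clients/43/record.json"); err != nil {
		fmt.Println("moved object rejected:", err)
	}
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, blob, path); err != nil {
		fmt.Println("tampered object rejected:", err)
	}
}
```

Two design points worth noting against the thread: binding the object path as associated data is what stops an attacker with storage access from swapping one client's encrypted record for another's, and the key never being present in the tenant is what makes the "customer-held key" arrangement mentioned in Julian Knight's comment meaningful; if the key is uploaded alongside the data, the provider's encryption and yours collapse into a single control.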