Office 365 and the “fear” of having data hosted in the US

Many years ago, Scott McNealy, former CEO of Sun Microsystems and a “human quote machine”, made the comment, “You have zero privacy anyway. Get over it.”  The comment was made in reference to questions about security and privacy on the Web.  While Scott’s comment may have been a bit over the top, there is a nugget of truth in there.  More to the point, he may as well have said, “You have zero security anyway.  Get over it.”  That is really the core of my argument today.

Many organizations outside of the US freak out about the “security” of their data as it pertains to Office 365 amid all the fears about the US Patriot Act, NSA “spying issues” and so on.  This leads to all sorts of complex articulations about how they (the organization) cannot store/have data in the US (at Microsoft or others) because of these concerns.  Granted, there are various pieces of privacy legislation around the globe that could preclude an organization from utilizing Office 365, but I haven’t actually come across very many organizations other than governmental entities and health care providers that can prove they cannot use services like 365 (not that I’m saying they don’t exist …).

My point is that many of these same organizations are probably already violating their own security guidelines without really being aware of it!

  • If you use a front-end email filter service such as those offered by Trend Micro, Barracuda, McAfee and others then chances are your traffic is routing through US-based servers.
  • If you use an online backup or CDP service, unless you KNOW the provider is local then chances are your data is being stored on servers in the US.
  • If you use Dropbox, YouSendIt or any kind of similar service then chances are your data is being stored on servers in the US.
  • If you use Gmail then chances are your data is being stored on servers in the US.
  • If you use any Google, Amazon or Azure service then your data is probably stored on a server in the US at some point in time.
  • If you use Twitter, Facebook, or other “social connectors” chances are your data is being stored on servers in the US.
  • If you send ANY traffic over the Internet (email, web, other services) there is a decent chance that some of that traffic will route through the US even if the origin and end points are NOT in the US (very true of Canadian traffic, I’m afraid).

I could go on and on but you probably get the drift by now.  And all of the preceding points are referencing what you do as an organization; Lord only knows what your users are doing …

Given all of the above, if you have solid legal advice or guidelines that say “thou shalt not” then Office 365 is not for you.  If that is not the case then I urge you to rethink your concerns.  The Cloud is here to stay, no question of that.  As vendors such as Microsoft expand their Cloud offerings it is only going to get harder, especially from a financial perspective, to resist the overall merits of Cloud services.  Worries about governmental “snooping”, while not unfounded, are going to have to be dealt with in the new reality of the Cloud.  To be blunt, most national governments can make a data grab if they want to; we “smug” Canadians need to remember that the Feds in this country actually have more legal rights to “snoop” than do their American counterparts.

Your data security is only as good as your overall security controls but your security “cloak” can only go so far.  Services like Office 365 are probably better at security than most organizations (they have one massive security team and tools in the background); certainly security controls will be better than most small to medium businesses can muster.  There is a possibility that some governmental agencies might be able to “see” your data in some fashion but is that truly an issue?  I’d be more worried about some form of industrial espionage myself.  The new reality is that there really is no totally “secure” data anymore other than that stored on a server that is locked inside a vault, that has no network or USB connections and that is powered off.  When you consider how “leaky” most organizations’ security actually is, the chance that your data will be breached through a user’s negligence or simple “ignorance” is probably far higher than the risk you face from Office 365 or other Cloud services.

So, I’ll say it again: if you are wavering on the move to Cloud services, specifically Office 365, due to any of the above-mentioned concerns, get over it!  Get a legal opinion in order to clear the air and if there are no legal roadblocks then go for it.