Despite the progress Microsoft is making with Office 365, its claim to universality won't stand up until it gains traction with government and public bodies. Microsoft obviously understands this.
While Microsoft the company has given Office 365 for private enterprises a lot of love in the past few months, it hasn’t been neglecting the public sector either. And that makes the thorny issue of regulatory compliance even more critical.
Regulatory compliance is important for the private sector, but it is essential for public agencies. As a result, Microsoft is introducing IRS 1075 compliance to Office 365. The goal here is to prevent anyone from walking away with personal financial information, especially tax related data.
What's 1075 Compliance?
Under US law (Internal Revenue Code Section 6103(p)), the IRS must protect all the personal and financial information it receives against unauthorized use, inspection or disclosure. So until Microsoft could guarantee that Office 365 met government-mandated security control baselines for compliance, it was never going to make deep inroads into the lucrative public finance market.
The result is IRS 1075 compliance. To find out what this was all about, we looked at IRS Publication 1075. We lost the will to live around page 2 of a 159-page document, but pushed on in order to shed some light on the issue.
Publication 1075 mandates, among other things, that information systems use mechanisms for authentication to a cryptographic module, and protects the integrity and confidentiality of transmitted information. It also addresses security issues regarding remote access, email, data transfers and employee activity.
To meet these requirements, Microsoft has introduced hundreds of controls across multiple standards for Office 365 Government E1, E3, E4, K1 and K2 SKUs. They are designed to ensure that data accessed through government agencies is secure, and also guarantees data protection across the spectrum of application, platform and data center services.
Office365 and Compliance
Not exactly the stuff of IT dreams, but significant nonetheless. The introduction of these compliance standards reflects a wider approach to regulation that has been built into Office 365 public plans from the beginning.
Our approach to compliance, based on built-in security and privacy by design, involves proactively assessing requirements from customers of various sizes and industries—from public safety, healthcare and finance to government, defense and more. With these requirements as a base set, we have built controls that are then used by Office 365 teams to design, build and run the service," Vijay Kuma, senior product manager at Office, wrote in a blog.
In other words, instead of just tacking a few compliance-related controls on top of Office 365, Microsoft is building these compliance controls into the products as customers need them. Microsoft has over 1,000 controls that it can add according to the needs of the customer.
In fact, it currently offers controls that make Office 365 compliant with some of the most vigorous standards in existence, including ISO 27001 and standards like CJIS, SSAE 16, HIPAA and SOC 2, which are applicable to finance, legal, health and other industry verticals.
The bottom line is that Office 365 can meet your compliance requirements, but you have to ask. There are 10 standards that Office 365 is catering to, but there’s probably more if you scratch a bit deeper.
While Microsoft says that the ongoing introduction of new standards demonstrates its commitment to protecting data — we’re not doubting this — it’s also a sure-fire way into the international public sector, which is probably one of the biggest consumers of IT on the planet.
Title image by Ed Yourdon (Flickr) via a CC BY-NC-SA 2.0 license.