Security and compliance in SharePoint Online: A primer

The SharePoint community has been debating the respective advantages and disadvantages of SharePoint Server and SharePoint Online for a long time now, and which of the two platforms has the brighter future is anyone’s guess. On the one hand, Microsoft’s public cloud offering lacks the rich feature set and extensibility of its on-premises counterpart. On the other, it receives updates faster and can draw on other Office 365 innovations such as Power BI.

But before an organisation can start to weigh up whether SharePoint Server or SharePoint Online is the better investment in terms of functionality, it’s important that it considers where they differ in terms of security and compliance. SharePoint Online and Office 365 are public cloud solutions, and as such, they require users to give up control over some of the parameters they’d be able to change were the solution running in their own data centres.

Here’s a quick look at some of the security and compliance implications of migrating from SharePoint Server to SharePoint Online, and how they may impact your business.

Office 365’s security credentials

It’s sometimes assumed that cloud-based platforms and applications are fundamentally less secure than their on-premises counterparts, but this is a misconception. Sure, there’s always a degree of apprehension that comes with putting your data – including intellectual property and confidential customer and employee records – into someone else’s hands. But the security built into Office 365 as standard is usually stronger than what a typical small or medium-sized business would otherwise have at its disposal.

Out of the box, SharePoint Online supports multi-factor authentication, email encryption and data loss prevention tools, and because it stores user accounts in Azure Active Directory, it is straightforward to integrate with an existing on-premises Active Directory deployment. Encryption also comes as standard, not only for data in transit via the familiar SSL/TLS protocol, but also for data at rest.

Nor should it be overlooked that Microsoft’s data centres may well offer better physical security than most organisations’ in-house server rooms. In the Office 365 Trust Center, Microsoft states that its facilities are protected by 24-hour monitoring, multi-factor authentication and biometric scanning, and by role separation that “renders location of specific customer data unintelligible to the personnel that have physical access”.

Other considerations and caveats

Some aspects of Office 365 may, however, make SharePoint Online a poor option for organisations with specific compliance obligations. The end user can’t dictate the country in which their data is stored, for example, which is a barrier in certain sectors despite Microsoft’s rather impressive EU data protection credentials.

Office 365 also won’t provide the necessary security to store payment card data in compliance with PCI DSS (although US organisations have the option to store regulated healthcare records, should their internal policies and processes support this).

As such, the question of whether to go with SharePoint Server or SharePoint Online isn’t just one of licensing costs, setup and maintenance time, and the trade-off between extensibility and cloud-specific features. Security and compliance are also major considerations, so if you’re mapping out a migration, your updated governance plan should stipulate which categories of data can be moved to the cloud, and which must stay on-premises, before any content is migrated.