TO: AC Transit Board of Directors
FROM: Michael A. Hursh, General Manager
SUBJECT: Security of Microsoft Office 365 Applications
BRIEFING ITEM
RECOMMENDED ACTION(S):
Title
Consider receiving a report on the security of the Microsoft Office 365 cloud applications. [Requested by Director Peeples - 7/22/20].
Body
STRATEGIC IMPORTANCE:
Goal - Safe and Secure Operations
Initiative - Service Quality
The District is committed to maintaining best practices to secure personally identifiable information maintained in the Districts’ Systems of records. Allegations have been made that Microsoft might be collecting and selling personal information without permission. This briefing item provides information regarding Microsoft Corporation’s data security policy, including an audit of the Microsoft 365 (formerly Office 365) platform, and the security and privacy of customer and staff data in Microsoft 365.
BUDGETARY/FISCAL IMPACT:
There is no fiscal impact associated with this report.
BACKGROUND/RATIONALE:
The District subscribes to Microsoft 365 U.S. Government G3 plan, a cloud-based technology, as its main communication and collaboration application. The subscription includes applications such as Word, Excel, PowerPoint, OneNote, Outlook, Publisher, Access and services such as Exchange, OneDrive, SharePoint and Teams.
In 2014, the District decided to move email from on-premise Microsoft Exchange servers to cloud based Office 365 now known as Microsoft 365. This decision was made because of disk storage limitations, system reliability, server availability, system redundancy and resiliency. In November 2019, the District implemented Microsoft Teams to allow voice and text communications from employees’ desktops and mobile devices. In March 2020, the District started moving user and shared documents from the on-premises network servers to cloud based Microsoft OneDrive and SharePoint collaboration platforms. COVID-19 was the driving force behind this decision as many users were unable to access network data from home. Migration to the Microsoft 365 portal made it easier for the District users to collaborate, share files/folders, and access data and emails remotely.
On July 17, 2020, a lawsuit was filed against Microsoft Corporation in the United States District Court for the Northern District of California, alleging that "Microsoft shares its business customers' data with Facebook and other third parties, without its business customers' consent." The complaint also accused Microsoft of sharing business customers' data with third-party developers and with "hundreds of subcontractors without requiring the subcontractors to keep the data private and secure."
The lawsuit insists that Microsoft automatically and without its customers’ knowledge or consent, harvests its business customers’ data into a separate product called Microsoft Graph. The lawsuit further claims that Microsoft’s Graph automatically gathers all business customers’ Office 365 and Exchange Online data, and that Graph does not comply with Service Organization Controls (SOC) standards. Similarly, the lawsuit alleges that Microsoft’s handling and use of business customers’ Office 365 and Exchange Online data is not in compliance with SOC standards.
Deloitte & Touche LLP, an independent service auditor, prepared the Microsoft System and Organization Controls (SOC) 2 Report (SOC-2) dated December 24, 2020. SOC reports are verifiable auditing reports performed by a certified public accountant designated by the American Institute of Certified Public Accountants. The SOC 2 report explicitly examines a service organization's controls over the ensuing Trust Services Criteria (TSC) established by the Assurance Services Executive Committee (ASEC). The TSC fall into the following categories:
• Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
• Availability. Information and systems are available for operation and use to meet the entity's objectives.
• Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
• Confidentiality. Information designated as confidential is protected to meet the entity's objectives.
• Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity's objectives.
Deloitte & Touche did not find any non-compliance of Microsoft Graph or other services covered in the SOC-2 reports. The SOC-2 report concludes that Microsoft had sufficient controls in place to achieve specified Trust Services Criteria.
In the section titled, "Principal Service Commitments and System Requirements" the independent report further confirms that Microsoft met its service commitments in maintaining the confidentiality of customers’ data through data classification policies, data encryption, and other relevant security controls.
The District additionally received the following written statement from Microsoft’s representative:
“Microsoft is aware of the suit and is reviewing it carefully. The allegations are not very specific, but as we understand them, we don’t believe they have merit. We have an established history of both robust privacy protections and transparency, and we’re confident that our use of customer data in connection with providing Online Services has been and remains consistent with the instructions of our customers, our contractual commitments, and the law.”
Microsoft has filed a motion to dismiss the lawsuit. The court has not yet held a hearing or ruled on this motion.
Given limited access Microsoft’s platform and documents, , staff’s initial assessment, based on the information set forth above, is that Microsoft has not violated its privacy policy or shared District users’ data with Facebook or other third-party vendors.
ADVANTAGES/DISADVANTAGES:
There are no disadvantages to receiving this briefing.
ALTERNATIVES ANALYSIS:
There is no alternative to receiving this briefing.
PRIOR RELEVANT BOARD ACTION/POLICIES:
None
ATTACHMENTS:
None
Prepared by:
Tasawar Jalali, IT Manager, Cybersecurity
In Collaboration with:
Mike Carvalho, Enterprise Network Engineer
Approved/Reviewed by:
Ahsan Baig, Chief Information Officer
Jill A. Sprague, General Counsel