UPDATE – In early October 2016, Go West IT was approved by Microsoft as a Tier One Microsoft Cloud Solution Provider (CSP), and we are actively moving Microsoft cloud customers to this new CSP model to mitigate the data privacy concerns associated with third-party distributors being granted access to customer data. Customers can now enjoy the benefits of Microsoft cloud services without granting data access to an undisclosed third-party distributor.
Microsoft Office 365 is a solid business platform, but Microsoft’s new Cloud Solution Provider (CSP) model has a HUGE security control gap that is bad for Microsoft, bad for Microsoft Partners, and, worst of all, bad for business customers.
Microsoft’s initial Office 365 (“O365”) business model was widely perceived as a threat to the Microsoft Partner community. The traditional reseller model was scrapped. Partners were asked to promote a relationship whereby customers contract directly with Microsoft, and Partners are paid a small recurring advisory fee for promoting, implementing, and supporting O365. Partners got on board, adjusted their business models, and made it work.
Now Microsoft is eliminating the advisory fee and forcing partners to purchase Office 365 services via a select group of distributors for resale to customers. That’s good, right? WRONG! There are huge security control gaps with CSP.
Microsoft has relinquished Global Admin control of O365 tenants (customers) to their CSP distributors. The distributors developed software that interacts directly with O365 via APIs to manage license provisioning and end user support. This gives their front-line help desk personnel full administrative privileges to each O365 tenant they manage. Neither Microsoft nor the distributors have been able or willing to share any information regarding security controls to mitigate this substantial risk.
There is a simple resolution to this problem: Microsoft, as part of a routine vendor management process, should obtain an SSAE 16 SOC II audit from the distributors that describes adequate controls and adherence to the policies and procedures that govern those controls. The distributors should, at a minimum, be willing to provide their SSAE 16 SOC II audit report to Partners. Partners should be demanding this evidence and should retain copies of it as evidence of their own due diligence.
Customers are largely unaware of the delegation of rights to their O365 tenant. Without an SSAE 16 SOC II audit report, customers have no way of providing regulatory agencies, auditors, or insurance carriers evidence of controls to protect their hosted data. This renders the Microsoft CSP model infeasible for any customer organization with a regulatory burden.
Go West IT has firsthand knowledge of a CSP distributor changing a Global Admin credential for an O365 tenant without verifying the identity of the individual making the request. Go West IT is not aware of any wrongdoing or any breaches of any kind by the CSP distributors. We do not want that to happen.
Go West IT has proactively discussed this issue with representatives at Microsoft and two of the CSP distributors. Microsoft, in an effort to make CSP HIPAA-compliant, has published directions for how to remove the distributor as a Global Admin. Unfortunately, doing so also removes the ability to add, change, or remove any licensing via the distributor platforms, which makes this “remedy” impractical at best. To date, neither Microsoft nor the distributors have provided any visibility or assurance that adequate controls are in place, even as Microsoft presses forward with promotion of CSP.
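Because customers are largely unaware of the delegation described above, the first defensive step is simply to see who holds Global Admin on the tenant and whether partner delegation is switched on. The script below is an added example written for this page; it is not Go West IT’s tooling and not Microsoft’s published removal directions. It assumes the MSOnline PowerShell module (Connect-MsolService) and an account with rights to read role membership; the domain list is a constructed placeholder to be replaced with the tenant’s own verified domains.

```powershell
# Added example: audit Global Admin membership and partner delegation (DAP)
# on an Office 365 tenant. Assumes the MSOnline module is installed and that
# the caller can read directory roles. Not Microsoft's own removal procedure.

param(
    # Domains the tenant considers its own; any Global Admin whose sign-in
    # address falls outside this list is flagged for review.
    # Constructed placeholder values; replace with the tenant's verified domains.
    [string[]]$OwnDomains = @('contoso.com', 'contoso.onmicrosoft.com')
)

Connect-MsolService

# Delegated Admin Privileges let a partner administer the tenant without
# appearing as an explicit role member, so check the tenant-level flag first.
$company = Get-MsolCompanyInformation
Write-Output ("Delegated Admin Privileges (DAP) enabled: {0}" -f $company.DapEnabled)

# Enumerate every member of the Global Admin role ("Company Administrator"
# is the role's internal name in MSOnline).
$gaRole  = Get-MsolRole -RoleName 'Company Administrator'
$members = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId

$report = foreach ($m in $members) {
    $domain = if ($m.EmailAddress) { ($m.EmailAddress -split '@')[-1] } else { '' }
    [pscustomobject]@{
        DisplayName    = $m.DisplayName
        EmailAddress   = $m.EmailAddress
        RoleMemberType = $m.RoleMemberType
        # Accounts outside the tenant's own domains (or with no address at all,
        # e.g. service principals) are candidates for partner-held access.
        External       = -not ($OwnDomains -contains $domain)
    }
}

$report | Sort-Object External -Descending | Format-Table -AutoSize

# Keep a dated copy as part of the due-diligence evidence the post recommends.
$report | Export-Csv -NoTypeInformation -Path ("GlobalAdmins-{0:yyyyMMdd}.csv" -f (Get-Date))
```

Run it before and after any licensing change made through a distributor platform; a DapEnabled value of True, or a Global Admin entry flagged External that nobody in the organization recognizes, is exactly the undisclosed access this post is concerned with and should be raised with the partner and documented alongside the SOC report.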