Hi,
Could you confirm that my below understanding is correct?
Microsoft Forms, Power Automate, and SharePoint are products of the Microsoft Corporation. Microsoft Forms and Power Automate are hosted on the Microsoft Azure cloud platform, and SharePoint is also a cloud service managed by Microsoft.
Microsoft provides security, backup, and server management for these cloud services, ensuring that your data is stored and managed securely.
To protect your data, Microsoft 365 requires two-step verification of your identity. This prevents credentials from being used without a second factor and mitigates the impact of a compromised password.
- How to protect data in transit and at rest
When a user uploads a document in Microsoft SharePoint, the data is transferred from the user's device over the Internet to a Microsoft data center, or between Microsoft data centers in different geographic regions. These data transfers are protected using encryption and only allow secure access. We don't make authenticated connections over HTTP, but instead redirect to HTTPS.
Data at rest is protected in the following ways
- Physical protection: Only a limited number of essential personnel have access to the data center and their identities are verified with multiple authentication factors, including smart cards and biometrics. There are on-premises security personnel, motion sensors, and video surveillance, and intrusion detection alerts monitor for unusual activity.
- Network protection: Networks and identities are separated on Microsoft's network.
Dedicated Active Directory domains are used to manage services, test and production domains are separated, and the production domain is divided into multiple isolated domains for reliability and security.
- Application security: Engineers who build features follow a secure development lifecycle. Automated and manual analysis helps identify possible vulnerabilities, and the Microsoft Security Response Center helps triage incoming vulnerability reports and assess mitigations.
- Content protection: Data is encrypted at the disk level using BitLocker encryption and at the file level using keys.
The Microsoft 365 Anti-malware engine, software for detecting and removing malicious code from computer systems, scans documents upon upload to check for content that matches anti-virus signatures (pattern data for detecting malware), which are updated in real time. To limit the risk of content being downloaded to untrusted devices, synchronization is limited to devices in the specified domain.
- To manage content at rest
Configure information rights management policies to restrict content downloads from SharePoint document libraries.
Evaluate your use of Azure Information Protection. Azure Information Protection is a cloud-based information protection service for identifying, classifying, and protecting confidential information created and shared within an organization. With Azure Information Protection, you can classify information such as documents, emails, and files created in your organization and control access to that information. It also provides a plan of action in the event of a breach, which can help keep confidential information safe.
- Highly available, always recoverable
Data centers are geographically distributed and fault-tolerant. Data is mirrored in at least two data centers to mitigate the impact of natural disasters or service-impacting outages. Metadata backups are retained for 14 days and can be restored to any point in time within 5 minutes, and in the event of a ransomware attack, can be rolled back using version history (enable and configure versioning for lists or libraries) and restored using the Recycle Bin or Site Collection Recycle Bin. If an item is removed from the Site Collection Recycle Bin, you can access the backup by calling Support within 14 days.
To keep your data center secure, we continuously monitor it, and it starts with inventory. An inventory agent scans each subnet looking for neighbors and performs a state capture for each machine. Once you have an inventory, you can monitor the health of your machines and remediate issues. The inventory security patch train applies patches, updates antivirus signatures, and stores known good configurations. There is role-specific logic to ensure that only a certain percentage of machines are patched or replaced at a time. Have automated workflows to identify machines that don't meet policy and queue them for replacement.
The "red team" in Microsoft 365 is made up of intrusion specialists who look for every opportunity to gain unauthorized access. The "blue team" consists of defense engineers who focus on prevention, detection, and recovery. They build intrusion detection and response technologies.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 23%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYY%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 51%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EED%3C/text%3E%3C/svg%3E)