You control your data. When you put your data in OneDrive, you remain the owner of the data. For more info about the ownership of your data, see Office 365 Privacy by Design.
How you can safeguard your data
Here are some things you can do to help protect your files in OneDrive:
Create a strong password. Check the strength of your password.
Add security info to your Microsoft account. You can add info like your phone number, an alternate email address, and a security question and answer. That way, if you ever forget your password or your account gets hacked, we can use your security info to verify your identity and help you get back into your account. Go to the Security info page.
Use two-factor verification. This helps protect your account by requiring you to enter an extra security code whenever you sign in on a device that isn’t trusted. The second factor can be made through a phone call, text message, or app. For more info about two-step verification, see How to use two-step verification with your Microsoft account.
Subscribe to Office 365. An Office 365 subscription gives you advanced protection from viruses and cybercrime, and ways to recover your files from malicious attacks.
How we treat your data
Microsoft engineers administer OneDrive using a Windows PowerShell console that requires two-factor authentication. We perform day-to-day tasks by running workflows so we can rapidly respond to new situations.
No engineer has standing access to the service. When engineers need access, they must request it. Eligibility is checked, and if engineer access is approved, it's only for a limited time.
Protected in transit and at rest
Protected in transit
When data transits into the service from clients, and between datacenters, it's protected using transport layer security (TLS) encryption. We only permit secure access. We won't allow authenticated connections over HTTP, but instead redirect to HTTPS.
Protected at rest
Physical protection: Only a limited number of essential personnel can gain access to datacenters. Their identities are verified with multiple factors of authentication including smart cards and biometrics. There are on-premises security officers, motion sensors, and video surveillance. Intrusion detection alerts monitor anomalous activity.
Network protection: The networks and identities are isolated from the Microsoft corporate network. Firewalls limit traffic into the environment from unauthorized locations.
Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The Microsoft Security Response Center helps triage incoming vulnerability reports and evaluate mitigations. Through the Microsoft Cloud Bug Bounty Terms, people across the world can earn money by reporting vulnerabilities.
Content protection: Each file is encrypted at rest with a unique AES256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault.
The Windows Defender anti-malware engine scans documents at download time for content matching an AV signature (updated hourly).
Highly available, always recoverable
Our datacenters are geo-distributed within the region and fault tolerant. Data is mirrored into at least two different Azure regions, which are at least several hundred miles away from each other, allowing us to mitigate the impact of a natural disaster or loss within a region.
In the case of a ransomware attack, you can restore deleted files from the OneDrive recycle bin or restore a previous version of a file in OneDrive. As a premium user, you can also restore your entire OneDrive to any point within the past 30 days.
We constantly monitor our datacenters to keep them healthy and secure. This starts with inventory. An inventory agent performs a state capture of each machine.
After we have an inventory, we can monitor and remediate the health of machines. Continuous deployment ensures that each machine receives patches, updated anti-virus signatures, and a known good configuration saved. Deployment logic ensures we only patch or rotate out a certain percentage of machines at a time.
The Office 365 "Red Team" within Microsoft is made up of intrusion specialists. They look for any opportunity to gain unauthorized access. The "Blue Team" is made up of defense engineers who focus on prevention, detection, and recovery. They build intrusion detection and response technologies. To keep up with the learnings of the security teams at Microsoft, see Security Office 365 (blog).
Need more help?
Go to the OneDrive UserVoice.