Is Microsoft Office 365 Secure?
Every organisation must develop a guide which defines, develops and executes an Office 365 Security Plan, says Ravindra Benday.
When it comes to digital transformation, moving to the cloud is key. According to Forbes, 83% of enterprise workloads will be in the cloud by 2020, and two thirds of IT professionals responsible for managing the change say that security is their greatest concern. Microsoft Office 365 is rapidly establishing itself as the go-to productivity suite in most organisations today. It includes a wide range of services, including Outlook, Yammer, SharePoint, OneDrive, Dynamics CRM, Skype for Business and several others. However, even Microsoft maintains that Office 365 security is a shared responsibility between itself and the customer.
Office 365 provides some capabilities natively, but at the end of the day, Microsoft does not take responsibility for user behaviour, access policies, meeting compliance obligations and much more. Things like protecting user passwords or how employees gain access to Office 365 are always the customer’s responsibility. Because Office 365 is cloud-based, there are associated security risks as IT struggles to retain visibility and control over cloud apps that are frequently accessed through personal (BYOD) devices. Activities such as downloading sensitive corporate files to untrusted devices and abusing stolen login credentials represent a very small sample of the types of security risks with Office 365 usage.
However, with firm planning and a true assessment of your security posture and objectives, you can position your organisation to fully reap the benefits of Office 365 without compromising your security. Hence every organisation must develop a guide which defines, develops and executes an Office 365 Security Plan. The plan must include choosing and optimising the appropriate solution to mitigate your Office 365 risk while meeting all of your compliance obligations, be they regulatory requirements or best practice guidelines from organisations such as the Cloud Security Alliance (CSA).
Let’s Understand Security Concerns
I see several concerns that have clearly emerged around the limitations of native Office 365 security capabilities. While each organisation has its unique requirements, the following represent the top “must-haves” that every organisation should consider in its Office 365 security plan.
1. Prevent Data Leakage
With so much sensitive or confidential data stored in Office 365 these days, it’s vital to have a way to identify sensitive or regulated data stored in services like OneDrive, and to be able to take the appropriate measures to remediate risk. A solution should be able to inspect data in real-time (by keywords, phrases, regular expressions, etc.) to ensure that sensitive corporate data is not maliciously or inadvertently leaked out of the organisation, and should be able to scan stored files for regulatory violations (e.g., PCI DSS, ISO 27001, GDPR, HIPAA). Similarly, if your organisation is standardised on OneDrive, identifying files and data stored in unapproved file sharing services is also critical for compliance and security purposes.
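The keyword and regular-expression inspection described above can be sketched as follows. This is an added example, not code from the original article or from any Microsoft product; the rule names, keyword list and sample documents are constructed for illustration. It pairs a card-number pattern with a Luhn checksum so that arbitrary 16-digit strings are not reported as PCI DSS findings, and masks matches so the report does not itself leak the data.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Hypothetical keyword policy; a real deployment would load its own phrase list.
KEYWORDS = ("confidential", "internal only", "patient record")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; cuts regex false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first 6 and last 4 digits so the finding does not leak the number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(name, text):
    """Return one finding per validated card number and per policy keyword."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"file": name, "rule": "PCI-PAN", "match": mask(digits)})
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append({"file": name, "rule": "KEYWORD", "match": kw})
    return findings

# Constructed sample documents (4111... is the well-known Visa test number).
SAMPLES = {
    "invoice.txt": "Customer paid with card 4111 1111 1111 1111 on 3 May.",
    "tracking.txt": "Parcel id 1234 5678 9012 3456 shipped.",
    "memo.txt": "CONFIDENTIAL: draft pricing, internal only.",
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        for finding in scan_text(fname, body):
            print(finding)
```

The parcel identifier has the same shape as a card number but fails the checksum, so only the invoice and the memo produce findings.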
2. Control Data and File Sharing
With the proliferation of mobile devices (Windows, iOS, and Android), the risk of data leakage through file sharing becomes even more acute. For example, file sharing via OneDrive bypasses existing DLP systems, and anyone who gets their hands on a shared link can access a shared file, whether that person was an intended recipient or not. And finally, public sharing makes it much too easy to share files with everyone.
All this underscores the importance of granular policy enforcement, such as who can share what and with whom, to protect sensitive business data.
3. Enforce BYOD Access Rules
Automatic data synchronisation from Office 365 services like OneDrive for Business and Outlook makes data propagation easy, perhaps too easy. Given that there are so many untrusted devices, at least from IT’s point of view, a mechanism to prevent data synchronisation would go a long way to preventing the leakage of sensitive information. Therefore, being able to enforce access rules, whether for managed or unmanaged devices, is critical.
4. Monitor Activities in Real-Time
Given that Office 365 hosts so much business-critical data, it’s wise for organisations to monitor user activities across all the Office 365 services. This includes monitoring uploads, downloads, modifications, and sharing – all in real-time.
5. Protect Against Cyber Threats
The misuse of stolen login credentials is one of the most popular techniques to get access to sensitive data stored in Office 365. Office 365 does not distinguish between valid and invalid users if the credentials used are accurate. To protect against this, strong authentication measures are an effective way to add another layer of security when login credentials have been compromised. Automatic anomaly detection and behavioural learning of a user’s typical usage patterns often go hand-in-hand with protection against cyber threats.
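The activity monitoring from point 4 and the behavioural learning described above can be combined in one detection, sketched here as an added example that is not part of the original article. It learns each user's usual sign-in networks from history, then flags a sign-in from an unseen network and escalates it when a burst of downloads follows. The record fields (CreationTime, UserId, Operation, ClientIP), the operation names, the thresholds and all sample records are assumptions constructed for this sketch.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

def net24(ip):
    """Collapse an IPv4 address to its /24 so address churn does not look new."""
    return str(ipaddress.ip_network(ip + "/24", strict=False))

def build_baseline(history):
    """Learn which networks each user normally signs in from."""
    seen = defaultdict(set)
    for r in history:
        if r["Operation"] == "UserLoggedIn":
            seen[r["UserId"]].add(net24(r["ClientIP"]))
    return seen

def detect(events, baseline, window=timedelta(minutes=10), bulk=3):
    """Flag sign-ins from unseen networks; escalate when bulk downloads follow."""
    alerts = []
    events = sorted(events, key=lambda r: r["CreationTime"])
    for i, r in enumerate(events):
        known = net24(r["ClientIP"]) in baseline.get(r["UserId"], set())
        if r["Operation"] != "UserLoggedIn" or known:
            continue
        start = datetime.fromisoformat(r["CreationTime"])
        downloads = sum(
            1 for e in events[i + 1:]
            if (e["UserId"], e["ClientIP"]) == (r["UserId"], r["ClientIP"])
            and e["Operation"] == "FileDownloaded"
            and datetime.fromisoformat(e["CreationTime"]) - start <= window
        )
        alerts.append((r["UserId"], r["ClientIP"],
                       "high" if downloads >= bulk else "low", downloads))
    return alerts

def rec(ts, user, op, ip):
    return {"CreationTime": ts, "UserId": user, "Operation": op, "ClientIP": ip}

# Constructed records; field and operation names are assumptions for this sketch.
HISTORY = [rec("2024-03-01T09:00:00", "asha@example.com", "UserLoggedIn", "198.51.100.20"),
           rec("2024-03-01T08:30:00", "lee@example.com", "UserLoggedIn", "192.0.2.10")]
TODAY = [rec("2024-03-05T09:01:00", "asha@example.com", "UserLoggedIn", "198.51.100.31"),
         rec("2024-03-05T02:14:00", "lee@example.com", "UserLoggedIn", "203.0.113.9"),
         rec("2024-03-05T02:15:00", "lee@example.com", "FileDownloaded", "203.0.113.9"),
         rec("2024-03-05T02:16:00", "lee@example.com", "FileDownloaded", "203.0.113.9"),
         rec("2024-03-05T02:17:00", "lee@example.com", "FileDownloaded", "203.0.113.9")]

if __name__ == "__main__":
    for alert in detect(TODAY, build_baseline(HISTORY)):
        print(alert)
```

The first user's sign-in comes from a different address inside a known /24 and raises nothing; the second user's sign-in from a new network followed by three downloads within the window is reported as high severity.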
6. Protect ADFS
Active Directory Federation Services (ADFS), Microsoft’s Single Sign-On solution, is closely tied to Office 365. Because ADFS is exposed to the Internet and accessible from any IP address, it’s vulnerable to cyber-attacks such as Distributed Denial of Service (DDoS) attacks. As a result, protecting ADFS is of supreme importance to ensure the availability and security of Office 365.
7. Manage Admin Accounts
Office 365 admins, whether they’re Exchange admins or SharePoint admins, wield a great deal of power. They have the ability to access user mailboxes and files and define user permissions. Because their actions can have a large impact, there are several regulations requiring that audit trails be maintained for admin activities. In fact, enforcing separation of duties is recommended for enhanced data security.
Why should you perform a Risk Assessment?
Understanding why you need to perform a Risk Assessment is imperative. If you are not sure, ask yourself these questions:
1. Do I know where all the customisations are within my Office 365 Tenant?
2. Do I know how many Script Editor web parts are on the site?
3. Do I know where custom JavaScript is on pages?
4. Do I know who made configuration changes last?
5. Is my Tenant configured for the best Security?
6. Do I know what the code is doing on my site?
If the answer is “NO” to any of these questions, then you NEED to perform a detailed Risk Assessment.
Performing a Risk Assessment of the Microsoft 365 cloud is now more critical than ever before. Combining this with an evaluation of the on-premises services that are in use allows you as an organisation to understand the full threat landscape. The risks and vulnerabilities to the organisation will change over time; however, if the organisation continues to follow a risk assessment methodology, it will be in an excellent position to address any new risks and vulnerabilities that arise.
Augmenting Office 365 Security
Microsoft’s Office 365 security strategy is based on the following four pillars.
1. Prevent Breach: It’s predicated on the assumption that a breach has already happened but is not known yet. It includes port scanning and remediation, perimeter vulnerability scanning, operating system patches, network level isolation/breach boundaries, DDoS detection and prevention, live-site penetration testing, and multi-factor authentication for service access.
2. Detect Breach: It features system and security alerts that are collected and correlated via an internal analysis system. Both internal and external (i.e., coming from customer incidents) signals are analysed. Based on machine learning, new patterns are incorporated to trigger alerts.
3. Respond to Breach: It deals with risk remediation if a component is compromised. The ability to deny or stop access to sensitive data as well as tools to promptly identify involved parties helps facilitate mitigation.
4. Recover from Breach: It includes the standard procedures to restore the Office 365 service. It includes the ability to modify the security principals in the environment, automatically update the affected systems, and scan for any anomalies.
Even though Microsoft provides several security features natively in Office 365, organisations must still turn to third-party solutions to supplement them.
Conclusion
All companies and organisations, regardless of their size, are susceptible to hacking, phishing, and unauthorised access. Businesses these days are held accountable for having a secure environment, even if they are running all critical systems in the cloud, or have a hybrid-cloud model. And, for companies that are public, or have legal requirements, a security breach can be expensive! Some companies have been fined and sued for negligence involving a preventable breach, and for not having the proper security measures in place. Hence one must carry out an Office 365 Security Assessment to identify potential security gaps and formulate a strategy to protect access and sensitive data stored in Office 365 while meeting all compliance obligations.