Office 365 has already passed the mark of 100 million active users, and that is not the limit. The 2017 Global SharePoint Survey by Hyperfish, Sharegate, and Nintex shows that at least 32% of organizations are planning to migrate to Office 365, and 16% are already in the process. Interestingly, 32% of respondents confirmed that Office 365 security concerns are an important reason that keeps them from moving to the cloud.
With the release of Microsoft 365, which includes Office 365 and provides enterprise security as part of the package, companies have many more options to kick off cloud collaboration. That’s why we can expect more doubts and debate about the security of both cloud suites.
Are there real reasons for organizations to worry, or are the security fears baseless? This article focuses on that question.
Office 365 security from the organizational perspective
Organizations that decide to move their on-premises deployments to the cloud can feel uneasy. When a company is used to having complete control over its deployments and data, it may hesitate to place them in a cloud owned and managed by a third party, even if it’s a world-known software giant.
Let’s answer the questions companies may have when they decide to start with Office 365.
What effective steps does Microsoft take to protect our Office 365 deployment and data?
Physically, your deployment is hosted in Microsoft datacenters located in different parts of the world. Microsoft provides several layers of physical security in its datacenters to prevent physical break-ins. Microsoft is also responsible for keeping Office 365 up and running, and it carries out regular functional and security updates of the suite.
Microsoft commits to keeping the data out of reach of third parties and does not use your data for advertising or marketing campaigns. However, you should understand that in some extreme situations Microsoft will have to disclose your data. This may be a matter of legal requirements. But rest assured that your data will be disclosed only when Microsoft fails to contact your organization with all the available tools.
Which Office 365 security features can we leverage?
Microsoft follows the defense-in-depth principle to ensure the strong security of its cloud services. This principle implies at least two categories of Office 365 security features:
- Built-in security features
- Customer controls
Microsoft follows its proprietary threat management strategy, which includes several types of security mechanisms to protect organizations from malware and viruses, phishing campaigns and spoofing, DDoS attacks and other types of security threats.
There are also many customer controls that let each organization set up its own security in the Office 365 environment. This security layer covers essential aspects such as secure access to the Office 365 services the organization subscribes to, multi-factor authentication for end users, role-based access control (RBAC), data loss prevention (DLP) features, message encryption and more.
If we use Office 365, can we stay compliant?
Compliance is one of the main pain points (a pain point is a particular problem that prospective customers of your business are experiencing) for organizations that consider adopting Office 365. This aspect is indeed unclear.
At this moment, Office 365 meets the requirements detailed in ISO 27001, European Union Model Clauses, the Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA), and the Federal Information Security Management Act (FISMA).
In addition, Microsoft offers various certifications, confirmations, and authentications to help organizations follow national, regional and industry-specific requirements. You can find an all-inclusive list of certificates in the Office 365 Trust Center.
The fastest way to see which Office 365 services and apps meet the highest level of compliance is to consult the Microsoft Compliance Framework. There you will see that SharePoint Online sits in a much higher compliance category than, for example, Microsoft Teams or Planner, which means that the latter still have gaps in their compliance. As for Microsoft Stream, this new Office 365 service is not fully covered with compliance features and is currently only at the auditing stage.
Taking all this into account, it is well worth working through compliance issues directly with Microsoft or with your Office 365 consulting agency. Henkel did the same when making its Office 365 solutions compliant with the General Data Protection Regulation (GDPR).
Office 365 security from the end user perspective
Office 365 offers great collaboration flexibility, so employees can use the suite from various devices and from any place. However, this freedom should come with the assurance that employees work in a protected environment, especially if they deal with sensitive data.
Can anybody access the data you are working on in Office 365?
Office 365 allows encryption of data both at rest and in transit, which means that your content is unreadable and useless to a malicious user unless they have the decryption key. Office 365 uses advanced encryption protocols and technologies, including TLS/SSL, Internet Protocol Security (IPSec) and Advanced Encryption Standard (AES).
We must highlight that the encryption of data at rest is applicable to enterprise-level apps and services. For example, OneDrive for Business will protect every file stored in it, whereas OneDrive for non-business users doesn’t ensure content encryption. So avoid using personal storage in place of corporate storage.
Can Office 365 be used securely on mobile devices?
The mobile security of Office 365 subscribers is provided through two main sets of tools: built-in mobile device management (MDM) features and Microsoft Intune.
MDM (Mobile Device Management) for Office 365 allows admins to create dedicated mobile policies that control access to organizational email and documents on supported mobile devices and apps. Thus, if you lose your device, Office 365 admins will be able to remotely access the device and remove sensitive data if there’s any.
Organizations with complex mobile environments can use Microsoft Intune. Office 365 users can access it through a separate subscription, while Microsoft 365 offers it out of the box. This service allows managing fleets of mobile devices and controlling mobile access to Office 365 services, as well as enabling mobile application management (MAM).
How can we keep control over shared data?
Data loss prevention (DLP) policies help to address this Office 365 security challenge. When Office 365 admins set DLP policies, automatic alerts trigger every time you try to send emails or share documents containing sensitive information, whether it is financial data or personally identifiable information (PII): credit card numbers, social security numbers, and health records.
While you can always have control over the shared data, admins can continually monitor sensitive data flows and block them at any time.
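To make the DLP idea concrete, here is a simplified content check of the kind such a policy performs, written as an added example; it is not Office 365's actual detection logic. The patterns, the masking format and the function names are assumptions chosen for illustration, and the sample message is constructed.

```python
import re

# Candidate patterns: 13-19 digits with optional space/hyphen separators,
# and US social security numbers written as AAA-GG-SSSS.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values that are never issued (area 000, 666, 9xx; group 00; serial 0000)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def scan(text: str) -> list[tuple[str, str]]:
    """Return (type, masked value) findings; masking keeps the alert from leaking data."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    return findings


def should_alert(text: str, min_count: int = 1) -> bool:
    """Policy decision: alert when at least min_count sensitive items are present."""
    return len(scan(text)) >= min_count


# Constructed sample message (4111 1111 1111 1111 is a well-known test card number).
SAMPLE = ("Hi, please charge card 4111 1111 1111 1111 for order 1234567890123456. "
          "Employee SSN is 123-45-6789, badge 000-12-3456.")
```

The checksum and plausibility filters are what keep order numbers and badge IDs in the sample from raising false alerts.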
Office 365 security from the IT admin perspective
Finally, we come to the IT experts who are responsible for overall enterprise security. To keep employees' work within the suite protected, IT professionals can apply various security methods and tools available in Office 365.
How can admins monitor the security of the Office 365 deployment?
Admins of Office 365 Business Plans gain access to the Office 365 Admin Center. Using the core capabilities of the Admin Center, IT specialists can manage various security standards within their Office 365 solutions, including:
- User permissions
- Security settings within Office 365 groups
- Security updates
- Access rights for external users
- Security reports on the security status of Office 365 applications and services
- Security policies
In addition, Office 365 admins can access separate admin centers for major Office 365 apps and services like Exchange Online, SharePoint Online, Skype for Business and Yammer. This allows administrators to establish granular security controls within each of the Office 365 components and get a detailed view of each of them.
How can admins discover Office 365 security weaknesses?
To keep track of Office 365 security, IT admins can use a dedicated analytical tool, Office 365 Secure Score. By analyzing the Office 365 environment, Secure Score allows Office 365 administrators to:
- Determine the current security posture of the deployment and compare it with established baselines.
- Identify security issues that require admins’ attention to prevent a potential Office 365 security breach.
- Get suggestions on how to fix detected problems and improve overall security score.
In addition, Secure Score provides an overall risk assessment and shows the risk the company faces if it does not take any action.
What steps should admins take to minimize the risk of cyberattacks?
We live in a cyber-insecure world where a large number of breaches happen every day, so it would be naive to expect that Office 365 will not attract attackers.
At present, brute-force and email-related attacks targeting the Exchange Online service visibly dominate. In 2016, a massive Cerber ransomware attack hit millions of Office 365 users. Since May 2017, organizations around the world have reported targeted KnockKnock attacks on their Exchange Online accounts.
With this trend in mind, IT admins should pay special attention to password policies, and enable and continuously monitor Office 365 email security. To check the security of the Office 365 environment, it is reasonable to conduct penetration testing at least once a year.
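One way to monitor sign-ins for the brute-force activity described above, as an added example rather than a Microsoft tool: the record fields (`CreationTime`, `Operation`, `UserId`, `ClientIP`) are modelled on audit-log style sign-in records and should be treated as assumptions, the records are constructed, and the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("CreationTime", "Operation", "UserId", "ClientIP")
# Constructed sample records (documentation IP ranges, example.com accounts).
_RAW = [
    ("2024-03-04T09:00:00", "UserLoginFailed", "svc-backup@example.com", "198.51.100.1"),
    ("2024-03-04T09:02:00", "UserLoginFailed", "svc-backup@example.com", "198.51.100.2"),
    ("2024-03-04T09:04:00", "UserLoginFailed", "svc-backup@example.com", "198.51.100.3"),
    ("2024-03-04T09:06:00", "UserLoginFailed", "svc-backup@example.com", "198.51.100.4"),
    ("2024-03-04T09:08:00", "UserLoginFailed", "svc-backup@example.com", "198.51.100.5"),
    ("2024-03-04T09:09:00", "UserLoggedIn", "svc-backup@example.com", "198.51.100.6"),
    ("2024-03-04T10:00:00", "UserLoginFailed", "alice@example.com", "203.0.113.7"),
    ("2024-03-04T10:00:30", "UserLoginFailed", "bob@example.com", "203.0.113.7"),
    ("2024-03-04T10:01:00", "UserLoginFailed", "carol@example.com", "203.0.113.7"),
    ("2024-03-04T11:00:00", "UserLoginFailed", "dave@example.com", "192.0.2.10"),
    ("2024-03-04T11:00:20", "UserLoggedIn", "dave@example.com", "192.0.2.10"),
]
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in _RAW]


def detect(events, window=timedelta(minutes=10), max_failures=5, spray_accounts=3):
    """Return sorted (alert_kind, subject) pairs for suspicious sign-in patterns."""
    alerts = set()
    fails_by_user = defaultdict(list)  # account -> recent failure timestamps
    fails_by_ip = defaultdict(list)    # source IP -> recent (timestamp, account)
    for e in sorted(events, key=lambda ev: ev["CreationTime"]):
        ts = datetime.strptime(e["CreationTime"], "%Y-%m-%dT%H:%M:%S")
        user, ip = e["UserId"], e["ClientIP"]
        # Keep only failures that are still inside the sliding window.
        recent = [t for t in fails_by_user[user] if ts - t <= window]
        if e["Operation"] == "UserLoginFailed":
            fails_by_user[user] = recent + [ts]
            if len(recent) + 1 >= max_failures:
                alerts.add(("brute_force", user))  # many failures, any source IP
            fails_by_ip[ip] = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= window]
            fails_by_ip[ip].append((ts, user))
            if len({u for _, u in fails_by_ip[ip]}) >= spray_accounts:
                alerts.add(("password_spray", ip))  # one IP, many accounts
        elif e["Operation"] == "UserLoggedIn" and len(recent) >= max_failures:
            # A success right after a burst of failures may mean a guessed password.
            alerts.add(("success_after_brute_force", user))
    return sorted(alerts)
```

Counting failures per account rather than per source address catches guessing that is spread across many IPs, and the success-after-failures alert is the one to triage first.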
Be proactive in your Office 365 security
Although Office 365 is Microsoft’s proprietary cloud platform, you shouldn’t think that Microsoft is solely responsible for the security of your solution. Yes, the corporation works very hard to implement various security features that its customers can take advantage of. The overall cloud protection can hardly be questioned.
At the same time, your Office 365 solution is your responsibility, so you can take full control of your Office 365 environment and users. Security is one of those areas where you need to be active and thorough. Don’t wait for a real attack to hit your Office 365 deployment, but take preventive measures. If you don’t have internal resources to handle security challenges, you can always address them to an Office 365 consulting team, which will help you build strong, integrated security for your organization.
What are your Office 365 security concerns? Which tools do you use for your Office 365 deployment and which techniques prove to be more effective? Share your experience in the comments below.