Don’t just accept the defaults and hope for the best
Wherever you look there’s yet another SME or enterprise migrating to Office 365.

This says a lot for the attractiveness of cloud-based office suites, and perhaps it also says something about the attractiveness of letting someone else look after one’s SharePoint and Exchange servers rather than having to fight with their maintenance and upkeep internally.
It also says a lot about the security of the platform: if there were any serious concerns there wouldn’t be so many people using it (the figure I have to hand cites 60 million business customers as of spring 2016). What this tells us, though, is not that it’s the Fort Knox of cloud-based office software: it merely says that it’s secure enough for commercial organisations to accept it into their infrastructure.

Any system has scope for improvement, or for the user to layer further security mechanisms on top to make the setup even more attractive.
So what does Office 365 give us, and what can we do to take it further, security-wise?
Underlying directory services
One of the reasons people tend to trust Office 365 is that it’s based on the directory service that everyone knows and is familiar with: Active Directory.

Cloud-based AD integrates with its on-premise peer very straightforwardly, and although in the past one tended to use outward federation (that is, AD was hosted and managed in-house and federated/synchronised to an external AD server) the story is now far more bi-directional, so you can manage the AD setup either internally and externally and it’ll sync in either direction. Let’s face it, it’s difficult to criticise the fundamental security capabilities of a cloud-based AD setup because we’ve all been using it in-house for years and years.
Securing other apps
The other benefit you get if you adopt the Enterprise Mobility Suite on top of Office 365 is the ability to bring the user authentication of a variety of apps into a single user database.
Interestingly EMS gives you more than you’d be able to do with an in-house AD setup.
So as well as providing native AD authentication you can point all manner of other stuff at it – ODBC lookups, LDAP queries, Web services and of course other native AD servers.

But more interestingly there’s a pile of specific support for a wide range of popular cloud-based apps (Salesforce is the one that’s generally cited, so let’s not buck the trend) and so you can move away from your plethora of separate user databases and toward a single integrated directory service.
Two-factor authentication
The problem with centralising your authentication, though, is that the impact of a breach on your central authentication database is far greater than a breach on a single application’s own internal user database.
So the first thing you’ll probably want to add to your Office 365 setup is two-factor authentication (2FA).

To be fair to Microsoft they do provide a 2FA mechanism of their own, but many of us already use third-party 2FA (RSA’s SecurID is probably the best known, though more recently I’ve used Symantec’s VIP offering) and it’s understandable to want to stick with what you know.

And without trying to sound disparaging to Microsoft, there’s something to be said for picking a different vendor for your 2FA in the interests of putting your eggs in more than one vendor basket. Happily the 2FA vendors are happy to sell you their 365-connectable offerings as they’re becoming nicely established and stable.
Edge protection
We mentioned earlier that managing your own in-house Exchange setup can be something of a chore, and quite frankly who can blame you for wanting to ship it off to the cloud for Microsoft to look after it? I’ve seen it done more than once, and the relief on the faces of the mail server admins was palpable.

But I also wouldn’t blame you for considering persevering with and potentially even expanding some or all of the edge protection you have for inbound email – it’s been common for many years to adopt a hosted anti-malware and/or anti-spam offering and to funnel all your inbound email through it on its way to the Exchange server.
So of course Microsoft’s mail infrastructure has its own anti-malware mechanisms (and they’re very proud of it) but again, by sticking with a third-party offering layered around it you can bring an additional layer of security, visibility and reassurance to yourself and your management.
Going in the other direction, Data Leakage Protection (DLP) is also something that you’re increasingly likely to need these days, what with the tendency toward accreditations such as PCI-DSS and ISO 27001.

Again there’s a selection of DLP tools and policy features with Office 365, but a third-party approach is very much an option.
Security monitoring
Regardless of whether your installation is on-premise or in the cloud, security monitoring is absolutely critical if you’re serious about security.

The market to be in these days is selling Security Information and Event Management (SIEM) software and appliances: storing, collating and analysing log data and the associated response and remediation brings massive benefits, particularly if you’re aiming toward some kind of formal security or similar accreditation. Office 365 provides APIs into which SIEM platforms can hook in order to deduce what’s occurring in the cloud installation and alert you to potential issues; and as with the likes of DLP and 2FA the vendors of SIEM products are now commonly supporting Office 365 to pretty much the same extent as they support on-premise kit.

Does Office 365 have in-built SIEM? Yes, there are tools that provide you with forensic analysis features and of course there’s event logging, but SIEM isn’t a core concept for Microsoft and so unless you have a very small setup you’ll look to third-party SIEM offerings for the functionality you need, either in a dedicated, targeted SIEM solution from someone like LogRhythm or Splunk or in a multi-function package from the likes of Proofpoint.
One of the big differences between the cloud-based world and the on-premise setup is the need for and the implementation of backups.
It’s common to decide that the requirement for backups to protect against complete system failure (i.e. disk crashes causing data loss) is much reduced in the cloud thanks to the robust physical implementation of the underlying storage layer.

But remember that physical crashes are just part of the need for backups: the risk of inadvertent deletion of data doesn’t go away when you shift the installation into the cloud.

As with some of the other concepts we’ve mentioned there are built-in tools such as version control and rollback, automatic retention of items in recycle bins, and so on.

But again you’re likely to want more, and again you can look to the market as there’s a growing selection of options out there.
Are we spotting a trend here?
We’ve been talking so far about augmenting Office 365 with security features that don’t come as standard, or that do come with the system but are perhaps not so attractive as those of separate products whose developers are more focused on the subject area.

The thing is, though, that aside perhaps from the discussion on backups, little of these supposed shortcomings are unique to Office 365 – they exist in on-premise setups too.

And that makes sense: we’re not saying Office 365 is particularly deficient, just that the whole reason all these third party products and services exist is that you can’t reasonably expect Microsoft (or any other of your vendors) to have a perfect solution in every specialist field of security as part of its office suite.
What do the Office 365 experts think?
Aonghus Fraser, CTO at C5 Alliance (), echoes the idea that the service has its own features but they’re not the whole story. He notes: “There are a number of areas that should be considered – some are in addition to Office 365 but there are also newer or lesser-known security features or services that can complement that native Office 365 security and cover all bases”.
Endpoint security’s high on his list. “Whilst there is protection at the server-side for O365 including Exchange and SharePoint Online, it is recommended that a strategy for endpoint protection for devices is implemented.

This can range from leveraging native O365 & Microsoft services such as InTune to ensure that a minimal level of patching and AV is enabled (using Windows Defender) to third party solutions such as Sophos Endpoint which can work on devices and in conjunction with firewalls to detect and isolate compromised devices”.
Following up his point about new features that wink into existence, he cites a recently introduced built-in feature: “Advanced Security Management is a new service providing global and security administrators with the facility to detect anomalies in your tenant – alerts for abnormal behaviour, and alerts for activities that might be atypical.

Examples could include logging in from unusual locations, mass download by a single user (suggesting a data leakage risk) or administrative activity from a non-administrative IP address”.
The non-technical elements
Our original request to Aonghus was for three observations, of which we’ve just mentioned two; the third is non-technical but absolutely key. He states: “It is essential to ensure that business policies are regularly maintained in line with Office 365 capabilities such as Multi-Factor Authentication and Data Leakage Prevention in order for security to be optimised whilst taking into account employee productivity”.
It’s key to ensure your business is able to work effectively and in a governed way as you evolve into the cloud world: “An understanding of the implications on users of implementing some security measures is essential to ensure that users are well-informed and do not try to bypass the measures due to lack of understanding or usability or productivity being severely compromised.
If the measures are too draconian users will find a way to circumvent them; business decisions need to align with the security recommendations in order for the right balance to be achieved”.
People as a problem
Aonghus touched on the issue of ensuring that staff are well informed and don’t try to side-step security measures, but it’s worth remembering that even with a strong staff awareness programme there’s still a risk of inappropriate inactivity.

And you can’t really blame your staff for falling for the occasional phishing attack: some are so sophisticated that even the most aware staff member will be taken in eventually.
As Joe Diamond, Director of Cybersecurity Strategy at ProofPoint puts it: “The level of social engineering to craft a convincing lure is what makes phishing so successful. We see this used across attacks that use malware, and those that don’t – such as business email compromise spoofing attacks and phishing for credentials”.
Joe continues: “While end user education serves an important role, you cannot rely on it.

Focus on where your users digitally communicate the most – email, social sites, and mobile apps – and put in the protection needed to shield advanced attacks from ever reaching your end users”.
As for the complexity of attacks these days: “The attack on customers of National Australia Bank that Proofpoint recently identified is a perfect example of how to the naked eye, the emails and links were virtually indistinguishable from legitimate bank communications.

The email content tricked recipients into entering credentials to verify their account and provide accounts details, before redirecting to the legitimate banking site.

The URL [looked] legitimate, but a letter was swapped with Unicode and encoding in the URL hid suspicious code”.
In short
Like any system of its kind, Office 365 is sufficiently secure in its basic form but there’s always more you can do – either to make it easier to exploit what it inherently does or to add further layers of protection and reporting on top of what you get “out of the box”. You may decide when you move to Office 365 that you can wind down some of the extras you bolted onto your on-premise system simply because technology’s moved on and the inherent provision in Office 365 is good, but any cloud email service is fair game for an attacker because a compromise of a single system serves up multiple victims so you’re unlikely to want to throw away all the extras that can help you provide a layered security model as you evolve to a cloud setup.
Oh, and one more thing: moving to the cloud doesn’t make you immune from the long-standing tradition of stereotypical bad practice.

Aonghus gets the last word in this respect: “Accepting the default settings without considering whether, for example, the password expiry policy is appropriate is something that is often left – a ‘hope for the best’ approach or assumption that Microsoft defaults are right for you is not a good strategy where security is concerned”.

Amen. ®

Leave a Reply