Preparing for the Adoption of Office 365October 3, 2016 No Comments
Featured article by Deena Thomchick, Sr. Dir, Outbound Product Management, Blue Coat + Symantec
As you may know, Microsoft Office 365 is the number one cloud-based solution, due to its appeal on multiple levels to individuals and business users alike. In recent years, Microsoft has invested heavily in cloud computing, with its revenue from Office 365 jumping 54 percent over the last quarter.
With a total of 78 percent of enterprises already using the platform, or planning to start, you can be sure Microsoft’s development focus will remain on Office 365 for years to come. As with the adoption of any cloud application, there are a number of security issues to address during planning, especially when the app is central to your business as Office 365. Whether you are walking in with a partial online deployment or jumping right into a full transition to Office 365 model, security should be a top priority during planning.
In the rush to slash upfront capital outlays for software licensing, it’s important to not forget about the back-end risks associated with a transition. To stay ahead of the evolving threat landscape, its important that your IT teams get up to speed on exactly what’s required to keep your Office 365 deployment safe, compliant, and fast. Before you take off running with an Software-as-a-Service (SaaS) adoption, here are four questions you should to ask yourself before implementing Office 365:
How protected is your data from accidental exposure? Collaboration platforms like Office 365 are powerful business tools. Unfortunately, these platforms can lead to accidental over sharing, which is the biggest cause of sensitive data exposure for enterprises. Before you start the adoption process, it is important to know just how Office 365 protects your data.
Office 365 provides basic protections for your data, but native capabilities may not meet your enterprise needs. Make sure you familiarize yourself with what security activities Microsoft is and isn’t responsible for with Office 365. For example, Microsoft will not take responsibility for the data users choose to upload and share within Office 365. In addition, Microsoft does not take responsibility if an unauthorized user accesses your accounts should one of your employees account credentials are compromised. Things like Cloud Access Security Broker (CASB) data governance and enterprise cloud DLP will help to protect against accidental data exposure, as will educating your users on best practices for secure sharing in the cloud.
Do you know what regulated data is being placed in Office 365? Many enterprises store sensitive, compliance related data in Office 365. Microsoft meets most of the compliance requirements as a platform, such as CSA STAR Self-Assessment, PCI and HIPAA, however it does not offer Truste, Safe Harbor, SOC III, ITAR, or COBIT at this time. Microsoft will protect the platform but you are responsible for the data your users choose to store in Office 365 and how they share it. You should consider cloud DLP, encryption and automated CASB controls to make sure PII, PHI, and other regulated data is properly protected as it moves in and out of the cloud. Office 365 offers some services to help you govern your data but it is not an enterprise DLP solution and may not provide the level of data classification, identification and response capabilities your organization needs.
What password controls, authentication and identity systems will you set up for your Office 365 implementation? Unfortunately, attackers frequently target account credentials for theft so it is important to implement a secure user authentication and user access strategy. It is likely that your organization is or will be using multiple SaaS services so a Single Sign On (SSO) solution that can provide user authentication for multiple services is highly recommended, and while you are at it take advantage of the multifactor authentication capabilities of that SSO solution. Office 365 is one of the more business ready cloud platforms and it has a good range of access control options you can leverage with your user authentication solution.
There are a lot of different options available to protect your accounts against brute-force attacks. For example, you can utilize CAPTCHA or set up progressive responses if there are multiple failed logins. Additionally, you may want to ask yourself the following: Are you using the right access controls in place that restrict what devices can be used with Office 365? What will your password quality requirements be? Will you implement multi-factor authentication? Do you have effective email protection to mitigate social engineering attacks aimed at stealing user credentials?
How do you identify a compromised account? With potentially thousands of user credentials in play, the prevalence of malware targeting theft of user credentials or hijacking sessions and the ability for hackers to access Office 365 accounts directly from the internet, it is statistically likely that one of your user accounts will get compromised.The best way to identify a compromised account is through user behavior analysis (UBA). Office 365 can analyze your user transactions for basic UBA but it can’t analyze user behavior beyond it’s own scope of control may not provide the level of UBA intelligence and threat protection you want for your enterprise. There are UBA and CASB solutions that leverage sophisticated data science techniques to analyze user behavior across multiple applications that may be more effective at identifying suspicious activity.
Look into additional solutions to provide extra support. For example, a Cloud Access Security Broker (CASB) lets you analyze user behavior in cloud applications and a CASB + cloud DLP solution will help prevent your sensitive data from getting exposed. Anti-malware and advanced threat protection solutions should be extended to your cloud accounts, as they can assist in stopping malware from compromising your accounts and infecting your organization.
As you start to implement Office 365, you’ll gain many benefits from your move to a collaborative cloud solution. However, don’t forget to stop, ask questions and analyze your options to make your move to Office 365 is not only successful but also secure.
CLOUD COMPUTING, DATA and ANALYTICS , Inside the Briefcase, SECURITY