All but written off 24 months ago as the technology landscape tilted in favor of mobile devices and cloud services, rather than software running on PCs, Microsoft has successfully reinvented itself as a cloud computing powerhouse. The swiftness and scale of the company’s pivot under Satya Nadella’s leadership is impressive. Today, one out of every five corporate employees uses an Office 365 cloud service, up from less than 7% just nine months ago. Put another way, in the last two years Office 365 has eclipsed all other cloud providers to emerge as the most widely used enterprise cloud service by user count. It’s all part of Satya Nadella’s vision for remaking Microsoft into a subscription company where customers rent rather than buy software.
That strategy is beginning to pay financial dividends. Microsoft CFO Amy Hood has explained that transactional customers who generally upgrade every 5-7 years pay up to 80% more in the long run with Office 365 when they use an E-3 plan that includes Office applications (Word, Excel, PowerPoint, etc.) as well as cloud-based Exchange Online, SharePoint, and Skype for Business Online. It’s a win for customers as well who no longer pay for hardware or resources to manage software in their own datacenters. Moreover, enterprises using Office 365 benefit by always having users on the latest versions without having to upgrade anything.
To look at the state of Office 365 adoption and how it is transforming enterprise productivity and collaboration, we analyzed cloud usage data from Skyhigh Cloud Access Security Broker for over 27 million users working at over 600 enterprises. These enterprises span all major industries worldwide. We compared usage in Q3 2015 with that in Q2 2016 to assess the growth of Office 365 over the past three quarters.
Microsoft’s land and expand strategy
Microsoft has been successful in gaining an Office 365 foothold in nearly every enterprise. In the previous 9 months, the percentage of enterprises with at least 100 users increased slightly from 87.3 to 91.4 percent. However, usage within enterprises grew over 320% as the percentage of employees using at least one Office 365 application more than tripled from 6.8 to 22.3 percent. That’s good news for Microsoft. A key goal for the company is driving more Office 365 usage, also referred to as “consumption”, and their efforts appears to be working.
Even though Microsoft already occupies the top spot in cloud usage rankings by user count, the company still has a significant opportunity to expand Office 365 revenue. Analyzing usage of over 20,000 cloud services, we found that 58.4% of sensitive data in the cloud is stored in Microsoft Office documents. If we use sensitive information (e.g. business plans, medical records, financial forecasts, etc.) as a proxy for business-critical data, it’s clear that the dominant platform for working with this information remains Microsoft Office. As Microsoft tightly integrates Office applications with the cloud – entry level Office subscriptions already get 1TB of OneDrive storage for each user – it’s likely that usage of Microsoft’s cloud services will grow.
A deeper look at consumption by application and industry
Broken down by individual application, OneDrive for Business has the highest penetration rate with 79.1% of organizations possessing at least 100 users. It makes sense that OneDrive is deployed at so many organizations because it is included in every Office 365 plan, even the entry level ProPlus plan that primarily gives access to Office applications on the desktop (Word, Excel, PowerPoint, etc.). OneDrive for Business also has the highest usage rate, with 18.6% of all enterprise employees actively using it. Exchange Online has the second highest penetration rate – 66.9% of enterprises have at least 100 users. However, while Skype for Business is used by fewer enterprises, more users are using cloud-based Skype for Business than Exchange.
One way to interpret this data is that enterprises are beginning to migrate to Exchange Online from on-premises versions of Exchange but that – owing to the scale of these migration projects – they are migrating in phases. Similarly, the complexity of many sprawling on-premises SharePoint deployments may be slowing down migration to SharePoint Online. Only 35.3% of enterprises and 2.1% of users have moved to SharePoint Online. By both metrics, Yammer is the least used Office 365 application. Yammer faces stiff competition from upstart Slack, which is rapidly expanding in the enterprise. This may partially explain why it has been slower to expand its footprint after being acquired by Microsoft in 2012 for $1.2 billion.
Office 365 adoption is not uniform across industries. Financial services firms have the highest rate of Office 365 usage. Perhaps this is not surprising because financial services firms are simultaneously heavy users of Microsoft Office, particularly Excel, and also seek to have the latest technology tools to maintain a competitive advantage. Within financial services, 39.3% of users actively use OneDrive for Business and 17.3% actively use Skype for Business. By far, the most popular Office 365 application in healthcare is Skype for Business and 14.2% of users rely on it for online meetings, messaging, and audio and video calls. Manufacturing leads adoption of Exchange Online, with 12.9% of users actively using Microsoft’s cloud-based email platform. That’s followed by media and entertainment with 12.5% of users on Exchange Online.
Insider threats and compromised accounts
Microsoft takes the security of the Office 365 platform very seriously and has made significant investments in service-level security. These investments protect Microsoft’s cloud-based applications from intrusions. Office 365 is one of the few cloud services to receive the highest rating of Skyhigh Enterprise-Ready based on an objective assessment of its security controls. However, users can still perform high-risk actions within these applications, whether their high-risk behavior is accidental or malicious. Moreover, account credentials can be acquired via phishing scams and used by third parties to gain access to corporate data. Taken together, the average organization experiences 2.7 threats each month within Office 365 including:
- 1.3 compromised accounts each month – such as an unauthorized third party logging in to a corporate Office 365 account using stolen credentials
- 0.8 insider threats each month – such as a user downloading sensitive data from SharePoint Online and taking it when they join a competitor
- 0.6 privileged user threats each month – such as an administrator provisioning excessive permissions to use a user relative to their role
The average organization generates 5.4 million user events each month within Office 365 (e.g. user login, upload file, edit document, etc.). Microsoft provides a raw event feed that can be consumed via an API, which leaves enterprises searching for a needle in a very large haystack. Increasingly, enterprises are leveraging tools relying on user and entity behavior analytics (UEBA), which use machine learning to analyze user activity and automatically detect unusual behavior. For example, this technology may surface an alert when a user logs in after 15 failed login attempts as a potentially compromised account. One of the challenges facing IT security teams today is the sheer volume of alerts they receive.
In the infamous Target data breach, cyber attackers stole data for over 40 million customer payment cards in the days after gaining access to the retailer’s payment systems. Target’s IT security team ignored an alert correctly identifying the breach before any card data was stolen. Had they acted immediately, it’s likely the scope of the breach would have been much smaller. In Office 366, the average enterprise experiences 256 anomalous user activities within each month for every 5.4 million events (roughly a 20,000:1 ratio). However, of these anomalous events, an average of 2.7 turn out to be actual threats to the organization. The challenge for enterprises today is how to develop the people, processes, and technology to identify these threats against the background noise of everyday Office 365 usage.
Anomalous events that do not indicate a true threat often occur in isolation. Following the above example, the user may simply have forgotten that the CAPS lock was on when entering her password multiple times incorrectly. So, how does an IT security professional tell the difference between a clumsy user and a cyber criminal? One thing that cannot be stolen by a third party is the user’s pattern of behavior. A login from a new, untrusted location, or after several failed login attempts correlated with patterns of behavior that are atypical for a user more strongly indicates a compromised account than simply looking at failed login attempts. By narrowing down anomalous events to a fewer number of likely threats, IT security teams are better equipped to respond when an actual threat does occur.
The home for business-critical data
Because enterprises store a significant volume of business-critical data in Office 365, the stakes for keeping data safe are high. Some of this data may not belong in the cloud at all. For example, the average enterprise has 204 files that contain password in the file name stored in OneDrive (up from 143 files in Q3 2015). Generally, security experts don’t recommend storing all of your passwords in an unencrypted Word or Excel document, whether you store it in the cloud or on your computer. Some of this data is sensitive but can be safely stored in the cloud with appropriate controls in place. When reviewing all types of data in OneDrive and SharePoint Online, we found that 17.1% of that data is sensitive. Broken down by type of data:
- 9.4% of data is confidential (e.g. financial records, business plans, source code, trading algorithms, etc.)
- 4.1% of data contains personally identifiable information (e.g. Social Security numbers, tax ID numbers, phone numbers, date of birth, etc.)
- 1.9% of data contains protected health information (e.g. patient diagnoses, medical treatments, medical record IDs, etc.)
- 1.7% of data contains payment information (e.g. credit card numbers, debit card numbers, bank account numbers, etc.)
In the cloud era, the challenge is not only protecting this sensitive information against internal and threats, but also retaining the same compliance policy enforcement enterprises have for on-premises applications. With just a few clicks, an employee can share an entire folder containing sensitive data with another user within the company (or outside the company) in violation of a compliance regulation. Under a shared responsibility model, Microsoft takes ownership of platform security and Office 365 customers themselves are responsible for the safe and compliant use of the application. As enterprises migrate to Office 365, security and compliance are a critical conversation to ensure corporate data is protected.