Microsoft has made strides in security by offering a wide range of built-in security functionality for Office 365. According to Gartner [1], Office 365’s security offers “native capabilities beyond what enterprises have had in previous on-premises deployments.” But even with these improvements, many enterprises find that Office 365’s native security capabilities cannot support their security requirements and use cases.

Role of Microsoft in securing Office 365

Office 365’s existing security controls are consolidated into a few consoles and APIs. Since not every security control is available by default, customers can license different Office 365 tiers to fulfill their security requirements. While a number of add-ons are available directly from Microsoft, Gartner lists several third-party security controls that should be leveraged to complete the O365 security stack.

Following are Gartner’s recommendations for enhancing Office 365 security:

  1. Start with identity, access, and privilege management
  2. Gain visibility into user, application, and data behavior
  3. Secure Office 365 content in motion and at rest
  4. Protect Office 365 from threats
  5. Secure managed/unmanaged devices
  6. Consider a CASB for consistent visibility, control, and protection

Identity, access, and privilege management

The first step in securing Office 365 is properly managing user identity and access to Office 365. The simplest way to implement an IAM strategy is to federate your on-premises Active Directory (AD) with Office 365 using Azure AD. Alternatively, you can use a third-party Identity as a Service (IDaaS) provider that offers SSO across multiple SaaS applications.

In addition, organizations that want to augment their existing IAM should consider adaptive access controls, which take context into consideration when an access attempt occurs. In other words, the access control decision weighs contextual factors such as the time of day, the source IP address, or the location of the access attempt. Microsoft provides adaptive access controls at an additional cost.

Since administrator/privileged accounts have access to a wider range of information, protecting them should be a security priority. It is recommended that enterprises consider a privileged access management (PAM) solution to increase the authentication threshold.

Gain visibility into user, application, and data behavior

Visibility is one of the key pillars of securing cloud services like Office 365. Natively, Office 365 provides activity reports for service usage and transactions in its Admin Center. It also provides an audit report for Exchange Online, SharePoint, OneDrive for Business and Azure AD, found in the O365 Security and Compliance Center.

More sophisticated features are available from third-party vendors, including activity and admin auditing, event collection and correlation, permissions monitoring, UBA, anomaly detection, and content discovery. While individual point solutions meant to provide visibility into Office 365 can prove effective, managing disparate security tools can become cumbersome and increases the risk of misconfiguration caused by human error.

CASBs provide Office 365 visibility comparable to that of point solutions, with the additional benefit of being a single platform that provides the same level of visibility across multiple cloud services.

CASBs offer a depth of visibility beyond native Office 365 capabilities and extend this with several important security controls.

-How to Enhance the Security of Office 365, Steve Riley

Protect content in motion and at rest in Office 365

Transport Layer Security (TLS) secures data in motion in Office 365. Office 365 protects emails in two primary ways: Secure/Multipurpose Internet Mail Extensions (S/MIME) encrypts email messages at the discretion of the user, and Office 365 Message Encryption automatically encrypts emails without user input.

Office 365’s Information Rights Management (IRM) can also be used to implement file-level encryption and other access policies.

Organizations that cannot rely solely on Microsoft’s encryption offerings may want to consider third-party tools that encrypt content before it is uploaded to Office 365. While this may reduce some of Office 365’s native functionality, it means that the organization, and not Microsoft, has sole access to the encryption keys.

Office 365 also offers basic data loss prevention (DLP) capabilities. However, since most enterprises license multiple SaaS products and have deeper DLP requirements than Microsoft can offer, a CASB is an alternative to relying on Microsoft’s built-in capabilities to protect content in Office 365.

If your organization subscribes to multiple SaaS applications, an alternative to enabling native Office 365 data security features would be to select a CASB that includes these capabilities. With a CASB, you can create centralized encryption, rights management and DLP policies across most popular SaaS applications.

-How to Enhance the Security of Office 365, Steve Riley

Protect Office 365 from threats

The recent “slow and low” attack against Office 365 customers underscores the need for advanced threat protection. Office 365 does offer user and entity behavior analytics (UEBA), known as Office 365 ASM and derived from Microsoft’s cloud app security product. Even so, sophisticated attacks that target multiple Office 365 customers, or that target a customer’s other SaaS applications alongside Office 365, may go undetected when relying on Office 365’s native threat protection.

For this reason, Gartner suggests that a CASB might be better suited as a threat protection solution.

Evaluate whether ASM’s UEBA provides sufficient anomaly detection for your Office 365 requirements. If you’re using multiple SaaS applications, a CASB might be a better choice.

-How to Enhance the Security of Office 365, Steve Riley

When it comes to malware, Office 365 has several native threat protection capabilities. Exchange Online comes with malware and spam protection. At additional cost, organizations can license Office 365’s Advanced Threat Protection capabilities, which include email sandboxing, URL checking, and protection against phishing attacks. One of the downsides of Office 365’s message sandboxing is that delivery of attachments can take as much as 30 minutes.

Malware detection for SharePoint Online and OneDrive works in a similar way, where files are scanned prior to being uploaded to the cloud, with infected ones being quarantined.

Secure managed and unmanaged devices

Office 365 offers a free mobile device management (MDM) solution for all business tiers. There are a few crucial drawbacks with using Office 365’s native MDM:

  • Third-party MDM solutions are incapable of communicating with Office 365’s MDM APIs to manage devices or apps
  • Non-Microsoft desktop operating systems, like Apple’s operating system, are not supported by Office 365’s native MDM capabilities
  • In most cases, web browser access to Office 365 can bypass MDM policies

At an additional cost, organizations can opt for Intune, Microsoft’s complete MDM suite. Gartner, however, states that “Gartner clients have reported that Intune is challenging to configure and contains bugs that affect functionality.”

While Intune, Office 365 MDM, or third-party device management vendors may satisfy the needs of some organizations, for companies using multiple SaaS applications Gartner recommends a CASB to secure their data on both managed and unmanaged devices.

In addition to providing improved visibility and consistent data security, CASBs offer a variety of threat protection capabilities, including content inspection/conversion, device management and adaptive access based on device parameters (such as OS and app versions, user behavior, and location). If your organization subscribes to multiple SaaS services, a CASB might be a better approach — you can create uniform threat protection policies across all services.

-How to Enhance the Security of Office 365, Steve Riley

Consider a CASB for a comprehensive approach

For smaller organizations for whom Office 365 is their only cloud application, the native security capabilities of Office 365 might satisfy their security and compliance requirements.

However, if an organization uses multiple SaaS platforms or requires advanced security capabilities, a CASB is the ideal option. This is because enforcing the same set of security policies across multiple cloud services via the cloud services’ native capabilities can prove challenging and leave organizations susceptible to security policy enforcement gaps.

CASBs overcome these challenges by providing a suite of controls that enable you to create consistent security policies across several popular SaaS applications.

-How to Enhance the Security of Office 365, Steve Riley

According to Gartner, multi-mode CASBs are the most effective at securing Office 365, and they secure SaaS applications in ways that go far beyond the traditional security controls provided by web application firewalls (WAFs) and secure web gateways (SWGs). As an added benefit, using a CASB means that all security controls for all SaaS products can be configured and enforced from a single platform.

CASBs provide security controls around four pillars:

Visibility goes beyond just Office 365. CASBs allow enterprises to audit their cloud usage to discover both sanctioned and shadow IT cloud services. This is beneficial both for controlling shadow IT use and for sanctioning new applications that pass risk assessment tests. By auditing their cloud applications’ usage, companies can also set governance (appropriate-use) policies and enforce them across the entire organization’s cloud footprint.

Compliance, the second pillar, relates to identifying sensitive data in the cloud, and then ensuring the data isn’t compromised or exposed in order for the organization to remain compliant with industry regulations and internal security policies. This is done via cloud DLP policy enforcement and collaboration control, whereby organizations define certain types of data that cannot be uploaded to the cloud and other types of data that may live in the cloud but cannot be shared externally.

Data security is a core element of a CASB and includes encryption, tokenization, access control, unmanaged device control, and IRM. With a CASB, organizations define who can access data in O365 based on the sensitivity of the data, the device being used (managed vs. unmanaged), and the geographic location of the access (trusted vs. untrusted). CASBs also enable enterprise digital rights management (EDRM) for sensitive files, so organizations can extend data security to documents once they leave O365.
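An added example, not code from this page or from the Gartner report, of how a context-aware access decision of the kind described in the identity section and in this data-security pillar can be evaluated: the request is scored on network, location, device state and time of day, and the score is weighed against the data’s sensitivity and the account’s privilege level. The trusted networks, countries, business hours and risk thresholds are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed policy inputs for this example (assumptions, not values from the page).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
TRUSTED_COUNTRIES = {"US", "GB"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))
# Risk an access may carry before MFA step-up is required, by data sensitivity.
RISK_BUDGET = {"public": 4, "internal": 2, "confidential": 1}
MAX_RISK = 5  # at or above this score, deny regardless of sensitivity


@dataclass
class AccessRequest:
    user: str
    is_admin: bool          # privileged accounts get the tightest threshold
    data_sensitivity: str   # "public", "internal" or "confidential"
    managed_device: bool    # managed vs. unmanaged device
    source_ip: str
    country: str            # trusted vs. untrusted location
    local_time: time        # time of day of the attempt


def context_risk(req: AccessRequest) -> int:
    """Score the contextual factors: network, location, device state, time of day."""
    score = 0
    if not any(ip_address(req.source_ip) in net for net in TRUSTED_NETWORKS):
        score += 1  # off the corporate network
    if req.country not in TRUSTED_COUNTRIES:
        score += 2  # untrusted geography
    if not req.managed_device:
        score += 2  # unmanaged device: no MDM posture to rely on
    start, end = BUSINESS_HOURS
    if not start <= req.local_time <= end:
        score += 1  # outside business hours
    return score


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step-up' (require MFA) or 'deny' for the request."""
    risk = context_risk(req)
    if risk >= MAX_RISK:
        return "deny"
    # Confidential data is never released to an unmanaged device, whatever else is true.
    if req.data_sensitivity == "confidential" and not req.managed_device:
        return "deny"
    # Privileged accounts must step up on any deviation from a fully trusted context.
    budget = 0 if req.is_admin else RISK_BUDGET[req.data_sensitivity]
    return "step-up" if risk > budget else "allow"
```

The same scoring can be driven from a CASB’s device-posture and geolocation signals instead of the constructed inputs shown here.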

Threat protection is the final pillar of a CASB, which combines UEBA with machine learning to sift through billions of events and data points to detect even the most surreptitious threats. Where CASBs truly shine, however, is in their ability to correlate anomalous activity within Office 365 with events originating in other cloud applications to accurately identify instances of insider threats or compromised accounts. CASBs are also used to detect malware and ensure that it does not proliferate throughout the organization via cloud services like O365.

[1] How to Enhance the Security of Office 365, Steve Riley, Gartner.