Office 365 is now the most popular enterprise cloud service by user count and Microsoft is just getting started. A recent analysis found that while Office 365 has a foothold in 91.4% of enterprises, just 22.3% of enterprise users have been migrated to Microsoft’s cloud-based productivity suite. Studies continue to find that concerns about security are the single greatest barrier holding back cloud adoption. Perhaps with good reason; 17.1% of files in OneDrive and SharePoint Online contain sensitive information including payment cards numbers, Social Security numbers, business plans, financial records, and even user passwords.

With Morgan Stanley projecting that cloud products will comprise 30% of Microsoft’s revenue by 2018, the cloud leader has made significant investments in security. In this post, we’ll examine Office 365 built-in security capabilities in detail – both capabilities enabled by default as well as capabilities customers can configure in order to take full advantage of what Office 365 offers. Microsoft also works with an ecosystem of security partners to deliver more security options for Office 365 customers requiring an additional layer of protection. We’ll review some of the capabilities customers can find through third parties including CASBs.

The Definitive Guide to Office 365 Security

Learn common security pitfalls enterprises encounter in Office 365 deployments and detailed best practices for making the most of Microsoft’s built-in security capabilities.

Download Now

Security of data in the cloud is one of the biggest concerns for IT departments looking to take advantage of cloud computing. The explosion of cloud usage, which has coincided with the rise in mobile device use and BYOD policies has brought with it a plethora of cost savings along with data security risks.

When it comes to cloud services such as Office 365, enterprises want to know the location of their data, whether they are being compliant with regional laws and regulations, and whether the security controls are on par with what they can achieve with their on-premises infrastructure. 61% of companies see compliance with regulations as a major barrier to cloud adoption. This is especially true when an organization has export-protected data and wants to make sure that data doesn’t cross national borders without certain security and privacy guarantees.

The upcoming EU General Data Protection Regulation, which will introduce extensive requirements for any organization doing business in Europe, highlights different standards of data security. Since Microsoft may be compelled to produce data under court order in other jurisdictions such as the United States, which can violate EU data protection laws, some enterprises may seek additional security features to supplement Office 365.

For these reasons and more, Microsoft has invested significant resources in building its security stack. At the same time, Microsoft has partnered with third-party security vendors to provide additional layers of security for organizations with more complex requirements.

What Microsoft Offers: Office 365 Service-Level Security

Microsoft breaks down the service-level security built into Office 365 into physical, logical, and data layers. The capabilities that are built into Office 365 without requiring any customization or third party vendors are extensive, and extend far beyond what the typical cloud provider offers. In some cases they extend beyond the security controls enterprises can support for applications running in their own data centers. Enterprise-grade cloud applications such as Office 365 take advantage of pooled security resources delivered by a company whose core competency is maintaining high availability and security for these applications.

Physical Layer – facility and network security

Microsoft starts by providing security for the physical access of the data. Microsoft stores its customer data in data centers distributed geographically, restricts access to the data centers job function, and uses physical security measures such as badges, smart cards, biometric scanners, motion sensors, security officers, video surveillance as well as two-factor authentication.

At the network level, Microsoft only allows connections that are necessary for the systems to operate, blocking other ports, protocols and connections. Tiered Access Control Lists and firewall rules put security restrictions on communication, protocols, and port numbers. There are also security features that detect intrusions and vulnerabilities at the network layer.

Logical Layer – host, application, admin user

Microsoft has automated most of the operations performed on the hosts and apps by administrators in order to reduce human intervention. Access to Office 365 data is strictly controlled where least privilege is granted to perform specific operations by role. Microsoft’s Lock Box process greatly limits human access to data.

Microsoft employs a “Security Development Lifecycle” process to ensure every stage of Office 365 development conforms to security best practices and that its cloud services remain secure with each new release.

Microsoft employs anti-malware software to protect data from malicious applications by both detecting and preventing such software from entering the systems. If malware enters a system, Microsoft quarantines infected systems to prevent additional damage. Additionally, they perform regular updates, hotfixes, and patches.

Data Layer – data

Office 365 is a multi-tenant service. This means multiple customers use some of the same hardware resources, which is one of the primary benefits of cloud computing that allows for lower operating costs. Microsoft isolates co-tenant data through Active Directory and has other features specifically designed to secure multi-tenant environments.

Microsoft has built encryption features for Office 365 that follow industry cryptographic standards such as SSL/TLS, AES, etc. Customer-facing servers use secure sessions using SSL/TLS to secure the data in transit. Microsoft also uses BitLocker to encrypt data at rest. BitLocker drive encryption is integrated with the operating system to protect the data in case there is lost, stolen, or inappropriately decommissioned hardware in one of the company’s data centers. In some instances Microsoft goes so far as to employ per-file encryption where each encrypted file has its own key, and all future updates to the file are encrypted with new keys.

In order to protect data from security threats, Microsoft adheres to an “Assume Breach” approach. Microsoft assumes a breach has already occurred and is not known yet, while their security team attempts to detect and mitigate the threat. The assume breach mentality rests on four pillars of security:

  1. Prevent Breach – Microsoft continues to improve its built-in security features including port scanning, perimeter vulnerability scanning, system patches, network level isolation/breach boundaries, DDoS detection and prevention, and multi-factor authentication for service access.
  2. Detect Breach – Microsoft uses a form of machine learning, taking in signals from their internal system security alerts and combining it with external signals such as customer incidents to detect patterns and trigger alerts.
  3. Respond to Breach – In the case there is a security compromise, Microsoft launches its incident response process, which includes immediate termination of access to sensitive data while informing the affected parties immediately.
  4. Recover from Breach – This step returns the cloud service to operation, automatically updating and auditing breached systems to detect anomalies.

Email Threat Protection

Due to the evolving nature of the threat landscape, Microsoft offers its threat protection for Exchange Online, which goes beyond protection against spam, viruses and malware and includes:

  • Protection against unknown malware – By using a feature called Safe Attachments, Exchange Online users can be protected against malware not known to Microsoft as well as other zero-day threats. Microsoft routes all messages and attachments without a known malware signature to a sandbox environment that employs machine learning to detect malicious patterns/intent, and if none are detected, the message is delivered to its destination.
  • Real time protection against malicious URLS – This feature goes beyond the traditional security feature of Exchange Online where each message in transit is scanned to detect and block malicious URLs in an email. With threat protection, malicious URLs, even when disguised as normal URLs, can be identified/blocked, and users who click them will remain protected.
  • Robust reporting URL tracking – Office 365’s advanced threat protection also lets organizations see who is being targeted by unknown malware and malicious links, which messages are being blocked due to the unknown malware, and trace those malicious URLs in message that have been clicked.

Security Monitoring, Response, and Verification

Microsoft utilizes the Operational Security Assurance (OSA) framework to continuously monitor, identify operational risks, provide security guidelines, and ensure the guidelines are adhered to. Microsoft has made operational security a scalable process that is adaptable to industry-specific needs and the latest standards. External and internal audits of Office 365 ensure a comprehensive approach to securing applications in Office 365. Key audits include verifications of adherence to regulatory standards such as ISO 27001, SSAE 16 SOC1 Type II, and HIPAA.

Security Controlled by the Customer

Along with built-in security features, Microsoft also offers solutions that can be implemented by the customer, including:

  • Rights Management Service
  • Secure Multipurpose Internet Mail Extension (S/MIME)
  • Office 365 Message Encryption
  • Transport Layer Security (TLS) for SMTP messages for partners

Rights Management Service

Microsoft not only encrypts files but it can also apply custom policies that limit the actions users can perform on the data via its robust Rights Management Service (RMS). Azure RMS comes with Office 365 and IT admins can deploy it for an entire organization. Using Azure RMS while sharing sensitive data reduces the security risk of unauthorized individuals accessing the data.

One thing to note is that organizations cannot run Azure RMS alongside on premises Active Directory RMS. In order to use Azure RMS, AD RMS first needs to be migrated to Azure. This can be a roadblock for large enterprises with a lot of partners. If an organization collaborates with external partners (for example, by using trusted user domains or federation), the partners must also migrate to Azure RMS either at the same time or as soon as possible afterwards. To continue to access content that the organization previously protected by using AD RMS, the partners must make client configuration changes that are similar to those that the organization makes.

Office 365 Message Encryption

It’s well known that emails are sent across the Internet with about as much privacy as a postcard. Microsoft helps enterprises thwart man-in-the-middle attacks, wire-taps and other forms of data interception by letting users send and receive encrypted data. This is yet another way to ensure email messages don’t fall in the wrong hands.

Along with message encryption, Office 365 has robust anti-malware/spam controls. Office 365 protects incoming, outgoing, and internal messages from malicious software. The controls can be managed by an administrator and includes advanced spam options and company-wide blacklists and whitelists. Office 365 can also block malicious files based on file name extensions.

Secure Multipurpose Internet Mail Extension

Secure Multipurpose Internet Mail Extension is a standard for public key encryption and digital signing of MIME data that allows users to send secure emails. In this method, only the intended recipient of the email can decrypt the digitally signed message with a private key so as to protect it from being intercepted in transit or at rest.

As described in an Office 365 blog article “S/MIME differs from Office 365 Message Encryption in that it is a standard for public key encryption and digital signing of MIME data. It requires a certificate and publishing infrastructure often used in business-to-business (B2B) and business-to-consumer (B2C) scenarios. It’s also a requirement for certain government business cases. S/MIME allows a user to encrypt and digitally sign an email. It provides cryptographic security services such as authentication and message integrity. It also helps enhance privacy and data security (using encryption) for electronic messaging.”

Transport Layer Security

This is a feature most valuable to organizations with a lot of business partners. Companies can set up secure SMTP connections to their partners using Transport Layer Security (TLS).

Transport Layer Security (and SSL that came before it) are cryptographic protocols aimed at securing communication over a network by using security certificates that encrypt the connection between computers. TLS supersedes SSL. Microsoft uses TLS for Exchange Online and encrypts connections between servers. However, if a message that was sent over a TLS connection was forwarded, the message won’t actually be encrypted since TLS doesn’t encrypt the message, just the connection. Microsoft recommends using TLS when an organization wants to set up a secure channel of communication between Office 365 and another organization, such as a partner.

Federated Identity, Single Sign-On and Multi-Factor Authentication

One of the tenets of Office 365 security is its advanced access control capability. Customers have granular control over how users can access and use the services. Microsoft uses Azure Active Directory as their identity platform, but Office 365 can also be integrated with other LDAP directories such as Active Directory Federation Services or a third party secure token system.

Admins can also federate on-premises active directory so that all users whose identities are based on the federated domain can use their current corporate login to authenticate Office 365. Admins can also configure the access controls so that data can only be accessed via certain devices or can limit access from public open WI-FI.

Microsoft’s multifactor authentication feature is a must in a multi-device and cloud-first world and supports phone call, text message, or in-app notification as means to authenticate user identity. Microsoft also supports third party multi-factor authentication solutions and single sign-on vendors. Only 18.1% of cloud services offer multi-factor authentication, which can significantly reduce the risk of third parties accessing data in the cloud using a compromised login.

Data Loss Prevention

Since user error and risky behavior poses a greater threat than organized data breaches, Microsoft provides data loss prevention that can identify and protect sensitive data. For instance, sensitive data such as social security or credit card numbers can be identified in email messages, and users can be alerted via “policy tips” before they can send that message.

Office 365 Compliance

Microsoft’s Office 365 complies with several industry and government standards and regulations. Office 365 has also acquired certification with:

  • SAS 70 / SSAE16 Assessments
  • ISO 27001
  • HIPAA-Business Associate Agreement
  • FISMA/FedRAMP Authority to Operate
  • PCI DSS Level One

The US-EU Safe Harbor framework is in a state of limbo as EU lawmakers work towards a new agreement following a recent court case that ruled the current agreement is invalid. Stay tuned on how this will impact Office 365 customers in EU.

The following government regulations also impact Office 365:

  • Gramm-Leach-Bliley Act (GLBA) sets minimum security and privacy requirements for financial institutions in the US. Two of the principal regulations under GLB that affect Office 365 services are:
    • Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions.
    • Safeguards Rule requires all financial institutions to design, implement, and maintain safeguards to protect customer information, whether they collect such information themselves or receive it from other financial institutions.
  • PCI-governed data: Office 365 ordering, billing, and payment systems that handle credit card data are level one PCI compliant, but Office 365 services are not suitable for processing, transmitting, or storing PCI-governed data and should be supplemented with additional security software.

Why Some Organizations Need Additional Data Security Capabilities

Microsoft’s commitment to data security can’t be overstated, but many enterprises, especially very large ones who use several cloud services, will require greater visibility and control over their cloud services and an additional layer of protection for data transmitted to, stored, and shared in SharePoint Online, OneDrive, and Exchange Online.

Supplementing Office 365 Encryption

As previously mentioned, Microsoft isn’t immune to government subpoenas. Things such as blind subpoenas not only put an organization’s data at risk, but due to the nature of the subpoena, neither the affected company nor its customers will ever become aware of the data leakage. Even when the cloud provider encrypts data, government agencies can demand the encryption key.

One way companies are beginning to combat this is by using encryption solutions that allow them to maintain control over the encryption keys used to protect their data in the cloud. While Microsoft does not currently offer this capability, the company partners with third-party cloud encryption providers that make it possible for customers to use their own encryption keys, so that no third parties have the ability to read the data stored in Office 365.

Correlating Threat Data Across Cloud Platforms

Although Microsoft looks at past data to identify potential data threats, a more accurate way would be to look at data across cloud service providers. For example, a user who downloads sensitive data from SharePoint may then upload that data to their personal Google Drive account or a Shadow IT file sharing service like 4shared.com and use the secondary file sharing service as a vector for data exfiltration. This type of activity will not be visible within Office 365.

One DLP Policy for Every Cloud Service

Given that the average enterprise uses over 1,000 distinct cloud services, it’s in the best interest of an organization to have a central control point for DLP rules as well as the remediation actions. If an enterprise uses Salesforce.com as their CRM, Box as their collaboration and file sharing service while using Office 365 for their email needs, the same DLP rules should apply to all three, and any change made to the rules should propagate to every cloud service in use without manually updating each instances of the rule in each cloud service. The same logic applies to access controls as well as the remediation action for DLP and collaboration violations.

Standardizing on Office 365

There are a lot of redundant cloud services being used by employees in today’s enterprises. The average organization uses 171 collaboration services and 57 file sharing services. In order to realize the security benefits of Office 365, IT professionals must be able to see who’s using what, assess the risk of those services, and coach users to the corporate standard, Office 365.