Microsoft Office 365 has become incredibly popular because of the mobility and collaboration it enables. With Office 365, companies always have the latest versions of Excel, Word, PowerPoint and Outlook, as well as cloud-based collaboration and productivity platforms OneDrive, Exchange Online, Yammer, and SharePoint Online. Skyhigh’s research has found that 87.3% of enterprises have at least 100 active Office 365 users, but just 6.8% of corporate users have migrated to Office 365.
Whether you are evaluating Office 365, have deployed it to all users, or are somewhere in between, we’ve distilled some key best practices our customer success team has picked up while working with over 500 enterprises to securely enable the cloud. These practices, drawn from what other companies actually do, will help you get the most from your deployment and keep meeting your security, compliance, and governance requirements as data moves to the cloud.
Microsoft has invested heavily in the service-level security of the Office 365 platform: it hardens the platform against intrusions and cyber attacks, making Office 365 one of the 8.1% of cloud services that earn Skyhigh’s highest CloudTrust Rating of Enterprise-Ready. Under the shared responsibility model, though, Microsoft secures the platform itself and leaves it to the customer to govern identities, access and sharing settings, and to ensure users don’t handle data in ways that expose the organization to risk.
There are four best practices organizations can build into their Office 365 processes to gain visibility into the actions users take within these applications, to protect data both from third parties using compromised login credentials and from negligent or malicious insiders, and to meet regulatory compliance requirements.
1. Gain visibility into how employees use Office 365
Office 365 is home to sensitive corporate data. 17.4% of documents in OneDrive and SharePoint Online contain sensitive data. Combine that with the fact that the average enterprise collaborates with business partners via OneDrive and SharePoint, and it becomes clear that IT security teams need greater visibility into how employees are using and sharing data stored in Office 365.
Our own customer data shows evidence of risky user behavior. Across OneDrive and SharePoint Online, we found that 18% of shared files are shared with a personal email address such as Gmail or Hotmail. To complicate matters further, the average enterprise has 143 files with the word “password” in the file name on OneDrive. If one of those files is accidentally shared with the wrong person, it could expose the organization to a data breach. IT professionals are not immune from this behavior.
Considering that the average enterprise uses 61 file-sharing services, and many of those services lack basic security controls, it is a best practice to know what those services are and to coach users to move to the more secure Office 365. At the same time, the IT security team needs to understand where sensitive data is stored in Office 365 and who is sharing with whom. IT security professionals must be able to answer the following questions:
- How many file-sharing and collaboration services are we using, and what is the risk of each?
- Which types of sensitive data are uploaded to Office 365, and where is it being stored?
- What activities are occurring within Office 365 and which ones are admin vs. user-driven?
- Which outside third parties are given collaborator access to Office 365 and what level of access do they have?
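As an added example (not Skyhigh’s code or a product feature), the following Python script answers the sharing questions above over a constructed list of share records. The record fields, the corporate domain contoso.com, and the short list of consumer webmail domains are assumptions for illustration; in practice you would feed it the sharing links exported from the tenant.

```python
"""Inventory of OneDrive/SharePoint sharing: who gets access, and to what."""
import re
from collections import Counter

# Assumption: a small illustrative list of consumer webmail domains.
PERSONAL_EMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
# File names that suggest stored credentials, e.g. "passwords.xlsx" or "vpn-credentials.txt".
RISKY_NAME = re.compile(r"passw(?:or)?d|credential|secret", re.IGNORECASE)

# Constructed sample share records (simplified fields, not the exact audit-log schema).
# shared_with=None models an "anyone with the link" share.
SHARES = [
    {"file": "/sites/Finance/Q3-forecast.xlsx", "owner": "ann@contoso.com",
     "shared_with": "bob@partner.example", "access": "edit"},
    {"file": "/personal/ann/passwords.xlsx", "owner": "ann@contoso.com",
     "shared_with": "ann.smith@gmail.com", "access": "view"},
    {"file": "/sites/HR/onboarding.docx", "owner": "cho@contoso.com",
     "shared_with": "dee@contoso.com", "access": "edit"},
    {"file": "/sites/IT/vpn-credentials.txt", "owner": "cho@contoso.com",
     "shared_with": None, "access": "view"},
    {"file": "/sites/Legal/NDA-template.docx", "owner": "eve@contoso.com",
     "shared_with": "frank@HOTMAIL.com", "access": "view"},
]


def classify_recipient(recipient, corporate_domains):
    """Return 'anonymous', 'internal', 'personal' or 'external' for a share target."""
    if not recipient:
        return "anonymous"
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in corporate_domains:
        return "internal"
    if domain in PERSONAL_EMAIL_DOMAINS:
        return "personal"
    return "external"          # a partner or other business domain


def is_risky_filename(path):
    """True when the file name itself suggests it holds credentials."""
    return bool(RISKY_NAME.search(path.rsplit("/", 1)[-1]))


def audit_shares(shares, corporate_domains):
    """Summarize recipients by class and list the shares that need follow-up."""
    by_class = Counter()
    findings = []
    for share in shares:
        cls = classify_recipient(share["shared_with"], corporate_domains)
        by_class[cls] += 1
        risky = is_risky_filename(share["file"])
        # Unaccountable recipients (anonymous links, personal mailboxes) are always
        # findings; credential-looking files are findings whenever they leave the tenant.
        if cls in ("anonymous", "personal") or (risky and cls != "internal"):
            findings.append({"file": share["file"], "owner": share["owner"],
                             "recipient_class": cls, "access": share["access"],
                             "risky_name": risky})
    total = len(shares)
    return {
        "by_class": dict(by_class),
        "external_shares": total - by_class["internal"],
        "personal_share_ratio": by_class["personal"] / total if total else 0.0,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_shares(SHARES, {"contoso.com"})
    print("recipients by class:", report["by_class"])
    for f in report["findings"]:
        flag = " [credential-like name]" if f["risky_name"] else ""
        print(f"{f['recipient_class']:>9} {f['access']:<4} {f['file']} owner={f['owner']}{flag}")
```

The two numbers the report returns, the share of links going to personal mailboxes and the count of shares leaving the tenant, are exactly the figures quoted above for the average enterprise; the findings list is what a coaching or remediation workflow would consume.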
2. Protect data stored in Office 365 from internal and external threats
The average organization experiences 9.3 insider threats each month. These include negligent employees downloading data from a secure cloud service such as OneDrive and uploading it to a high-risk cloud service such as FreakShare, as well as employees who deliberately steal sensitive data. Moreover, the average company experiences 5.1 incidents each month in which a third party uses a stolen or guessed password to gain access to corporate data in a cloud service.
Enterprises need to put in place the processes and tools to gather actionable data on insider threats and compromised accounts so that the right remediation can be taken immediately. This also means IT security teams should know who the privileged users and admins are and ensure their accounts aren’t compromised. One way to do this is to record all user and admin activity so that it is available for forensics.
To achieve this, the IT security team must be able to answer the following questions:
- Are there behavioral anomalies, such as excessive downloads of confidential information, that indicate an insider threat?
- Are there behavioral anomalies, such as repeated logins from an unusual geography, that indicate a compromised identity?
- Do users have the permissions that are appropriate for their current job?
- Can we access an audit trail of all user and admin activity in Office 365 should an investigation require it?
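The first two questions are answerable only if the audit trail in the last question exists and something reads it. As an added example (not Skyhigh’s code or any product’s detection engine), the Python below runs two simple checks over constructed audit events: a per-user download baseline that flags a sudden bulk download, and a login check that flags both a never-seen country and two countries within a window too short for travel. The event fields are simplified and assumed, the thresholds are illustrative, and the IP addresses come from the documentation ranges.

```python
"""Behavioral anomaly checks over Office 365-style audit events."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_events():
    """Constructed audit events (simplified fields): six days of logins and downloads
    for two users, then one impossible-travel login and one never-seen country."""
    events = []
    base = datetime(2024, 3, 4, 9, 0)
    for d in range(6):
        day = base + timedelta(days=d)
        for user in ("ann", "bob"):
            events.append({"time": day.isoformat(), "user": user, "op": "UserLoggedIn",
                           "country": "US", "ip": "198.51.100.10"})
            downloads = 120 if (user == "ann" and d == 5) else 8   # ann's bulk grab on day 6
            for k in range(downloads):
                events.append({"time": (day + timedelta(minutes=k)).isoformat(), "user": user,
                               "op": "FileDownloaded", "country": "US", "ip": "198.51.100.10",
                               "object": f"/sites/Finance/doc{k}.docx"})
    # ann "logs in" again 90 minutes later from a different country and address
    last = base + timedelta(days=5)
    events.append({"time": (last + timedelta(minutes=90)).isoformat(), "user": "ann",
                   "op": "UserLoggedIn", "country": "RU", "ip": "203.0.113.5"})
    # bob logs in a day later from a country he has never used before
    events.append({"time": (base + timedelta(days=6)).isoformat(), "user": "bob",
                   "op": "UserLoggedIn", "country": "DE", "ip": "203.0.113.77"})
    return events


def excessive_downloads(events, min_count=50, multiplier=5):
    """Flag (user, day, count, baseline) where a day's FileDownloaded count is both
    above an absolute floor and far above that user's own median daily count so far."""
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["op"] == "FileDownloaded":
            per_day[e["user"]][datetime.fromisoformat(e["time"]).date()] += 1
    alerts = []
    for user, days in per_day.items():
        history = []
        for day, n in sorted(days.items()):
            baseline = median(history) if history else 0
            if n >= min_count and n > multiplier * max(baseline, 1):
                alerts.append((user, day.isoformat(), n, baseline))
            history.append(n)
    return alerts


def unusual_logins(events, max_hours=6):
    """Flag logins from a country the user has never used, and country changes that
    happen faster than travel allows (two countries within max_hours)."""
    logins = defaultdict(list)
    for e in events:
        if e["op"] == "UserLoggedIn":
            logins[e["user"]].append((datetime.fromisoformat(e["time"]), e["country"], e["ip"]))
    alerts = []
    for user, rows in logins.items():
        seen, prev = set(), None
        for t, country, ip in sorted(rows):
            if prev and prev[1] != country and t - prev[0] < timedelta(hours=max_hours):
                alerts.append((user, t.isoformat(), country, ip, "impossible-travel"))
            elif seen and country not in seen:
                alerts.append((user, t.isoformat(), country, ip, "new-country"))
            seen.add(country)
            prev = (t, country)
    return alerts


if __name__ == "__main__":
    evts = build_sample_events()
    for a in excessive_downloads(evts):
        print("insider-threat candidate:", a)
    for a in unusual_logins(evts):
        print("compromised-identity candidate:", a)
```

The baseline is per user rather than a fleet-wide number so that a power user’s normal day does not trip the alarm, and the absolute floor keeps a new account with no history from alerting on its first handful of downloads. Both checks require that the audit log is retained long enough to build a baseline, which is the operational reason behind the last question above.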
3. Audit sensitive data in Office 365 and take action to meet compliance requirements
Since nearly 18% of files uploaded to Office 365 contain sensitive data, it’s easy to see why regulatory compliance should be a top-of-mind concern for security professionals. 2.2% of data uploaded to Office 365 contains protected health information regulated by HIPAA-HITECH; HIPAA violations carry steep penalties and can even lead to jail time. A further 9.2% of uploaded files contain confidential data such as financial records, business plans, trading algorithms, and trade secrets.
IT security professionals must be able to answer the following questions:
- Are we compliant with PCI DSS, HIPAA-HITECH, GLBA, SOX, CIPA, FISMA, and FERPA today?
- Are we in compliance with international data residency requirements today?
- Which DLP policies do I need to enforce within Office 365 to ensure compliance with industry regulations and privacy requirements moving forward?
- Are our cloud DLP policies consistent with the DLP policies we enforce on-premises?
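Every one of these questions starts with recognizing regulated content when it is uploaded or shared. As an added example (not Skyhigh’s code or a vendor DLP engine), the Python below implements two of the detectors such a policy would rely on, a Luhn-validated card number check for PCI DSS and a US SSN pattern, and maps the result to a sharing decision. The policy table, the recipient classes and the sample text are assumptions for illustration.

```python
"""Content classification for DLP policy decisions: card numbers (Luhn-checked) and SSNs."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, bounded by non-digits.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in dashed form, excluding area, group and serial values that are never issued.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn check-digit validation; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Card-number candidates that also pass Luhn; cuts false positives from order ids etc."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


def find_ssns(text):
    return SSN.findall(text)


def classify(text):
    """Return the regulatory labels a document triggers and the matches behind them."""
    pans, ssns = find_pans(text), find_ssns(text)
    labels = set()
    if pans:
        labels.add("PCI")      # cardholder data -> PCI DSS
    if ssns:
        labels.add("PII")      # government identifiers -> GLBA / state privacy rules
    return {"labels": labels, "pans": pans, "ssns": ssns}


def dlp_decision(text, recipient_class):
    """Assumed policy for illustration: regulated content may not leave the tenant;
    regulated content that stays internal is allowed but logged for audit."""
    labels = classify(text)["labels"]
    if not labels:
        return "allow"
    if recipient_class != "internal":
        return "block"
    return "allow-and-log"


# Constructed sample document text: one real-looking card number, one lookalike that
# fails Luhn, one SSN-shaped value, and one value the SSN rules exclude.
SAMPLE = (
    "Refund to card 4111 1111 1111 1111 approved; reference 1234 5678 9012 3456 is an order id, "
    "not a card. Employee SSN 078-05-1120 on file; ticket 000-12-3456 is not an SSN."
)

if __name__ == "__main__":
    print(classify(SAMPLE))
    print("share to partner.example:", dlp_decision(SAMPLE, "external"))
    print("share inside the tenant:", dlp_decision(SAMPLE, "internal"))
```

Pattern matching alone is not a compliance answer: the Luhn step is what keeps order numbers and phone numbers out of a PCI report, and PHI has no such checksum, so HIPAA detection in practice combines identifiers with medical terms and context rather than a single regex. The same `classify` function should back both the cloud and the on-premises policy so the last question above is answered by construction.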
4. Secure your data using encryption and tokenization while preserving key functionality such as search
In some cases, organizations look to encrypt data using encryption keys they control so that no third party, not even the cloud provider, can read their information. Data protection policies and regulations can require it, and it is one of the most effective ways of protecting data in case it falls into the wrong hands: without the key, a leaked or subpoenaed copy is unreadable. However, encryption shouldn’t get in the way of the end-user experience. A well-designed encryption service preserves important functionality such as search, commonly by indexing keyed tokens of the content instead of the plaintext; that is a trade-off worth understanding, because deterministic tokens reveal when two records contain the same value even though they reveal nothing about what the value is.
Enterprises should be able to answer the following questions to ensure comprehensive data protection:
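To make the search-preserving part concrete, here is an added example (not the page’s or any vendor’s implementation) of the two techniques named in the heading: a tokenization vault that swaps a sensitive field for a random token, and a keyed blind index that lets the cloud side answer keyword searches without ever holding the words or the key. Class and function names, the three documents, and the 128-bit tag truncation are assumptions for illustration, and only the standard library is used.

```python
"""Tokenization vault plus keyed blind index: search works, the cloud sees no plaintext."""
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

WORD = re.compile(r"[a-z0-9]+")


class SearchIndexServer:
    """The cloud side: stores opaque tags -> document ids. It never receives the key,
    the words, or the sensitive field values."""

    def __init__(self):
        self.postings = defaultdict(set)

    def add(self, doc_id, tags):
        for tag in tags:
            self.postings[tag].add(doc_id)

    def lookup(self, tag):
        return sorted(self.postings.get(tag, ()))


class EnterpriseKeyHolder:
    """The enterprise side: holds the key and the token vault, produces tags for indexing
    and for queries, and swaps sensitive fields for random tokens."""

    def __init__(self, index_key):
        self._index_key = index_key
        self._vault = {}    # token -> original value; never leaves the enterprise
        self._reverse = {}  # value -> token, so repeated values map to one token

    def tag(self, term):
        """Keyed, deterministic tag (truncated HMAC-SHA256): equal terms give equal tags,
        but nobody without the key can compute a tag or recover the term from one."""
        digest = hmac.new(self._index_key, term.lower().encode(), hashlib.sha256).hexdigest()
        return digest[:32]

    def tags_for(self, text):
        return {self.tag(w) for w in WORD.findall(text.lower())}

    def tokenize(self, value):
        """Replace a sensitive field with a random token; the mapping stays in the vault."""
        if value not in self._reverse:
            token = "tok_" + secrets.token_hex(8)
            self._reverse[value] = token
            self._vault[token] = value
        return self._reverse[value]

    def detokenize(self, token):
        return self._vault[token]


def build_demo():
    """Index three constructed documents; return the client, the server and the records
    as the cloud would store them (tags and tokens only)."""
    client = EnterpriseKeyHolder(index_key=secrets.token_bytes(32))
    server = SearchIndexServer()
    docs = {
        "doc1": {"body": "Q3 forecast for the Contoso trading desk", "account": "4111-1111-1111-1111"},
        "doc2": {"body": "Trading algorithm parameters, confidential", "account": "5500-0000-0000-0004"},
        "doc3": {"body": "Cafeteria menu for March", "account": None},
    }
    stored = {}
    for doc_id, doc in docs.items():
        server.add(doc_id, client.tags_for(doc["body"]))
        acct = doc["account"]
        stored[doc_id] = {"account": client.tokenize(acct) if acct else None}
    return client, server, stored


if __name__ == "__main__":
    client, server, stored = build_demo()
    print("search 'trading' ->", server.lookup(client.tag("trading")))
    print("stored doc1 account:", stored["doc1"]["account"],
          "-> detokenized:", client.detokenize(stored["doc1"]["account"]))
    rogue = EnterpriseKeyHolder(index_key=secrets.token_bytes(32))
    print("search with another key ->", server.lookup(rogue.tag("trading")))
```

The document bodies themselves would be stored encrypted under an enterprise-held key (omitted here to stay within the standard library); the index is what keeps search working once they are. The price is visible in the design: because tags are deterministic, the server can tell that doc1 and doc2 share a term and how common each tag is, which is the equality and frequency leakage mentioned above. Randomized tokens for the account field avoid that leakage but give up search on that field, which is why the two techniques are used for different data.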
- Which devices and geographies are employees accessing file-sharing services from?
- Can we define who has access to which data based on the sensitivity of the data and the user’s role, device and location?
- Can we see what data is shared publicly now, and restrict collaboration to verified business email accounts?
- Are security policies enforced uniformly across files that are shared from a computer, phone, or tablet, including mobile and sync clients?