Office 365 Security and Beyond: Part 1 of 2
Adopting a cloud platform strategy might be great for business efficiency and the wallet, but are you putting your data at risk?
Can you rely on Microsoft’s default security features to protect your data?
Have you got sensitive data and IP (Intellectual Property) in the cloud? Hackers want it!
By Paul Rummery, Securenet Consulting
If you didn’t make it to the Cloud Security Expo Europe event in London in March, we are doing a few round ups around some of the hot topics and solutions for protecting your investment and data in the ‘cloud’.
One of the most popular (though not the only) cloud platforms helping businesses reduce cost and increase workplace productivity and efficiency is Microsoft’s Office 365.
Office 365 is now entering maturity with more than 85 million active users, and businesses and organisations (SMEs and enterprises) are moving to it at a rapid rate.
Office 365 offers an alternative to on-premise systems, combining the functions of Office Applications, SharePoint File Server, Exchange Email and Lync Communications on a public cloud fabric hosted on Azure.
However, many companies have not migrated all their data to the cloud, to reap the full potential of cloud cost savings and efficiency, purely because security of data in the cloud is one of the biggest concerns for IT departments and business leaders alike.
Although Microsoft have been working very hard to incorporate security features and controls into Office 365, they still state that overall security and data protection is the responsibility of their customers.
So what we have is a situation of yet another platform for IT departments to manage, and more controls to learn and maintain in order to track and secure data. This in reality is a complex feat – relying on Office 365’s security features alone will not ensure the protection of your data. We explore some of the key points of concern that business leaders and IT management should be considering in order to protect their data and business reputation from embarrassing data leaks, hacks, theft and user dissatisfaction.
Keep advanced attacks out and sensitive data in across Exchange Online, SharePoint Online, OneDrive, even Yammer.
Microsoft gives you a base set of security controls, but you can layer additional controls on top of these to meet your own needs.
Even if you deem O365 security adequate, what assurances and measures do you have in place when data moves out of 365?
- Secure and protect your sensitive data and investment in Office 365
- Prevent data loss / leaks
- Secure other key third party cloud platforms, e.g. Amazon AWS
- Discover shadow IT, rogue collaboration and file sharing
- Secure sanctioned and unsanctioned cloud applications, collaboration and file sharing
- Advanced Threat Protection (ATP): prevent and detect threats in real time for inbound and outbound traffic
- Extend your security coverage beyond Office 365 to other third party cloud platforms / applications, users on the move and office locations
- Secure Office 365 admins, users and data
- Protect cloud email from phishing, advanced malware and spam
Being Realistic
It’s a question of workplace productivity, governance and security:
- How can I detect account breaches?
- Should I rely exclusively on Microsoft to prevent advanced threats?
- How can I make sure that content in the cloud meets compliance laws?
Decisions to move to the cloud are driven by rapid cost savings for the business, low cost of IT ownership, low cost of maintenance, convenience, competitive advantage, and user and data mobility / collaboration. However, each cloud platform comes with its own set of new challenges, controls and outputs.
As organisations replace their on-premises applications with cloud based ones, security hasn’t been given as much focus, and more of their data communications now occur outside the corporate firewall. This has resulted in reported breaches and data leakage since the platform’s inception, creating a completely new set of compliance and security concerns.
Researchers have cited that user accounts within Office 365 are compromised at least once a month, and often those are privileged user accounts.
These accounts often contain confidential data, personally identifiable information, health data or payment details. Users are also storing unencrypted files, including password files simply named ‘passwords’.
It is evident that more needs to be done to control access, meet compliance and protect customer and corporate data.
Microsoft 365 requires enhanced security technologies and controls
Microsoft have been working hard to provide security coverage and data protection in Office 365, but that is the extent of the scope and coverage. The level of protection also depends on the package you invest in. While 365 comes with all the benefits of a hosted service with financially-backed SLAs, there are some concerns. According to Microsoft, “Using Office 365 service offerings may increase your organisation’s Internet traffic, so it is important to evaluate and assess the network impact of the services.”
As office applications move into the cloud and its users connect through encrypted SSL/TLS channels, traditional on-premise security appliances cannot effectively scale to provide security and visibility into network traffic.
“Some network hardware may have limitations on the number of concurrent sessions that are supported.”
Microsoft Office 365 creates multiple connections from the client to the Microsoft data centre, increasing the load on network firewalls. As a result, many organisations are forced to heavily invest in increasing MPLS (inter-business and Internet connectivity) bandwidth to mitigate network choke-points and the negative impact of increased latency on users.
When it comes to cloud services such as Office 365, enterprises want to know the location of their data, if they are being compliant with regional laws and regulations, and if the security controls are on par with what they can achieve with their on-premises infrastructure.
Organisations want to make sure that data doesn’t cross national borders without certain security and privacy guarantees.
There is the ever-present risk that Microsoft may be compelled to produce data under court order in other jurisdictions such as the United States, which can either be undesirable for UK or EU companies or violate EU data protection laws, so some enterprises may seek additional security features to supplement Office 365.
Although Microsoft has invested significant resources in building its security stack, they have also partnered with third-party security vendors to provide additional layers of security for organisations with more complex requirements.
More holistic solutions are available that protect all inbound and outbound data, guard against the uncertainty of unmanaged user devices, third party cloud applications (shadow IT), risk of platform failures or performance degradation, compliance mandates, threat of hackers, government spying and data seizures.
Office 365 Security Considerations & Solutions
Sensitive & Legal Data Discovery
Do you know where all your unstructured files reside?
Solutions locate and classify all data on-premises and in the cloud, encrypting or quarantining when required.

Rapid search and insight
Centrally manage the classification of Office 365 and on-premise documents, at rest or in motion, automatically based on the presence of sensitive data, and provide options for users to classify data as it’s created. Set business rules with your classifications to not only restrict the audience, but also restrict the actions that can be taken with classified documents (such as print, email or save as) to prevent data leakage.
Capturing and preserving email in a separate secure data repository outside the operational environment ensures it cannot be amended or tampered with, and can be kept securely for as long as necessary. Archiving capabilities and/or solutions offer the unique ability to search across live and archived data from both Exchange and Office 365, as well as PST data, providing comprehensive visibility and control of email.
Again, provide insight and report on status and compliance violations to stakeholders.
Email Security & Management
Information protection for hosted email services
Centralise security functions with the rest of your infrastructure and your organisation’s policies by supplementing Microsoft Office 365 with third party solutions that layer additional capabilities on top of Microsoft’s offering:
- Advanced archiving and eDiscovery capabilities that exceed the native Office 365 archiving features
- Malicious Link Protection
- Data Loss Prevention
- Email Encryption
Email Encryption
Secure your email communications by encrypting messages that contain sensitive data. Although encryption is now provided by O365, a separate service might be advantageous for certain enterprises who wish to ensure their data is not exposed to government officials in the event Microsoft is forced under court order to release its encryption keys to access data on O365.
- Utilise a service that offers complete end-to-end email encryption.
- Encrypt email in transit, without needing to share keys or install cumbersome software like PGP.
Mailbox continuity services limit the risk associated with potential cloud service outages, automatically re-routing email to employees.
Maintain a business continuity plan in the cloud to counter reliance on just one service (O365), which can become a single point of failure for critical email services.
- Gain uninterrupted employee email access via Outlook for Windows, Mac, mobile apps and web portal.
- 24/7 availability of mission critical email services.
Email & Data Archiving
As part of the migration process, organisations’ IT departments spend many hours trying to locate PST files that tend to be scattered throughout the enterprise. It’s one of the greatest pain points of migration. Discover PST files on network servers and end user systems, and move this data to a secure location such as Exchange Online (part of Office 365) or a message archive solution.
Migration tools help you easily and securely migrate users and mailboxes from your on-premise or private cloud Microsoft Exchange email to Office 365.
Data Loss Prevention
Content control
It is unlikely that any organisation can say for certain that all their data is secure in their newly sanctioned cloud platforms / applications. By its very nature, data will never really remain in the cloud at all times – let’s be realistic. Presently, it is safe to say data ends up being stored and copied in non-cloud places such as laptops, USB drives and local email folders, as well as in third party cloud applications.
You will need policies and controls to cover your existing infrastructure, including Office 365 applications and services.
DLP solutions can automatically inspect, classify, secure, audit and process content in Office 365 (Exchange Online, SharePoint Online and OneDrive), on-premise applications and other third party cloud platforms (hybrid environments).
Cross cloud platform data leak or threats
Users could download sensitive data from SharePoint, then upload that data to their personal Google Drive account or a Shadow IT file sharing service like 4shared.com and use the secondary file sharing service for data exfiltration. This type of activity will not be visible within Office 365.
Detect & inspect sensitive data and automatically take actions to ensure access to Office 365 content is only available to users who have permissions to the file.
Compliance
Ensure compliance with regulations such as PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA by applying comprehensive data loss prevention capabilities to new or existing content within Office 365.
Is your proxy and firewall protection being bypassed?
Prevent data leaking out of your organisation, whether deliberately or by accident.
A typical organisation can have tens, hundreds or thousands of cloud based applications. It is therefore in your best interest to have a central control point for DLP rules as well as the remediation actions.
This is essential to cover, especially if you are maintaining compliance with data protection standards, for example PCI-DSS and ISO 27001.
Email security is no longer just about hygiene, anti-virus and anti-spam, it needs to include the protection of critical information through a comprehensive data loss prevention (DLP) solution.
As part of the migration process, Microsoft may suggest that Office 365 traffic bypass web proxy infrastructure. However, it’s important to consider the security (certificate status verification, application controls, logging, malware scanning, data loss prevention), policy and compliance controls lost if Office 365 traffic bypasses the proxy.

Data loss - If Office 365 is configured to bypass the proxy, then it will bypass DLP (Data Loss Prevention) controls. For organisations with proxy-based DLP integrations, there are two core Office 365 use cases to consider: Your document files and email data.
For example, Office 365 provides limited stop and block controls, but purpose built DLP solutions can automatically remove critical information, e.g. a credit card number, while leaving the rest of the communication to continue to the destination.
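As an added illustration of the “remove the sensitive token, let the rest through” behaviour described above (example code written for this article, not Microsoft’s or any vendor’s DLP engine), the script below scans constructed sample messages for card numbers, confirms each candidate with the Luhn checksum so that ordinary long numbers such as ticket references are left alone, and masks only the confirmed card numbers while the message itself continues. The messages and the industry test card numbers are constructed for the example; the pattern, the redaction token format and the function names are assumptions, not any product’s settings.

```python
from __future__ import annotations

import re

# Constructed sample messages for the example (not from the original article).
# The card numbers are well-known industry test numbers that pass the Luhn check.
SAMPLE_MESSAGES = [
    "Hi, please charge card 4111 1111 1111 1111 for the invoice. Thanks",
    "Backup card is 5500-0000-0000-0004 if the first one fails",
    "Ticket 1234567890123456 is still open, no card involved",
    "Order ref 20170101 shipped today",
]

# Candidate primary account numbers: 13 to 19 digits, optionally separated by
# single spaces or dashes. This is deliberately broad; the Luhn check below is
# what keeps ordinary long numbers (ticket ids, phone numbers) from being cut.
# A production DLP rule would add context (keywords, BIN ranges) on top of this.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

REDACTION_TOKEN = "[CARD-REDACTED-****{last4}]"  # assumed format, not a vendor's


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card_numbers(text: str) -> tuple[str, int]:
    """Mask Luhn-valid card numbers in text and leave everything else intact.

    Returns the rewritten text and the number of card numbers removed.
    """
    removed = 0

    def _replace(match: re.Match) -> str:
        nonlocal removed
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)      # long number, but not a card: keep it
        removed += 1
        return REDACTION_TOKEN.format(last4=digits[-4:])

    return CARD_PATTERN.sub(_replace, text), removed


def process_outbound(messages: list[str]) -> list[dict]:
    """Apply the redaction to each message; the message still goes out, minus the PAN."""
    results = []
    for original in messages:
        cleaned, removed = redact_card_numbers(original)
        results.append({"delivered": cleaned, "cards_removed": removed})
    return results


if __name__ == "__main__":
    for r in process_outbound(SAMPLE_MESSAGES):
        print(r["cards_removed"], "removed ->", r["delivered"])
```

The design point is that the regular expression only nominates candidates; the checksum is what decides, so a sixteen-digit ticket number in the third message is delivered untouched while both card numbers are masked down to their last four digits.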
Document files
Document files stored on the Office 365 cloud drives and SharePoint servers may or may not be considered outside corporate data loss boundaries. It depends on the extent to which your organisation trusts Microsoft infrastructure, provides third party access (contractors, suppliers, partners etc.) to Office 365, and whether you use native Office 365 security tools such as rights management, transport rules, etc. If, after considering these factors, you decide that DLP (Data Loss Prevention) for Office 365 is required, then make sure that Office 365 traffic does not bypass your proxy infrastructure. Your ICAP DLP integration can then cover Office 365 file transfers.
Many organisations have already invested time and resource into applying complex rules for on-premise DLP and forwarding email from their Exchange server to specialist security scanning solution / services. However, Office 365 moves the Exchange server into the cloud, so firms with this architecture will need to identify if Microsoft controls are adequate for their level of security and compliance. As an example, there is a lack of outbound email quarantine in Office 365 – where there is a clear business and security need to quarantine emails that fail policy controls – such features are facilitated by third party / certified Microsoft partner solutions.
Security policy compliance
Security best practice and most enterprise security policies prohibit direct Internet access from internal network clients / computers. The common expectation is that all client traffic, including Office 365, passes through a secure proxy for traffic inspection.
Bypassing the proxy violates policy, forcing organisations to document exceptions, justify the exceptions, and accept a lower security posture for this segment of Internet traffic.
Note that Microsoft offers security capabilities as part of premium Office 365 enterprise bundles. However, this adds license cost and means having to manage two separate security systems – one for Office 365 and one for the rest of your organisation.
Safe Firewall Administration
Avoid firewall downtime, operational and availability disruption, and the financial costs associated with managing vendor / Microsoft changes.
Firewall rule sets typically limit outbound Internet access to a single (or a few) static proxy IP addresses. Bypassing the proxy, however, requires that the firewall team open holes in the firewall from all client subnets to Office 365 IPs. To assist network managers in this task, Microsoft publishes the 175+ IP addresses necessary to support Office 365. However, these addresses constantly change. From January 2014 through August 2014, they changed 216 times, and many more times since then up to the present day.
Bypassing the proxy commits your firewall team to manually synchronising a firewall rule set covering 175+ constantly changing IP addresses – forever. This is a difficult task for any firewall team. Any time the rule set falls out of sync or simple misconfigurations occur, Office 365 services can be disrupted.
Passing Office 365 traffic through a proxy completely avoids this firewall operations cost and availability risk.
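To make the synchronisation burden concrete, here is an added example (written for this article, not Microsoft’s or any firewall vendor’s tooling) that checks an egress rule set against a newly published address list and reports the two kinds of drift the text warns about: published ranges the firewall does not yet allow (these are what disrupt the service) and rules that no longer correspond to any published range (holes that should be closed). The address lists are constructed from RFC 5737 / RFC 3849 documentation ranges, not the real Office 365 list, and the rule and list formats and function names are assumptions.

```python
import ipaddress

# Constructed sample data (documentation ranges, not Microsoft's real Office 365
# list): the egress rules the firewall currently allows, and a newer published
# version of the address list that the team must now reconcile against it.
CURRENT_RULESET = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "192.0.2.16/28",
    "192.0.2.200/29",
    "2001:db8::/32",
]
PUBLISHED_LIST = [
    "203.0.113.0/24",
    "198.51.100.0/24",   # published range grew: the /25 rule no longer covers it
    "192.0.2.0/25",      # new range that no current rule covers
    "2001:db8::/32",
]


def parse(cidrs):
    """Turn CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def covered(net, rules):
    """True if net lies wholly inside some rule of the same IP version."""
    return any(net.version == r.version and net.subnet_of(r) for r in rules)


def _sort_key(n):
    # Mixed IPv4/IPv6 networks cannot be compared directly, so sort by a tuple.
    return (n.version, int(n.network_address), n.prefixlen)


def rule_drift(current_cidrs, published_cidrs):
    """Compare allowed rules with the published list.

    Returns (missing, stale) as lists of CIDR strings:
      missing - published ranges not covered by any current rule (clients that
                land on these addresses are blocked: service disruption)
      stale   - current rules not covered by any published range (open holes
                that no longer serve the service)
    """
    current = parse(current_cidrs)
    published = parse(published_cidrs)
    missing = [n for n in published if not covered(n, current)]
    stale = [r for r in current if not covered(r, published)]
    return (
        [str(n) for n in sorted(missing, key=_sort_key)],
        [str(r) for r in sorted(stale, key=_sort_key)],
    )


def in_sync(current_cidrs, published_cidrs):
    """Convenience check for a scheduled job: True only when nothing has drifted."""
    missing, stale = rule_drift(current_cidrs, published_cidrs)
    return not missing and not stale


if __name__ == "__main__":
    missing, stale = rule_drift(CURRENT_RULESET, PUBLISHED_LIST)
    print("Published ranges the firewall does not allow yet:", missing)
    print("Rules that no longer match a published range:   ", stale)
    print("In sync:", in_sync(CURRENT_RULESET, PUBLISHED_LIST))
```

Run against the constructed data this reports two missing ranges and one stale rule; on a real estate the same check would have to run every time the published list changes, which is the recurring cost the text is describing, and which sending the traffic through a proxy removes entirely.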
Performance, User Experience and Latency
Microsoft cautions that network connectivity can be severely impacted when you deploy Office 365. This creates problems for traditional enterprise WAN architectures that were designed to handle mostly internal, predictable traffic.
Accelerate Performance for Optimal User Experience
To ensure the success of your investment in Office 365, there is really only one metric that matters: user satisfaction.
Office 365 customers have seen an average increase in network utilisation of 40 percent, and that’s because each user is now generating up to 20 persistent connections. This increase can easily overwhelm firewalls and increase your transport budget. Microsoft now recommends performing capacity and network latency assessments.
Microsoft recommends limiting the number of users behind each public IP address to less than 2000 users. Aggregating too many users behind a single IP creates port exhaustion problems that degrade performance. Depending upon your network design, compliance with this recommendation can be a challenge. While this requirement could be met with network restructuring, this process can be very disruptive and expensive.
Load Balancing Cloud Applications
A load balancer can help you easily meet this requirement by load balancing users across a series of public IP addresses.
Spread the load from your users to web services, to increase service availability and performance.
- Bandwidth throttling management controls based on apps allow you to guarantee bandwidth for Office 365 traffic.
- Accelerate application delivery to users.
- Provide visibility of traffic and sessions.
- Ensure availability in the event of failure.
- Employees never lose access to MS Office 365, even in the event of site failures.
- Traffic accelerating load balancers with integrated next generation firewall technology.
- Integrated data compression and data deduplication.
Secure Your Hybrid Cloud
Link business services and availability between Office 365 and your on-premise network
Secure hybrid deployments with cloud and on-site components. Link them by deploying Active Directory Federation Services (ADFS) behind a load balancer operating as an ADFS proxy, which provides single sign-on and directory sync across the hybrid cloud.
Network Content Caching

Reduce bandwidth costs, strain on IT help desk resources and increase service performance.
Many organisations are concerned with increased bandwidth costs and latency associated with migrating from on-premise Office to Office 365 in the cloud.
No one wants users submitting help desk tickets complaining about long file uploads and downloads, slow screen refreshes and choppy communications.
Overcome poor user experience problems that are outside the control of Office 365:
- Latencies on the Internet, even those within region, can vary day-to-day and location-to-location making Office 365 performance difficult to predict.
- Out-of-region users will have their data stored in the Microsoft data center closest to where the IT team registered for the service, not the user's location.
- Roaming users still need to access their data in the data center in their native regions.
Proxy solutions provide content caching for CIFS file transfers as well as objects embedded in HTTP and HTTPS sessions. Because services in the cloud can have high latency, access to local content can make Office 365 applications much more responsive. Caching will be particularly effective in Office 365 SharePoint and other environments in which the same objects (e.g. video, pictures, presentations, etc.) are downloaded by many users. In these environments, performance can be improved by up to 25%. If Office 365 traffic bypasses the proxy, these gains are lost.
Secure Access, Identity Management & Permissions

Insider Threats: On-Premise Users, Mobile, BYOD access, Privileged Users to Office 365
Fast Track Secure User Access to Office 365
Extend user identity, privileged access, device access, single sign-on (SSO) and authentication management from your on-premise and private cloud into public cloud services such as Office 365.
Incorporate Office 365 access control into a centralised access control platform.
Automate Office 365 user accounts, assign or change licenses, and remove access when needed - all based on users and groups in Active Directory… without creating more security groups, more sites, libraries or folders.
Again, gain visibility of and audit the permissions granted across all users.
Secure access to Office 365 from any device. Enforce and update mobile security settings, and remotely lock or wipe devices.
Context based data protection
Control access to files based on contexts like user, location, device type.
Enforce fine-grained access policies, such as allowing file preview on unmanaged devices but preventing downloads to devices without appropriate endpoint security. Where downloads are allowed, encryption is applied.
Control user rights management to protect files downloaded from Office 365, so that data is protected anywhere – wherever it travels.
Control how authorised users can consume and distribute content.
For example, if a document is going to be emailed to a group and a listed recipient does not have proper access to that category of document, the email cannot be sent until that individual is removed from the distribution list. Users can also be prevented from printing and saving Microsoft Office documents outside of Office 365.
Set thresholds on user activity and monitor user behaviour.
Identify whether an alerted threat is accidental or malicious, and surface risks from dormant administrator accounts, excessive permissions, and unnecessary escalation of privileges and user provisioning.
Detect activity in Office 365 based on brute force login attempts, logins from new and untrusted locations for a specific user, and consecutive login attempts from two locations in a time period that implies impossible travel, even if the two logins occur across two cloud services. Intelligence research reveals user accounts for sale online that are at risk of compromise.
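The three detections named above, expressed as an added worked example over a constructed sign-in log (example code written for this article, not any product’s detection engine): repeated failed logins for one user inside a short window, a successful login from a country not in that user’s baseline, and two successful logins, possibly on different cloud services, whose distance and time gap imply a travel speed no flight could reach. The events, the per-user country baseline, the thresholds and the 900 km/h plausibility limit are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real tenant logs). Each event:
# (user, UTC timestamp, outcome, cloud service, country, latitude, longitude)
SIGNIN_EVENTS = [
    ("alice", "2017-03-20T09:00:00", "success", "office365",  "GB", 51.5074, -0.1278),
    ("alice", "2017-03-20T09:45:00", "success", "salesforce", "US", 40.7128, -74.0060),
    ("bob",   "2017-03-20T10:00:00", "failure", "office365",  "GB", 51.5074, -0.1278),
    ("bob",   "2017-03-20T10:01:00", "failure", "office365",  "GB", 51.5074, -0.1278),
    ("bob",   "2017-03-20T10:02:00", "failure", "office365",  "GB", 51.5074, -0.1278),
    ("bob",   "2017-03-20T10:03:00", "failure", "office365",  "GB", 51.5074, -0.1278),
    ("bob",   "2017-03-20T10:04:00", "failure", "office365",  "GB", 51.5074, -0.1278),
    ("bob",   "2017-03-20T10:05:00", "success", "office365",  "GB", 51.5074, -0.1278),
    ("carol", "2017-03-20T08:00:00", "success", "office365",  "GB", 51.5074, -0.1278),
    ("carol", "2017-03-20T11:00:00", "success", "office365",  "GB", 53.4808, -2.2426),
]

# Countries each user has previously signed in from (constructed baseline).
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}

FAILURE_THRESHOLD = 5                    # assumed: failures before alerting
FAILURE_WINDOW = timedelta(minutes=10)   # assumed: sliding window for failures
MAX_PLAUSIBLE_SPEED_KMH = 900.0          # assumed: roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0                   # assumed: ignore geo-IP jitter below this


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_anomalies(events, known_countries):
    """Run the three rules over time-ordered events and return a list of alerts."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    last_success = {}               # user -> (time, service, lat, lon)
    seen = {u: set(c) for u, c in known_countries.items()}

    for user, ts, outcome, service, country, lat, lon in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)

        if outcome == "failure":
            window = failures[user]
            window.append(t)
            while window and t - window[0] > FAILURE_WINDOW:
                window.popleft()        # drop failures older than the window
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append({"rule": "brute_force", "user": user, "at": ts,
                               "failures": len(window)})
                window.clear()          # one alert per burst, not one per attempt
            continue

        # Successful login: first check the country against the user's baseline.
        if country not in seen.setdefault(user, set()):
            alerts.append({"rule": "new_location", "user": user, "at": ts,
                           "country": country, "service": service})
            seen[user].add(country)

        # Then compare with the previous success, whichever cloud service it was on.
        if user in last_success:
            prev_t, prev_service, prev_lat, prev_lon = last_success[user]
            hours = (t - prev_t).total_seconds() / 3600.0
            distance = haversine_km(prev_lat, prev_lon, lat, lon)
            if distance > MIN_DISTANCE_KM and (hours == 0 or distance / hours > MAX_PLAUSIBLE_SPEED_KMH):
                alerts.append({"rule": "impossible_travel", "user": user, "at": ts,
                               "km": round(distance), "hours": round(hours, 2),
                               "services": (prev_service, service)})
        last_success[user] = (t, service, lat, lon)

    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SIGNIN_EVENTS, KNOWN_COUNTRIES):
        print(alert)
```

Alice’s second login is about 5,570 km from the first and 45 minutes later, on a different cloud service, so it trips both the new-location and the impossible-travel rules; Bob’s five failures inside ten minutes produce a single brute-force alert; Carol’s London-to-Manchester move over three hours is well within the speed limit and raises nothing.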
Office 365 Security Blog Part 1
- Office 365 Overview
- Data Discovery and Control
- Take care not to bypass existing security controls
- Email Security
- Email Encryption
- Email Management, Availability & Continuity
- Email Archiving
- Email Migration to Office 365 service
- Data Loss Prevention (DLP)
- Document File DLP
- Email DLP
- Prevent User Experience and Performance Latency
- Linking & Securing Hybrid Cloud Environments
- Secure Access, Identity Management and Privileged Users

- Multi Factor Authentication
- Data Encryption
- Secure Hybrid Environments
- Logging, Audit, Reporting and Security Intelligence
- Protect against advanced threats, malware, viruses, spam
- Verify Application Certificates
- Cloud Application Control
- Data Backup & Archiving – Data Protection
- MDM – Mobile Device Management
- Address Regulatory Compliance
- Secure VPN Connectivity
- Web Application Firewall
- Intrusion Prevention
- Microsoft Office 365 Professional Services & Engineering

Also see solutions to control and protect, providing enterprises with the flexibility to determine how and where users store files:
- SharePoint
- OneDrive
- File Share
- Exchange
Contact us today to discuss your requirements in more detail.
Telephone
+44(0)7714 209927
+44(0)1273 329753