Office365 security

Microsoft 365 security

Secure Your Investment in Office 365: Protection and Compliance Solutions


Moving to Office 365? 
Recently deployed Office 365?




The Challenge

Office 365 offers an alternative to on-premise systems for Microsoft Exchange, SharePoint & Lync.

As an IT professional, you understand that adopting cloud applications such as Office 365 could potentially improve employee productivity, simplify IT management and reduce overhead cost. However, each cloud application comes with its own set of challenges - Microsoft cautions that network connectivity can be severely impacted when you deploy Office 365. This creates problems for traditional enterprise WAN architectures that were designed to handle mostly internal, predictable traffic.



Microsoft 365 requires enhanced security technologies and controls

The level of protection depends on the package. While Office 365 comes with all the benefits of a hosted service with financially-backed SLAs, there are some concerns.

According to Microsoft, “Using Office 365 service offerings may increase your organisation’s Internet traffic, so it is important to evaluate and assess the network impact of the services.” As office applications move into the cloud and users connect to them through encrypted SSL channels, traditional on-premise security appliances cannot effectively scale to provide security and visibility into that traffic.

“Some network hardware may have limitations on the number of concurrent sessions that are supported.” Microsoft Office 365 creates multiple connections from the client to the Microsoft data center, increasing the load on network firewalls. As a result, many organizations are forced to heavily invest in increasing MPLS bandwidth to mitigate network chokepoints and the negative impact of increased latency on users.



Office 365 Security Considerations

Is your proxy and firewall protection being bypassed? 

As part of the migration process, Microsoft may suggest that Office 365 traffic bypass the web proxy infrastructure. However, it is important to consider the security advantages lost if Office 365 traffic bypasses the proxy: enforcement of current corporate policy and compliance requirements, certificate status verification, application controls, logging, malware scanning, data loss prevention, and reverse proxy security for hybrid deployments.


Data Loss - If Office 365 is configured to bypass the proxy, then it will bypass DLP controls. For organisations with proxy-based DLP integrations, there are two core Office 365 use cases to consider: Document Files and Email.


Document Files – Document files stored on Office 365 cloud drives and SharePoint servers may or may not be considered outside corporate data loss boundaries. It depends on the extent to which your organisation trusts Microsoft infrastructure, grants third-party access (contractors, etc.) to Office 365, and uses native Office 365 security tools such as rights management and transport rules. If, after considering these factors, you decide that DLP for Office 365 is required, then make sure that Office 365 traffic does not bypass the proxy infrastructure. Your ICAP DLP integration can then cover Office 365 file transfers.

Email – Many organisations apply on-premise DLP by forwarding email from their Exchange server to a security scanning solution / service. However, Office 365 moves the Exchange server into the cloud, so firms with this architecture will need to find another solution.



Security Policy Compliance 
Security best practice and most enterprise security policies prohibit direct Internet access from internal network clients. Common practice is that all client traffic, including Office 365, passes through a secure proxy. This guidance exists for a reason – proxies provide valuable security benefits.

Bypassing the proxy violates policy, forcing organisations to document exceptions, justify the exceptions, and accept a lower security posture for this segment of Internet traffic.



SecureNet Consulting provides single-point-of-management solutions for Data Loss Prevention (DLP), policy enforcement, logging and reporting that cover both the web and email channels.


Note that Microsoft offers security capabilities as part of the premium Office 365 enterprise bundles. However, this not only adds licence cost, it also means managing two separate systems – one for Office 365 and one for the rest of your enterprise.
 

The Office 365 security and data protection solutions below are available to bolster any of the Microsoft offerings.





Office 365 - Solution Features & Benefits

> Integration


Integrate with your enterprise file collaboration, sync and share platform.



> Certificate Verification

Due to its size and worldwide user base, Microsoft is a common target for certificate attacks. In fact, publicly known Microsoft certificate compromises occurred in 2001, 2008, and 2012.

Verify the status of Office 365 certificates in real-time. If a certificate has been compromised and revoked, you will want to block the request and alert your users.



> Web Applications 

Controls for Web 2.0 applications such as Office 365, social media, webmail, etc. These controls not only give you control over which users can access which Office 365 applications, but also over which application operations are available. For example, you could meet least privilege access requirements by allowing a contractor to access SharePoint but denying Exchange. You could further allow that contractor to download files, but prevent a SharePoint infection from an unmanaged contractor device by blocking uploads.

These controls maximise Office 365 effectiveness as a collaboration tool, while ensuring the integrity of your infrastructure.

> Content Control - Data Loss Prevention

Automatically inspect, classify, secure, audit and process content in both Office 365 (Exchange Online, SharePoint Online, and OneDrive) and hybrid environments.
  • Detect & Inspect sensitive data and automatically take action to ensure Office 365 content is only accessible to users who have permission for the file.
  • Encrypt Office 365 content immediately when sensitive information is identified. Because encryption permissions are applied at the individual file level, sensitive content can be stored, shared and collaborated on from any site or library in Office 365. Business rules and policies can be applied to an Office 365 or hybrid environment to centrally manage content security, reducing the administrative burden of managing content across multiple locations.
  • Control content distribution by setting rules for how authorised users can consume and distribute content. For example, if a document is going to be emailed to a group and a listed recipient does not have proper access to that category of document, the email cannot be sent until that individual is removed from the distribution list. Users can also be prevented from printing and saving Microsoft Office documents outside of Office 365.
  • Classify Office 365 documents at rest or in motion automatically based on the presence of sensitive data, and give users options to classify data as it is created. Set business rules on your classifications to not only restrict the audience, but also restrict the actions that can be taken with classified documents, such as print, email or save-as, to prevent data leakage.
  • Comply – Ensure compliance with regulations such as PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA by applying comprehensive data loss prevention capabilities to new or existing content within Office 365.
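The "Data Loss" discussion above and the Detect / Encrypt / Control bullets describe the decision a proxy-based or transport-rule DLP engine makes for each file or message. The following is an added example, written for this page and not SecureNet Consulting's or any vendor's code, of that decision logic: it finds card numbers (PCI DSS scope) using a Luhn check so ordinary digit runs are not flagged, finds a second constructed data class (a US-style SSN pattern), masks every match for logging, and returns allow / encrypt / block depending on whether every recipient is authorised for the content. The regular expressions, the `Finding` type, the function names and the sample message are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Candidate primary account number (PAN): 13-19 digits, optionally separated by spaces or hyphens.
# The lookarounds stop the pattern matching part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed second data class for the example: a US-style social security number.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out phone numbers, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str     # "PAN" or "SSN"
    masked: str   # what an auditor sees in the DLP log: last four characters only


def inspect(text: str) -> list[Finding]:
    """Return every sensitive-data match in text, masked so the log itself does not leak."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("SSN", "***-**-" + m.group()[-4:]))
    return findings


def policy_action(text: str, recipients: list[str], authorised: set[str]) -> tuple[str, list[Finding]]:
    """Decide what the proxy or transport rule does with a message or file.

    allow   - no sensitive data found
    encrypt - sensitive data found and every recipient is authorised for it
    block   - sensitive data found and at least one recipient is not authorised
    """
    findings = inspect(text)
    if not findings:
        return "allow", findings
    if any(r not in authorised for r in recipients):
        return "block", findings
    return "encrypt", findings


if __name__ == "__main__":
    # Constructed sample message; the card number is a well-known test number, not a real account.
    body = "Please charge card 4111 1111 1111 1111 and file SSN 123-45-6789 for the new hire."
    action, found = policy_action(
        body, ["finance@example.com", "contractor@example.net"], {"finance@example.com"}
    )
    print(action, found)   # "block": the contractor is not authorised for this content
```

The masked form, not the raw match, is what should reach the log or SIEM; a DLP system that logs the full PAN has created a second place the data has to be protected.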
 



> Layer-7 Application control

> VPN connectivity

Secure (encrypted) connections between Office 365 and your offices, branches and mobile users.



> Advanced Persistent Threats (APT) protection

> Bandwidth Shaping / QoS control

> Real-time traffic monitoring

> User activity and network traffic reporting

> Anti-virus & Anti-spam filtering

> URL protection

Destination website scanning to protect users from spear-phishing attacks.

Suspicious links are inspected at the time of click (from any device, including smartphones and tablets).


> Sandboxing & Malware Scanning  
 
Scan and sandbox content and files to detect zero-day malware and malicious code, and to prevent threats from migrating to or from Office 365 SharePoint, Office applications (Word, Excel, etc.), PDFs, Outlook Web App (OWA), and Exchange ActiveSync (mobile email).

This also improves your visibility for compliance and data loss prevention.

This is particularly valuable in environments where mobile devices that are not protected by client anti-virus software are uploading and downloading files. Malware scanning also provides protection when the Office 365 infrastructure itself is compromised. For example, login credentials can be phished from employees, or the Office 365 infrastructure itself can be compromised in any number of ways. By enabling malware scanning, you can prevent malware posted by attackers from spreading to other systems and identify which files need to be removed from Office 365 servers.


URL sandboxing (from any device, including smartphones and tablets)

> Reverse proxy for hybrid deployments

Hybrid Microsoft SharePoint deployments combine SharePoint Server resources with Office 365 SharePoint resources.

Search results from both sources can be combined to present users with a unified view of SharePoint resources in both locations. However, enabling this unified view requires inbound SSL connectivity from Office 365 to on-premise SharePoint servers.

Secure these connections by providing an inbound SSL scanning endpoint (typically a proxy device) in your DMZ, authenticating and decrypting traffic before passing it to the SharePoint servers on the internal network.

Note: Direct (non-proxied) inbound connections from Internet resources should not be allowed to reach internal resources.



> Safe Firewall Administration


Avoid the firewall downtime, operational and availability risk, and financial cost associated with tracking vendor (Microsoft) changes.

Firewall rule sets typically limit outbound Internet access to a single (or a few) static proxy IP addresses. Bypassing the proxy, however, requires the firewall team to open holes in the firewall from all client subnets to the Office 365 IPs. To assist network managers in this task, Microsoft publishes the 175+ IP addresses necessary to support Office 365. However, these addresses constantly change. From January 2014 through August 2014, they changed 216 times. Therefore, bypassing the proxy commits your firewall team to manually synchronising a firewall rule set covering 175+ constantly changing IP addresses – forever. This is a difficult task for any firewall team. Any time the rule set falls out of sync, or simple misconfigurations occur, Office 365 services can be disrupted.

Passing Office 365 traffic through a proxy completely avoids this firewall operations cost and availability risk.

 

> Network Content Caching


Reduce bandwidth costs and the strain on IT help desk resources, and increase service performance.

Many organisations are concerned with increased bandwidth costs and latency associated with migrating from on-premise Office to Office 365 in the cloud. 


No one wants users submitting help desk tickets complaining about long file uploads and downloads, slow screen refreshes and choppy communications.

Overcome user experience problems that are outside Office 365's control:

  • Latencies on the Internet, even those within region, can vary day-to-day and location-to-location making Office 365 performance difficult to predict.
  • Out-of-region users will have their data stored in the Microsoft data center closest to where the IT team registered for the service, not the user's location.
  • Roaming users still need to access their data in the data center in their native regions.
Proxy solutions provide content caching for CIFS file transfers as well as for objects embedded in HTTP and HTTPS sessions. Because services in the cloud can have high latency, access to locally cached content can make Office 365 applications much more responsive. Caching is particularly effective in Office 365 SharePoint and other environments in which the same objects (e.g. video, pictures, presentations, etc.) are downloaded by many users. In these environments, performance can be improved by up to 25%. If Office 365 traffic bypasses the proxy, these gains are lost.


> IP & Connection Load Balancing


Spread user load across your web services to improve service and performance.

> Load Balance
> Accelerate Application Delivery to users
> Data Compression
> Data Deduplication


Microsoft recommends limiting the number of users behind each public IP address to less than 2000 users. Aggregating too many users behind a single IP creates port exhaustion problems that degrade performance. Depending upon your network design, compliance with this recommendation can be a challenge. While this requirement could be met with network restructuring, this process can be very disruptive and expensive. A proxy load balancer can help you easily meet this requirement by load balancing users across a series of public IP addresses.
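The paragraph above gives a per-IP user limit and the reason for it (port exhaustion). The following is an added example, not code from this page or from SecureNet Consulting, of the sizing arithmetic and the sticky assignment a proxy load balancer performs: it computes the smallest public IP pool that keeps every address at or below the 2000-user figure quoted above, estimates NAT port use on one public IP toward one destination for a given number of concurrent connections per user, and maps each user deterministically to one IP so that a session keeps a stable source address. The 2000-user limit is the page's figure; the ephemeral port range (1024-65535), the connections-per-user values and the hash-based assignment are assumptions made for this example.

```python
import hashlib

MAX_USERS_PER_IP = 2000                  # Microsoft guidance quoted on the page
EPHEMERAL_PORTS = 65535 - 1024 + 1       # assumption: usable source ports per (public IP, destination IP:port)


def required_public_ips(users: int, max_per_ip: int = MAX_USERS_PER_IP) -> int:
    """Smallest pool of public IPs that keeps every IP at or below max_per_ip users."""
    if users <= 0:
        return 0
    return -(-users // max_per_ip)       # ceiling division without floats


def port_headroom(users_per_ip: int, conns_per_user: int, ports: int = EPHEMERAL_PORTS) -> dict:
    """Estimate NAT source-port use on one public IP toward one destination.

    Simplification (assumption): every user's connections go to the same destination IP:port,
    which is the worst case for port exhaustion.
    """
    needed = users_per_ip * conns_per_user
    return {
        "needed": needed,
        "available": ports,
        "utilisation": round(needed / ports, 3),
        "exhausted": needed > ports,
    }


def assign_source_ip(user_id: str, pool: list[str]) -> str:
    """Deterministically map a user to one IP in the pool (sticky: same user, same source IP)."""
    digest = hashlib.sha256(user_id.encode("utf-8")).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def distribution(user_ids: list[str], pool: list[str]) -> dict:
    """How many users land on each pool IP; hashing spreads evenly on average but does not
    enforce a hard cap, so size the pool with margin and check the result."""
    counts = {ip: 0 for ip in pool}
    for uid in user_ids:
        counts[assign_source_ip(uid, pool)] += 1
    return counts


if __name__ == "__main__":
    # Constructed scenario: 4500 users, 30 concurrent connections each, documentation-range IPs.
    users = 4500
    pool_size = required_public_ips(users)
    pool = [f"192.0.2.{i}" for i in range(1, pool_size + 1)]
    print("public IPs needed:", pool_size)
    print("port use per IP at 2000 users x 30 connections:", port_headroom(2000, 30))
    print("port use per IP at 2000 users x 40 connections:", port_headroom(2000, 40))
    print("user spread:", distribution([f"user{n}" for n in range(users)], pool))
```

The two `port_headroom` calls show why the user limit alone is not the whole story: 2000 users at 30 connections each fits under the ephemeral range, while 40 connections each does not, so the per-user connection count of the Office 365 clients in use has to be measured before the pool is sized.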


> Identity & User Access Management


Fast Track Secure User Access to Office 365


Extend user identity, privileged access, device access, single sign-on (SSO) and authentication management from your on-premise and private cloud into public cloud services such as Office 365.


Two-Factor Authentication
Extend simple username-and-password logins with an extra two-factor / one-time-password authentication layer.


Password Management & Authentication
Strong dynamic passwords.
 

Single Sign-On (SSO)
  • The authentication service also offers additional convenience and increased productivity by enabling single sign-on for web-based applications that support SAML.
  • Active Directory-based single sign-on, user provisioning and mobility management for Office 365.
  • Hybrid deployments combine secure cloud and on-site components. Linking them by deploying Active Directory Federation Services (ADFS) behind a load balancer operating as an ADFS proxy provides single sign-on and directory sync across the hybrid cloud.
Audit 
Track and audit user access management, roles and policies.



> MDM (Mobile Device Management)
 

Utilising the controls of an MDM solution expands the overall capability and benefits of Exchange Online and minimises security risks.

Exchange Online provides access and synchronisation of corporate email, contacts, calendars, and tasks to mobile devices.

  • Single view of all devices syncing email 
  • Automatic compliance enforcement 
  • Selective wipe, lock and unlock actions 
  • Device-level view of installed apps, jail-broken or rooted devices

Securely share and manage documents on mobile devices

  • Document life-cycle management
  • Document-specific sharing restrictions
  • Users are alerted when new or updated content appears

> Email Migration Service (SaaS)


Helps you easily and securely migrate users and mailboxes from your on-premise or private cloud Microsoft Exchange email to Office 365.



> Email Security & Management

Information Protection for Hosted Email Services 
Microsoft Office 365 customers will need to use third party offerings to either supplement or replace the capabilities in Microsoft’s offering.
  • Advanced archiving and eDiscovery capabilities that exceed the native Office 365 archiving features.
  • Malicious link Protection


> Email Availability & Continuity
  • Provide uninterrupted employee email access via Outlook for Windows, Mac, mobile apps and web portal. 
  • 24/7 availability of mission critical email services.


> Email Encryption

Secure your email communications by encrypting messages that contain sensitive data. Utilise a service that offers complete end-to-end email encryption.

Encrypt email in transit, without needing to share keys or install cumbersome software like PGP.



> Email & Data Archiving

As part of the migration process, IT departments spend many hours trying to locate PST files, which tend to be scattered throughout the enterprise. It is one of the greatest pain points of migration. Discover PST files on network servers and end user systems, then move this data to a secure location such as Exchange Online (part of Office 365) or a message archive solution.


> Legal & eDiscovery

Rapid Search and Insight
Capturing and preserving email in a separate secure data repository outside the operational environment ensures it cannot be amended or tampered with, and can be kept securely for as long as necessary. Archiving solutions offer the unique ability to search across live and archived data from both Exchange and Office 365, as well as PST data, providing comprehensive visibility and control of email.



> Regulatory Compliance

Enable use of Microsoft's productivity tools anywhere while meeting data security, compliance, and governance requirements.
  • Ensure compliance with regulations such as PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA by applying comprehensive data loss prevention capabilities to new or existing content within Office 365.
  • Cloud application delivery (traffic / application optimisation).
  • Exchange to Office 365 Cloud data migration.
  • E-discovery (identify and finger print documents and files).
  • Track the entire lifecycle of Office 365 documents (read, emailed, or printed and by whom).
  • Secure email storage and archiving with ISO27001, EU Safe Harbor and SSAE Type 2 certification.
  • Address PCI DSS, HIPAA and GLBA: protect data from improper disclosure with pre-built and customisable checks of structured data that accurately detect sensitive information and make it easier to comply with regulatory requirements.
  • Enforce retention policies and perform supervisory review of email to ensure that the organisation is in compliance with these regulatory policies.




Linking services and availability between Office 365 and your on-premise network

Hybrid deployments combine secure cloud and on-site components. Linking them by deploying Active Directory Federation Services (ADFS) behind a load balancer operating as an ADFS proxy provides single sign-on and directory sync across the hybrid cloud.



> SharePoint & OneDrive File Share Control

Providing enterprises with the flexibility to determine how and where users store files.

Allows users to access and edit their SharePoint Online and OneDrive for Business accounts.



> Logging & Reporting

Compliance-based event and log management.


> Microsoft Office 365 Professional Services / Engineering





If you want to implement one or more of the solution features presented above, contact us today to book a meeting.



P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk