Office 365 security challenges and how to solve them
To understand the Office 365 threat landscape, take stock of the application features and programs available at the license level of the organization's subscription.
Many companies moved to Office 365 for one reason -- to get Microsoft Exchange servers, and all the related headaches, out of their data centers. While email was no doubt the initial draw, its function -- although fundamental -- wound up as just another product in a family of fairly complete collaborative applications.
To that end, when evaluating Office 365 security challenges, it's important to examine all the applications within the suite -- and not just concentrate on email.
Plethora of programs anchor Office 365
Primary products with Office 365 are SharePoint and OneDrive. SharePoint is a content management system that is now nearly 20 years old. OneDrive is a more recent file storage application, along the lines of Dropbox and others. These two alone offer a lot of features -- and security challenges.
Skype for Business (formerly Lync), meanwhile, provides unified communications functions like voice over IP (VoIP), chat, conferencing and screen sharing. Yammer is a social network environment. Teams is yet another self-descriptive collaboration environment, and don't forget about Kaizala. That app was built from Microsoft's "Garage" project and is a business-oriented messaging app similar to WhatsApp.
Depending on the license level of your company's subscription, Office 365 offers additional extensions, among them Dynamics CRM, or customer relationship management; Project Server; and Visio.
The breadth and depth of these applications fuel Office 365 security challenges, which include the following:
Unused applications. The good and the bad of Office 365 is that all of the licensed applications appear to be live and available even if there is no interest in using a particular app. Each application, though, represents a separate attack surface; this means it can be susceptible to security incursions whether in use or not.
Many of the applications have a network element -- for example, chat, VoIP or file sharing -- which can usher in a network-level exposure. Identify all the unwanted Office 365 applications and make sure they are not used. The Office 365 application admin may be able to make changes that restrict availability. If the application has a unique network signature, or IP ports, the admin can try to block it at a firewall level -- with a next-generation firewall or web application firewall.
Application administration. Unsurprisingly, many of the apps have user administration features specific to the application. If these features are not secured properly, users may be able to do things that could compromise the system.
For example, if SharePoint security is lax, an unauthorized user might be able to generate SharePoint content. This is a preventable Office 365 security challenge. It is essential to set appropriate security restrictions for each user within each application. This should be the purview of an application-level administrator. Various permissions and security settings need to be examined and set for each of the Office 365 applications present.
System security. Mitigating Office 365 security challenges can be summarized as keeping bad things out and keeping good things in. The bad things are malware and phishing attacks. Only this time, the channel or path for the attack isn't an email inbox, but one of many communication channels that exist in the Office 365 suite of products.
A big part of SharePoint is what used to be called creating an intranet -- hosting files for internal team use. Should a file containing malware get posted and accessed, it could cause big problems -- and the same issue applies to OneDrive. Skype for Business, Yammer and other communications apps will likely have connectivity to the outside world. Chat and instant messaging are convenient. The chats can contain URLs and most services will have a file transfer capability built in. Both are potential avenues for malware and phishing attacks.