Tip

To secure Office 365, take advantage of controls Microsoft offers

Securing Office 365 properly requires addressing upfront any specific risks of a particular environment and taking advantage of the many security controls Microsoft offers.

With more and more organizations moving to the cloud while simultaneously making every effort to be more secure, Office 365 seems to be a natural fit. Microsoft's platform can help offload enterprise infrastructure, management and security concerns. But savvy IT and security professionals know that you can't just jump on board the cloud bandwagon without doing your due diligence, especially as it relates to security. To achieve a secure Office 365 deployment, it's important to know what to look for in terms of cloud resilience. It's just as important to know what questions to ask yourself and Microsoft to ensure that you're making the right choices, ones that will provide greater long-term risk mitigation and related benefits for your business.

I have found that with most aspects of information security, properly set expectations are half the battle. In the context of moving to the cloud with Office 365, you need to fully understand what it is you are trying to accomplish, including the following:

  • What are your specific security requirements? Are you confident that you fully understand all of them? Many organizations have yet to complete a comprehensive information risk assessment of their own environment, much less of the cloud. Will Office 365 security features help with or hinder your requirements or initiatives? Are there specific gaps identified? How do you plan to address them to ensure you are using a secure Office 365 setup?
  • Which staff members need to be on board and helping to make cloud-based security decisions? Tip: it's not just IT and security. Other important roles such as legal, internal audit, HR and operations need to be involved.
  • What security standards, policies, and procedures will need to be adjusted to help govern Office 365 usage and compliance? This would likely include security testing, data loss prevention, incident response, data backups and patch management. In addition, contracts and business associate agreements may need to be reviewed and tweaked.
  • What do you have to secure in Office 365 (e.g., intellectual property and personally identifiable information)? What are you trying to protect it against (e.g., hackers, rogue employees, denial-of-service attacks, etc.)? Will your existing tools -- or anything else that Office 365 has to offer -- measure up?
  • How can you be certain yours is a secure Office 365? How will you know what's working and what's not? Do you have adequate visibility of and control over the important areas of security, such as monitoring and alerting, incident response, and business continuity?

If your goal is to ensure a secure Office 365 environment, these are all considerations that you must not take lightly. Microsoft has a planning resource for Office 365 that may spurn additional ideas about how security must be addressed. If you have already deployed Office 365 in any capacity, one quick check that you can do now to get immediate security feedback is to run Office 365 Secure Score. Secure Score will analyze your current Office 365 configuration and provide recommendations for improvements, such as the following:

  • Enable multifactor authentication.
  • Enable audit data recording.
  • Review sign-ins and role changes.
  • Review mailbox rules periodically.
  • Disable accounts not used in the last 30 days.
  • Require mobile devices to use encryption.

Microsoft has also created the Office 365 Trust Center to help address security concerns that you might have about their cloud solution. Additionally, their Office 365 security and compliance site has a lot of good information that can help answer questions and provide insight into how you can integrate Office 365 with your existing information security program. The important thing is to continue asking the right questions, keeping in mind the best interests of your organization.

Economist Thomas Sowell once said, "It takes considerable knowledge just to realize the extent of your own ignorance." Looking at this in the context of cloud security and a successful -- and secure -- Office 365 implementation, there will be oversights and mistakes that create security risks. That's OK, as long as you acknowledge them and do what you can to eliminate them or minimize their impact on your business. Office 365 offers tremendous value -- not only in terms of traditional cloud computing but also with security -- if you take advantage of the controls that Microsoft offers. It's up to you to ensure that risks are identified and addressed both now and into the future.

Next Steps

Consider launching an organization-wide app security program

More on cloud-related security concerns and what to do about them

What countermeasures can you take when faced with mobile data loss?

Dig Deeper on Application and platform security