
Securing Office 365? There's always more you can do

Don't just accept the defaults and hope for the best

Are we spotting a trend here?

We've been talking so far about augmenting Office 365 with security features that don't come as standard, or that do come with the system but are perhaps not so attractive as those of separate products whose developers are more focused on the subject area. The thing is, though, that aside perhaps from the discussion on backups, few of these supposed shortcomings are unique to Office 365 – they exist in on-premise setups too. And that makes sense: we're not saying Office 365 is particularly deficient, just that the whole reason all these third-party products and services exist is that you can't reasonably expect Microsoft (or any other of your vendors) to have a perfect solution in every specialist field of security as part of its office suite.

What do the Office 365 experts think?

Aonghus Fraser, CTO at C5 Alliance, echoes the idea that the service has its own features but they're not the whole story. He notes: “There are a number of areas that should be considered – some are in addition to Office 365 but there are also newer or lesser-known security features or services that can complement that native Office 365 security and cover all bases”.

Endpoint security's high on his list. “Whilst there is protection at the server-side for O365 including Exchange and SharePoint Online, it is recommended that a strategy for endpoint protection for devices is implemented. This can range from leveraging native O365 & Microsoft services such as InTune to ensure that a minimal level of patching and AV is enabled (using Windows Defender) to third party solutions such as Sophos Endpoint which can work on devices and in conjunction with firewalls to detect and isolate compromised devices”.

Following up his point about new features that wink into existence, he cites a recently introduced built-in feature: “Advanced Security Management is a new service providing global and security administrators with the facility to detect anomalies in your tenant – alerts for abnormal behaviour, and alerts for activities that might be atypical. Examples could include logging in from unusual locations, mass download by a single user (suggesting a data leakage risk) or administrative activity from a non-administrative IP address”.
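The three alert types Aonghus lists can be pictured as simple rules over an activity log. The sketch below is an added example, not Microsoft's implementation or anything supplied by the interviewees; the record layout, user names, networks and thresholds are all assumptions made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values (hypothetical, not Office 365 settings).
ADMIN_NETS = [ip_network("192.0.2.0/24")]
USUAL_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "svc-admin": {"GB"}}
DOWNLOAD_LIMIT = 3                      # more than this many downloads...
DOWNLOAD_WINDOW = timedelta(minutes=5)  # ...inside this window raises an alert

# Constructed sample records: (timestamp, user, operation, source IP, country).
EVENTS = [
    ("2024-01-08T09:00:00", "alice", "login", "198.51.100.7", "GB"),
    ("2024-01-08T09:01:00", "bob", "login", "203.0.113.9", "BR"),
    ("2024-01-08T09:02:00", "alice", "download", "198.51.100.7", "GB"),
    ("2024-01-08T09:02:30", "alice", "download", "198.51.100.7", "GB"),
    ("2024-01-08T09:03:00", "alice", "download", "198.51.100.7", "GB"),
    ("2024-01-08T09:03:10", "alice", "download", "198.51.100.7", "GB"),
    ("2024-01-08T09:10:00", "svc-admin", "admin_change", "192.0.2.10", "GB"),
    ("2024-01-08T09:11:00", "svc-admin", "admin_change", "203.0.113.50", "GB"),
]

def detect(events):
    """Return (alert_type, user) tuples in the order the alerts fire."""
    alerts = []
    recent = defaultdict(deque)   # per-user download timestamps inside the window
    flagged = set()               # users already alerted for mass download
    for ts, user, op, ip, country in events:
        when = datetime.fromisoformat(ts)
        if op == "login" and country not in USUAL_COUNTRIES.get(user, set()):
            alerts.append(("unusual_location", user))
        elif op == "download":
            window = recent[user]
            window.append(when)
            while when - window[0] > DOWNLOAD_WINDOW:
                window.popleft()  # forget downloads older than the window
            if len(window) > DOWNLOAD_LIMIT and user not in flagged:
                flagged.add(user)
                alerts.append(("mass_download", user))
        elif op == "admin_change":
            if not any(ip_address(ip) in net for net in ADMIN_NETS):
                alerts.append(("admin_from_non_admin_ip", user))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```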

The non-technical elements

Our original request to Aonghus was for three observations, of which we've just mentioned two; the third is non-technical but absolutely key. He states: “It is essential to ensure that business policies are regularly maintained in line with Office 365 capabilities such as Multi-Factor Authentication and Data Leakage Prevention in order for security to be optimised whilst taking into account employee productivity”.

It's key to ensure your business is able to work effectively and in a governed way as you evolve into the cloud world: “An understanding of the implications on users of implementing some security measures is essential to ensure that users are well-informed and do not try to bypass the measures due to lack of understanding or usability or productivity being severely compromised. If the measures are too draconian users will find a way to circumvent them; business decisions need to align with the security recommendations in order for the right balance to be achieved”.

People as a problem

Aonghus touched on the issue of ensuring that staff are well informed and don’t try to side-step security measures, but it’s worth remembering that even with a strong staff awareness programme there’s still a risk of inappropriate inactivity. And you can’t really blame your staff for falling for the occasional phishing attack: some are so sophisticated that even the most aware staff member will be taken in eventually.

As Joe Diamond, Director of Cybersecurity Strategy at Proofpoint, puts it: “The level of social engineering to craft a convincing lure is what makes phishing so successful. We see this used across attacks that use malware, and those that don’t – such as business email compromise spoofing attacks and phishing for credentials”.

Joe continues: “While end user education serves an important role, you cannot rely on it. Focus on where your users digitally communicate the most – email, social sites, and mobile apps – and put in the protection needed to shield advanced attacks from ever reaching your end users”.

As for the complexity of attacks these days: “The attack on customers of National Australia Bank that Proofpoint recently identified is a perfect example of how to the naked eye, the emails and links were virtually indistinguishable from legitimate bank communications. The email content tricked recipients into entering credentials to verify their account and provide accounts details, before redirecting to the legitimate banking site. The URL [looked] legitimate, but a letter was swapped with Unicode and encoding in the URL hid suspicious code”.
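A link of the kind Joe describes can look right to the eye and still be caught by a mail or web filter. The check below is an added example, not Proofpoint's detection logic: it flags hostnames that mix Unicode scripts (including punycode forms) and percent-encoded markup in the path or query. The sample URLs are constructed and use the reserved .test domain.

```python
import unicodedata
from urllib.parse import urlsplit, unquote

# Decoded substrings that have no business hiding behind percent-encoding in a link.
MARKUP_TOKENS = ("<", ">", '"', "javascript:")

def decode_label(label):
    """Turn an IDNA 'xn--' label back into the Unicode a user would see."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: inspect the raw label instead
    return label

def scripts_in(label):
    """Scripts used by the letters of a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def inspect_url(url):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(url)
    for raw in (parts.hostname or "").split("."):
        scripts = scripts_in(decode_label(raw))
        if len(scripts) > 1:
            findings.append("mixed-script-host")   # e.g. Latin with one Cyrillic letter
        elif scripts - {"LATIN"}:
            findings.append("non-latin-host")
    tail = parts.path + "?" + parts.query
    decoded = unquote(tail).lower()
    if decoded != tail.lower() and any(tok in decoded for tok in MARKUP_TOKENS):
        findings.append("encoded-markup")
    return findings

# Constructed samples; \u0430 is CYRILLIC SMALL LETTER A, which renders like Latin "a".
GENUINE = "https://www.example-bank.test/login?next=%2Faccount"
LOOKALIKE = "https://www.ex\u0430mple-bank.test/verify?msg=%3Cscript%3E"

if __name__ == "__main__":
    for u in (GENUINE, LOOKALIKE):
        print(inspect_url(u) or "clean", u)
```

A wholly non-Latin hostname is legitimate for many organisations, so "non-latin-host" is a signal to weigh against the sender's expected domain rather than a verdict on its own.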

In short

Like any system of its kind, Office 365 is sufficiently secure in its basic form but there's always more you can do – either to make it easier to exploit what it inherently does or to add further layers of protection and reporting on top of what you get “out of the box”. You may decide when you move to Office 365 that you can wind down some of the extras you bolted onto your on-premise system simply because technology's moved on and the inherent provision in Office 365 is good. But any cloud email service is fair game for an attacker, because a compromise of a single system serves up multiple victims, so you're unlikely to want to throw away all the extras that can help you provide a layered security model as you evolve to a cloud setup.

Oh, and one more thing: moving to the cloud doesn't make you immune from the long-standing tradition of stereotypical bad practice. Aonghus gets the last word in this respect: “Accepting the default settings without considering whether, for example, the password expiry policy is appropriate is something that is often left – a 'hope for the best' approach or assumption that Microsoft defaults are right for you is not a good strategy where security is concerned”. Amen. ®
