When one size doesn't fit all in cloud security
'You can have any colour you want, as long as it's ours'
Sponsored You want to move from an on-premises Office suite to Office 365 in the cloud. It'll save you money in the short term and free you from providing local infrastructure. That's nice. But whoa – not so fast there. Securing cloud-based productivity systems like Office 365 takes a little forethought.
Security is front-of-mind for enterprise IT professionals deploying Office 365. In its Office 365 State of the Nation survey, which took in the opinions of 160 readers, Windows IT Pro found that security and features enhancements were priorities, with 87.5 per cent of respondents highlighting these two factors. When companies mentioned that they would not consider cloud-based email systems for their next upgrade, security concerns topped the reasons given.
Companies must consider security as a primary factor when designing and deploying a cloud-based email system. Microsoft’s own security protections in Office 365 have expanded over time, but one size doesn’t necessarily fit all. They might be enough for you, or they might not. Do that analysis before making the jump.
Office 365 customers can take advantage of a range of additional security controls, both from Microsoft and from third parties. Adding them into your deployment can create defense-in-depth, in which attackers face multiple barriers should they try to get at your data.
Preventing account compromise
Microsoft’s Office 365 data centres may be secure, but can you say the same for your users? Account compromise is a top cause of data breaches, but stopping your users from writing down passwords or giving them away is a sticky challenge. Multi-factor authentication can help to stop attackers compromising accounts, while making single sign-on more feasible.
Typically, you’ll federate on-premises identity information with Microsoft’s Azure Active Directory service so that your users can use their existing login credentials to access the Office 365 service. Then, add a multi-factor authentication service such as a hardware token or smartphone app to protect the account from unauthorized access.
Third-party apps can also pose an account compromise threat. These connected applications can be used to bypass multi-factor authentication, so you may want to consider implementing a solution that provides controls for which third-party apps can connect to your data.
Assuming the right people are accessing your users’ inboxes, that means you will have to protect their devices – and your network – from inbound cyberthreats. Spam and malware are key concerns for any email communications system, and Office 365 is no exception. Customers will want tight security with the best possible scanning technology checking their mail.
Microsoft provides some protection in the Exchange Online service that makes up part of Office 365, but its Advanced Email Threat Protection service – which offers sandboxing for executable attachments and link tracking – is an add-on. It costs more, and is only available on select account types.
Services from firms like Proofpoint and LogicNow will grab your mail and then check it for threats before forwarding it on to Office 365. Look for features such as quarantining, so that admins or users can still check blocked mail for false positives, and sandboxing, which analyzes both URLs and attachments in a safe space before passing them through to your users’ enterprise mailboxes. You should also choose a solution that covers both malware and non-malware attacks in both emails and attachments.
Beyond security, admins should also be thinking about uptime. Cloud-based solutions are far from invulnerable, and Office 365 is one of several that has suffered from outages in the past, leaving customers fuming. Look, there. It just went down. Oh, and again a few weeks later. And boink. Whoops, it just fell over yet again. And another one! Oh dear. Over at Microsoft’s cloud, the hamster just can’t stay in the wheel, it seems.
Outages like these leave enterprise IT customers with throbbing temples and angry users: Microsoft’s existing service level agreements (SLA) for Exchange Online simply aren’t satisfying the majority of customers. Windows IT Pro’s survey found that the SLA met less than one in three customers’ expectations.
One possible way to counter the problem is to use a third party provider to manage the additional security and also hold a copy of your emails in one go – a kind of pre-processor for your Exchange Online system, if you will. The same services that scrub your employees’ mail before forwarding it to Office 365 can also create a continuity copy of that email and preserve it for a fixed period. If Office 365 falls and can’t get up, you can still waste time scrolling through the irrelevant update mails that Brian in marketing insists on cc-ing to everyone. Lucky you.
Assessing your online solution provider
You may install add-on security solutions on-premises or access them in the cloud from a third party solution partner. These partners may simply white-label the extra security solutions, offering them to you with Office 365 as a bundled service set.
Buying cloud and online security solutions from a single cloud-based reseller, rather than bolting together a multi-vendor SaaS solution yourself, gives you more options to choose from. You can work with a regional online solution provider, or use the online productivity suite as part of a bigger solution set.
Not all resellers of cloud-based solutions are equal, though. It’s important to apply appropriate due diligence before teaming up with someone who is providing you with cloud-based services.
You need to be sure that the partner’s solutions are appropriately secured to manage the information you’re giving them. The General Protection Data Regulation (GDPR), which comes into effect next May, places more responsibility on third party data processors than its predecessor, the Data Protection Directive, did.
Due diligence in the cloud can be challenging. Few if any solution providers will let you sniff around their data centre, and most won’t bother filling out an RFP, either, but they should at least be able to demonstrate compliance with one or more cybersecurity frameworks. SSAE-16 SOC2 is a good starting point. Created by the American Institute of Certified Public Accountants, it handles cybersecurity controls for solution providers, and is stringent. Its cousin, ISAE 3402, is a suitable substitute.
Securing a cloud-based solution, especially one built around Office 365, can be as simple as taking what the cloud vendor gives you. However, it’s important to understand that the responsibility for securing your data is shared – the cloud vendor isn’t going to shoulder all of the blame in the event of a problem. If you do need an extra layer of security, use third-party solutions to design your own. That way, you can meet not only your own internal needs, but your customers’, too.
Sponsored: Becoming a Pragmatic Security Leader