Preparing for the Remaining 93 Percent of Office 365 Adoption
Any company migrating data to the cloud has to contend with the shared responsibility model. 64.9 percent of IT professionals consider cloud applications to have equal or better security than on-premises software. All of this is useless, however, unless the cloud customer holds up their end of data security.
Microsoft, as the tried and true solution for enterprise software, is leading many enterprises’ march to the cloud. 87.3 percent of organizations have at least 100 employees using Office 365, but 93.2 percent of employees still use Microsoft on-premises solutions.
Gartner has predicted that through 2020, 95 percent of security incidents involving cloud will come from customers’ vulnerabilities. Between a lack of expertise and the complexity of an enterprise-wide environment, there are all too many stumbling blocks to deploying effective security measures.
After observing companies across all major verticals, we have developed a checklist for Office 365 security based on their successes and failures. Any company considering, starting, or wrapping up an Office 365 deployment needs to account for these seven factors.
Companies should consider their security responsibilities as they conduct a migration to any cloud service
1. Don’t Leave the Keys Under the Doormat
Moving sensitive data to the cloud may seem like a big leap of faith for some companies, but the reality is that employees have likely already taken this step. 17.4 percent of documents contain sensitive data in the average SharePoint Online deployment. If employees uploaded this data without oversight from IT security, there may not be DLP or access controls in place–policies a company would surely have in place for sensitive data on premises. Policies should prevent employees from accessing data not relevant to their jobs; for example, an employee in R&D should not be able to freely access financial forecasts or sales lists. Then there is the classic “keys under the doormat” phenomenon: the average company’s OneDrive stores 143 files containing the word “password” in the filename.
2. Oversharing is not Caring
Office 365 has turned into the central hub for inter-business collaboration. Companies connect with an average of 72 business partners through Office 365, more than on any other collaboration platform. Once again, ease of sharing functions as a boon and a bane. 29 percent of data shared externally in file-sharing services ends up in the hands of high-risk partners. A company’s internal security measures become irrelevant if hackers can target a less secure business partner to access corporate data.
3. Cloudify Information Rights Management (IRM) Policies
IRM policies are a staple for data in companies’ on-premises SharePoint. However, many companies hesitate to extend these policies to the cloud because the prospect of hosting encryption keys in cloud or downloading client software to access an acquired SharePoint file is daunting. The solution is not to completely neglect IRM, but rather to apply these policies in a targeted way: encrypt sensitive files as they are downloaded, using encryption keys stored on-premises.
4. Don’t Let Data Escape Under your Nose
After hackers stole terabytes of data from Panamanian law firm Mossack Fonseca, companies are doubling down on behavior monitoring to prevent data exfiltration and other threats. The Office 365 Management Activity API provides raw usage data, with 162 distinct event types that users perform. The large amount and variety of data would be overwhelming for manual monitoring, but machine learning algorithms excel with such a rich data set. Microsoft’s Graph API connects vendor partners to this data, allowing Office 365 customers to leverage best-in-class machine learning tools to identify threats out of millions of user actions, like an employee downloading an abnormally large amount of data before leaving to a competitor.
5. Make Security Policies Contextual
Cloud’s mobile capabilities have transformed the workplace. Office 365 lets employees access data on a smartphone or laptop so they can read an urgent email on vacation or work on a spreadsheet at home. Breaking down the walls of the office can expose data to new risks, however. Employees may access sensitive data through public WiFi or lose a personal device with corporate data. Security policies in Office 365 need to consider contextual information like device type and location. A standard baseline rule is to block downloads of sensitive data coming from outside a trusted network or corporate VPN. From a BYOD perspective, companies should restrict access to sensitive material managed devices only.
6. Don’t Put too Much Faith in Passwords
Passwords have been the fail-point in a quarter of data breaches. Using the Activity Monitoring APIs, third-party solutions can detect anomalous login attempts. For example, services should detect when a user who normally logs in from San Francisco attempts to log in from an untrusted location such as China. Other examples include consecutive logins to an account across an implausible geographic distance in a given time frame or multiple failed login attempts indicative of a brute force attack. In addition to monitoring for new threats, closing inactive accounts is one way to reduce risk, especially if they belong to former employees.
7. Minimize Exposure to Administrator Threats
Administrator accounts pose a unique security threat to companies. Whether at the hands of a rogue insider or a stolen credential, administrator accounts can be abused to compromise large amounts of corporate data. All too often, accounts fall idle and end up as zombie administrators, which are sitting ducks for attackers to exploit. Any company transitioning to Office 365 needs to audit privileged users for security threats, not just end users.
From Office 365 and Beyond
Many of these controls may have been standard for on-premises software. As we have reviewed, companies can achieve these capabilities but will need to take a proactive approach to do so. Office 365 currently dominates collaboration and file sharing, but the same principles in this checklist apply to other cloud applications. Microsoft has demonstrated with its warming partner strategy that cloud means perpetual choice for customers. Companies should consider their security responsibilities as they conduct a migration to any cloud service.