Microsoft Office 365 (O365) is more than a service that provides employees with access to core productivity tools, such as Word, Excel, PowerPoint and Outlook. O365 is about collaboration which, in today's always-on world, means that your users will be interacting with others, such as other employees and external partners via the cloud.
O365 licensing extends beyond the core productivity applications to include services that enhance user collaboration. While these tools can significantly improve an organization's ability to collaborate, they also bring some security concerns.
- Exchange Online (Outlook) is an email service that enables users to send and receive internal and external messages. You should enlist email security that protects sensitive data and accounts for external threats, such as embedded malware or links that lead to malicious sites.
- OneDrive for Business is a cloud storage repository that can store from one terabyte (TB) to an unlimited amount of data. SharePoint is a cloud-based collaboration platform that tends to be used as a document management system. Both services increase the risk for unauthorized distribution of sensitive data (aka a data breach). Securing these data repositories requires organizations to implement access control based on least privilege. Additional controls, such as data encryption, backup and recovery, are also needed.
- Other solutions that are included in O365 licensing bundles, include Skype for Business, Teams, Yammer, Power BI Pro. These collaboration platforms foster a level of trust for users, but this may cause them to inappropriately click on malicious links or attachments or share sensitive information.
Like systems and applications in corporate data centers, O365 is targeted by malicious actors. In one case, millions of Office 365 users were targeted by a phishing campaign with the goal of installing password stealers on infected devices. In another instance, "high-level" Office 365 user accounts were hit by a brute-force style attack designed to quietly steal sensitive corporate data.
Reducing the probability that these types of events occur can be as simple as keeping data security governance top of mind throughout all phases of the O365 migration process. This will help your organization protect their digital assets cost effectively.
Addressing cloud-related cybersecurity risks
To effectively work through the maze of technical controls that are available to protect cloud-based workloads, a data-centric approach can be used to mitigate the risks associated with storing and processing data in the cloud. This includes meeting cybersecurity objectives and compliance requirements.
For example, governments across the globe are demanding stronger privacy protections for individuals, such as the EU's General Data Protection Regulation (GDPR). To comply with these requirements, you must understand the types of data being collected, and how it is processed, stored and transmitted so that appropriate controls are designed and implemented.
Regardless of where you are starting from, begin your O365 transformation journey with a critical analysis of your data.
The benefits of conducting a "crown jewels" analysis of your organization's data include:
- Gaining insight into which data is important to your organization and why.
- Assigning a monetary value to the data that is incorporated into the risk management process.
- Understanding how data flows through your organization enables for the design of more effective security controls that doesn't impact productivity.
- Minimizing your attack surface by restricting where sensitive data is stored and who can access these repositories.
Make no mistake, this is a critical step in the process. Without understanding what your data is worth, it is not possible to design a cost-effective program that minimizes the impact on user productivity while maintaining your desired security posture.
How to safely migrate to O365
Now that we discussed the cybersecurity implications of O365 and the benefits of a data-centric approach to protect your data, what are your next steps?
Although necessary for mitigating O365 risk, exclusively focusing on a tools-centric approach, such as deploying a cloud access security broker, encryption, digital rights management, or a secure email gateway solution, is not adequate. Instead, a more holistic and multi-faceted approach should be taken that incorporates your organization's use of people, process and technology.
To get the full value of your O365 investment, an obvious, but sometimes overlooked first step, is user education. Prior to moving to O365, you should first train and educate internal staff to understand the architectural and engineering-related aspects of the O365 environment. If you're lacking internal capabilities, another option is to contract external consultants to provide the necessary knowledge and expertise.
In addition, due to the many collaborative features of O365 that could invite risk, focus training on the end-user that includes security awareness. Enable your employees to do the right thing by empowering them with relevant knowledge to improve their productivity and better protect the organization's digital assets in the process.
It is important to understand how the new O365 collaborative workflows, processes and data is stored and what is needed to protect them. Also, if other cloud service providers (CSP) are used within your organization, then aligning the data controls across CSP's becomes necessary.
Implementing strong data protection controls in OneDrive to limit sharing files only with other employees but allowing sharing with external parties on a non-O365 CSP service, such as Dropbox, significantly limits the benefit of securing your O365 instance. A balanced and holistic approach across all data types and CSP's is highly recommended.
The business objectives drive the organization's data taxonomy and associated policies. The policies are then used to define what is acceptable. A reference architecture is then to define how policies are enforced for each level of classification. These architectural elements are then implemented to protect sensitive data, such as encrypting sensitive data.
Technology & Tooling
As mentioned earlier, technology is a necessary, but not solely sufficient, approach to mitigating O365 risk. Once you understand your business requirements and expectations around O365, you can assess the existing security architecture and identify gaps. This gap analysis will be the primary driver for technology and tooling decisions.
With that said, here is a list of some areas that deserve further research depending on if they align with your identified gaps.
1) Update your data protection and threat protection use cases for O365.
- Define and map how and where cloud data is stored and transmitted.
- Define data taxonomy for classification and tagging.
- Design appropriate data controls for email and cloud storage.
2) Identify new identity management requirements, such as federation for O365 and other cloud services.
3) Identify solutions for protecting email messages, links and attachments.
4) Identify data that is transmitted and stored in the cloud, regardless of the platform (e.g. Azure, AWS, Google Cloud) or location.
5) Consider cloud access security brokers (CASBs) and secure web gateways to enforce cloud data restrictions.
7) Identify third-party solutions that cover gaps, such as:
- For all clients having a need for an additional and independent anti-virus engine scanning all emails (aka secure email gateway).
- For all clients requiring that cloud-related telemetry is centrally collected and analyzed (aka SIEM).
- For O365 Enterprise E3 clients requiring cloud protection for non-O365 cloud workloads (aka CASB).
As mentioned above, it is important to not get lost in the forest of technologies. Be sure to apply business context to inform how you integrate the people, process and governance functions needed to support any solution.
A Summary: What You Should Do Now
Based on the discussion above consider the following high-level approach.
1) Educate key business and technical resources on O365.
2) Assess your critical data and the security impacts of using O365 and other cloud service providers to store and process your organization's data.
3) Define the necessary business- driven use cases to protect data in the cloud.
4) Identify gaps in your existing governance model, operational processes and supporting technology.
5) Create a three-to-six-month roadmap and execute the plan.
Regardless of where you are starting, the primary goal for your O365 security program is to continuously improve the maturity of how you are managing it over time. The good news is that once you have O365 up and running, you will be able to easily monitor the security posture of your instance using Microsoft's Security and Compliance portal and the Office 365 Secure Score. However, you will need to integrate these new data sources into your security processes.
Following these simple steps will enable your organization to gain the most from your O365 investment without incurring unnecessary risk in the process.
Thad Mann is global practice manager for data protection at Trustwave.