Microsoft Office 365 (O365) is more than a service that provides employees with access to core productivity tools, such as Word, Excel, PowerPoint and Outlook. O365 is about collaboration, which in today's always-on world means that your users will be interacting with others, such as other employees and external partners, via the cloud.
O365 licensing extends beyond the core productivity applications to include services that enhance user collaboration. While these tools can significantly improve an organization's ability to collaborate, they also bring some security concerns.
Like systems and applications in corporate data centers, O365 is targeted by malicious actors. In one case, millions of Office 365 users were targeted by a phishing campaign with the goal of installing password stealers on infected devices. In another instance, "high-level" Office 365 user accounts were hit by a brute-force style attack designed to quietly steal sensitive corporate data.
Reducing the probability that these types of events occur can be as simple as keeping data security governance top of mind throughout all phases of the O365 migration process. This will help your organization protect its digital assets cost-effectively.
To effectively work through the maze of technical controls that are available to protect cloud-based workloads, a data-centric approach can be used to mitigate the risks associated with storing and processing data in the cloud. This includes meeting cybersecurity objectives and compliance requirements.
For example, governments across the globe are demanding stronger privacy protections for individuals, such as the EU's General Data Protection Regulation (GDPR). To comply with these requirements, you must understand the types of data being collected, and how it is processed, stored and transmitted so that appropriate controls are designed and implemented.
Regardless of where you are starting from, begin your O365 transformation journey with a critical analysis of your data.
The benefits of conducting a "crown jewels" analysis of your organization's data include:
Make no mistake, this is a critical step in the process. Without understanding what your data is worth, it is not possible to design a cost-effective program that minimizes the impact on user productivity while maintaining your desired security posture.
Now that we have discussed the cybersecurity implications of O365 and the benefits of a data-centric approach to protecting your data, what are your next steps?
Although necessary for mitigating O365 risk, exclusively focusing on a tools-centric approach, such as deploying a cloud access security broker, encryption, digital rights management, or a secure email gateway solution, is not adequate. Instead, a more holistic and multi-faceted approach should be taken that incorporates your organization's use of people, process and technology.
To get the full value of your O365 investment, an obvious but sometimes overlooked first step is user education. Prior to moving to O365, you should first train and educate internal staff to understand the architectural and engineering-related aspects of the O365 environment. If you're lacking internal capabilities, another option is to contract external consultants to provide the necessary knowledge and expertise.
In addition, because the many collaborative features of O365 could invite risk, provide end-user training that includes security awareness. Enable your employees to do the right thing by empowering them with relevant knowledge to improve their productivity and better protect the organization's digital assets in the process.
It is important to understand how the new O365 collaborative workflows, processes and data are stored and what is needed to protect them. Also, if other cloud service providers (CSPs) are used within your organization, then aligning the data controls across CSPs becomes necessary.
Implementing strong data protection controls in OneDrive to limit file sharing to other employees, while allowing sharing with external parties on a non-O365 CSP service such as Dropbox, significantly limits the benefit of securing your O365 instance. A balanced and holistic approach across all data types and CSPs is highly recommended.
The business objectives drive the organization's data taxonomy and associated policies. The policies are then used to define what is acceptable. A reference architecture is then used to define how policies are enforced for each level of classification. These architectural elements are then implemented to protect sensitive data, for example by encrypting it.
As mentioned earlier, technology is a necessary, but not solely sufficient, approach to mitigating O365 risk. Once you understand your business requirements and expectations around O365, you can assess the existing security architecture and identify gaps. This gap analysis will be the primary driver for technology and tooling decisions.
With that said, here is a list of some areas that deserve further research, depending on whether they align with your identified gaps.
1) Update your data protection and threat protection use cases for O365.
2) Identify new identity management requirements, such as federation for O365 and other cloud services.
3) Identify solutions for protecting email messages, links and attachments.
4) Identify data that is transmitted and stored in the cloud, regardless of the platform (e.g. Azure, AWS, Google Cloud) or location.
5) Consider cloud access security brokers (CASBs) and secure web gateways to enforce cloud data restrictions.
6) Review your existing Microsoft Enterprise Agreement/licensing to understand what Microsoft technologies are included - and then identify gaps.
7) Identify third-party solutions that cover gaps, such as:
As mentioned above, it is important to not get lost in the forest of technologies. Be sure to apply business context to inform how you integrate the people, process and governance functions needed to support any solution.
Based on the discussion above, consider the following high-level approach.
1) Educate key business and technical resources on O365.
2) Assess your critical data and the security impacts of using O365 and other cloud service providers to store and process your organization's data.
3) Define the necessary business-driven use cases to protect data in the cloud.
4) Identify gaps in your existing governance model, operational processes and supporting technology.
5) Create a three-to-six-month roadmap and execute the plan.
Regardless of where you are starting, the primary goal for your O365 security program is to continuously improve the maturity of how you are managing it over time. The good news is that once you have O365 up and running, you will be able to easily monitor the security posture of your instance using Microsoft's Security and Compliance portal and the Office 365 Secure Score. However, you will need to integrate these new data sources into your security processes.
Following these simple steps will enable your organization to gain the most from your O365 investment without incurring unnecessary risk in the process.
Thad Mann is global practice manager for data protection at Trustwave.