Office 365 Security – Capabilities & Planning

Moving to the cloud can introduce new concerns. In this post, I’ll help you address your organization’s own security standards, framed against the products and capabilities of your Office 365 services.

While Microsoft has invested heavily in securing their platforms against cyber attacks, they operate with a shared responsibility model in which the customer is responsible for ensuring their users take precautions to protect information. Many organizations have an information gap where the IT security team does not have visibility into everyday high-risk activity occurring within these services. They often do not know about misuse until it escalates into a major data loss incident.

As a result, many IT security teams need actionable intelligence around a wide range of internal and external threats and security vulnerabilities that can lead to data loss including:

  • Employees downloading sensitive corporate data with the intention of taking that data with them when they leave to join a competitor
  • Malicious administrators accessing data out of policy or data not related to their role, intentionally degrading security settings, or creating dummy accounts for unauthorized third party access
  • High-risk user behavior such as downloading data from company-sanctioned cloud services and uploading it to high-risk shadow IT services
  • Third parties logging into cloud service accounts using stolen or guessed login credentials in order to steal sensitive data
  • Dormant administrator accounts belonging to former employees that can be de-provisioned to eliminate the latent risk of account compromise
  • Data leakage from users due to improper configurations/permission management

The information gathered in this report can help mitigate those types of scenarios, based on Microsoft’s own best-practice foundational security goals:

  • Simplify and protect access
  • Allow collaboration and prevent leaks
  • Stop external threats
  • Stay compliant
  • Secure administrative access

Introduction to Office 365 Security

Let’s assess risk and implement the most critical security, compliance, and information protection controls to protect your Office 365 tenant. The goal is to prioritize threats, translate threats into technical strategy, and then take a systematic approach to implementing features and controls.

At the core of Office 365 security:

Data Loss Prevention

  • Malware and targeted attacks can cause data breaches; however, user error is a much greater source of data risk
  • DLP identifies, monitors and protects sensitive data and helps users understand risks

Auditing and Retention Policies

  • Allow logging of events including viewing, editing and deleting content such as email messages, documents and calendars
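As an added example (not code from the original post or from Microsoft), here is detection logic for three of the scenarios listed earlier in this post, bulk file downloads, dormant administrator accounts and anonymous sharing links, run over constructed audit log records shaped like the unified audit log’s AuditData JSON; the tenant name, user names, thresholds and admin list are placeholder assumptions.

```python
"""Detection rules over constructed Office 365 unified audit log records."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records. The field names (Operation, UserId, CreationTime,
# ObjectId, Workload) follow the AuditData JSON of an exported unified audit log;
# "contoso.example" and the user names are placeholders, not real data.
SAMPLE_AUDIT_LOG = json.loads("""[
 {"CreationTime":"2024-05-09T09:00:10","Operation":"FileDownloaded","UserId":"alice@contoso.example","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/finance/q1.xlsx"},
 {"CreationTime":"2024-05-09T09:02:30","Operation":"FileDownloaded","UserId":"alice@contoso.example","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/finance/q2.xlsx"},
 {"CreationTime":"2024-05-09T09:05:00","Operation":"FileDownloaded","UserId":"alice@contoso.example","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/finance/budget.docx"},
 {"CreationTime":"2024-05-09T09:11:45","Operation":"FileDownloaded","UserId":"alice@contoso.example","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/finance/forecast.pptx"},
 {"CreationTime":"2024-05-09T09:12:00","Operation":"FileDownloaded","UserId":"alice@contoso.example","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/finance/q1.xlsx"},
 {"CreationTime":"2024-05-09T10:00:00","Operation":"FileDownloaded","UserId":"bob@contoso.example","Workload":"OneDrive","ObjectId":"https://contoso.example/personal/bob/readme.txt"},
 {"CreationTime":"2024-05-09T15:00:00","Operation":"FileDownloaded","UserId":"bob@contoso.example","Workload":"OneDrive","ObjectId":"https://contoso.example/personal/bob/notes.txt"},
 {"CreationTime":"2024-05-08T07:30:00","Operation":"UserLoggedIn","UserId":"admin-active@contoso.example","Workload":"AzureActiveDirectory","ObjectId":"Unknown"},
 {"CreationTime":"2024-01-15T08:00:00","Operation":"UserLoggedIn","UserId":"admin-old@contoso.example","Workload":"AzureActiveDirectory","ObjectId":"Unknown"},
 {"CreationTime":"2024-05-09T11:20:00","Operation":"AnonymousLinkCreated","UserId":"carol@contoso.example","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/hr/salaries.xlsx"},
 {"CreationTime":"2024-05-09T11:25:00","Operation":"SharingSet","UserId":"dave@contoso.example","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/hr/handbook.docx"}
]""")

# Placeholder list of privileged accounts to check for dormancy (assumption).
ADMIN_ACCOUNTS = ["admin-active@contoso.example", "admin-old@contoso.example",
                  "admin-never@contoso.example"]
# Fixed "current time" so the sample is reproducible.
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)


def parse_time(value):
    """Audit CreationTime values are UTC without an explicit offset."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def bulk_download_users(records, threshold=3, window=timedelta(hours=1)):
    """Users who downloaded more than `threshold` distinct files inside any
    `window`-long interval. Returns {user: largest distinct-file count seen}."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            per_user[r["UserId"]].append((parse_time(r["CreationTime"]), r["ObjectId"]))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each download; repeats of one file count once.
            files = {obj for t, obj in events[i:] if t - start <= window}
            if len(files) > threshold:
                flagged[user] = max(flagged.get(user, 0), len(files))
    return flagged


def dormant_admins(records, admin_accounts, now, max_idle=timedelta(days=90)):
    """Admin accounts with no UserLoggedIn event within `max_idle` of `now`.
    Returns {account: last sign-in, or None if never seen in the records}."""
    last_seen = {}
    for r in records:
        if r["Operation"] == "UserLoggedIn" and r["UserId"] in admin_accounts:
            t = parse_time(r["CreationTime"])
            if r["UserId"] not in last_seen or t > last_seen[r["UserId"]]:
                last_seen[r["UserId"]] = t
    return {a: last_seen.get(a) for a in admin_accounts
            if a not in last_seen or now - last_seen[a] > max_idle}


def anonymous_link_events(records):
    """(user, object) pairs where an 'anyone' link was created on content."""
    return [(r["UserId"], r["ObjectId"]) for r in records
            if r["Operation"] == "AnonymousLinkCreated"]


if __name__ == "__main__":
    print("bulk downloads:", bulk_download_users(SAMPLE_AUDIT_LOG))
    print("dormant admins:", dormant_admins(SAMPLE_AUDIT_LOG, ADMIN_ACCOUNTS, NOW))
    print("anonymous links:", anonymous_link_events(SAMPLE_AUDIT_LOG))
```

On a real export, feed the parsed AuditData column of each row into the same functions and tune the threshold and idle period to your organization’s minimum standards.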

eDiscovery

  • A single experience for searching and preserving email and documents

Data Deletion

  • Clear commitments and procedures for end-of-life and data destruction

Data Spillage Management

  • Hardware with your data is locked down

Question: “What are the main differences between security on-premises and security in the public cloud?”

Answer: “You still need to do most of what you’re doing now.”

Ensuring that data is classified correctly, and that the solution complies with regulatory obligations, is the responsibility of the customer. Physical security is the one responsibility that is wholly owned by the cloud service provider when using cloud computing.

The remaining responsibilities are shared between customers and cloud service providers.

Responsibility Zones

Security Responsibilities Managed by Office 365

Threats Managed by Office 365

Implications

Considering the security responsibility and threat patterns above, a key conclusion can be drawn about where your organization’s security focus with Office 365 should be:

  • Authentication Security is critical
  • Tenant Security Configuration is critical

Security Capabilities Plan

Start with a set of standards that can be applied across your organization. Here is an example of what this can look like.

Set Information Protection Standards

  • Establish information protection priorities: The first step of protecting information is identifying what to protect. Develop clear, simple, and well-communicated guidelines to identify, protect, and monitor the most important data assets wherever they reside.
  • Set organization minimum standards: Establish minimum standards for devices and accounts accessing any data assets belonging to the organization. This can include device configuration compliance, device wipe, enterprise data protection capabilities, user authentication strength, and user identity.
  • Find and protect sensitive data: Identify and classify sensitive assets. Define the technologies and processes to automatically apply security controls.
  • Protect high value assets (HVAs): Establish the strongest protection for assets that have a disproportionate impact on the organization’s mission or profitability. Perform stringent analysis of the HVA lifecycle and its security dependencies, and establish appropriate security controls and conditions.

Classify Data by Sensitivity Levels

Four levels is a good starting point if your organization doesn’t already have defined Data Sensitivity standards:

  • Confidential: Only those who explicitly need access must be granted it, and only to the least degree needed to do their work (the ‘need to know’ and ‘least privilege’ principles).
  • Restricted: Subject to controls on access, such as only allowing valid logons from a small group of staff. ‘Restricted’ information must be held in a manner that prevents unauthorised access, i.e. on a system that requires a valid and appropriate user to log in before access is granted.
  • Internal Use: Can be disclosed or disseminated by its owner to appropriate members of your organization, partners and other individuals, as the information owner sees fit, without any restrictions on content or time of publication.
  • Public: Can be disclosed or disseminated without any restrictions on content, audience or time of publication. Disclosure or dissemination of the information must not violate any applicable laws or regulations, such as privacy rules.


Map Service Capabilities to Data Sensitivity Levels

This table is an example of how capabilities can be mapped to data sensitivity levels:

  • Data is encrypted and available only to authenticated users: Provided by default for data stored in Office 365 services. Data is encrypted while it resides in the service and in transit between the service and client devices.
  • Additional data and identity protection applied broadly: Capabilities such as multi-factor authentication (MFA), mobile device management, and Exchange Online Advanced Threat Protection increase protection and substantially raise the minimum standard for protecting devices, accounts, and data.
  • Sophisticated protection applied to specific data sets: Capabilities such as Azure Rights Management (RMS) and Data Loss Prevention (DLP) across Office 365 can be used to enforce permissions and other policies that protect sensitive data.
  • Strongest protection and separation: Customer Lockbox for Office 365, eDiscovery features in Office 365, and use of auditing features to ensure compliance with policies and prescribed configurations.


Office 365 Secure Score

Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security.

Anyone who has admin permissions (global admin or a custom admin role) for an Office 365 Business Premium or Enterprise subscription can access the Secure Score at https://securescore.office.com. Users who aren’t assigned an admin role won’t be able to access Secure Score. However, admins can use the tool to share their results with other people in their organization.

Secure Score figures out what Office 365 services you’re using (like OneDrive, SharePoint, and Exchange) then looks at your settings and activities and compares them to a baseline established by Microsoft. You’ll get a score based on how aligned you are with best security practices.

Using Secure Score helps increase your organization’s security by encouraging you to use the built-in security features in Office 365 (many of which you already purchased but might not be aware of). Learning more about these features as you use the tool will give you peace of mind that you’re taking the right steps to protect your organization from threats.

If you want to improve your score, review the action queue to see what you can do to help increase security and reduce risks.

Expand an action to learn about what threats it’ll help protect you from and how you’ll get the job done.

To see the impact of your actions on your organization’s security, go to the Score Analyzer page and review your history.

Click any data point to see a breakdown of your score for that day. You can scroll down to see which controls were enabled and how many points you earned that day for each control.

Add Secure Score to the Office 365 Security and Compliance Center Dashboard

Office 365 Secure Score is a great security analytics tool that you can access at https://securescore.office.com. However not everyone knows how to access Secure Score. You can make it easier to discover and quickly review your security position by adding a Secure Score widget to the home page of the Office 365 Security and Compliance Center.

The widget will show your latest score and the maximum points you can obtain. To get more information about your score you can click the “Go to Secure Score” link and it will take you directly to Secure Score to review the additional details.


Join the #CodeGeneration Movement

Building on Microsoft’s recent announcement to invest $75 million in community programs to increase access to computer science education for all youth worldwide, Microsoft Canada is launching the #codegeneration movement – to inspire Canadian youth (13 -18 year olds) to learn more about coding. #codegeneration will run from now until Computer Science Education Week (December 7-13). 

Join the Movement!

Help us spread the word and teach Canadian youth to create with technology. Anyone can code, it’s simple and easy.

  • Coding Challenges: For the next five weeks, Microsoft will be issuing coding challenges at www.CodeGeneration.ca. Students who complete these weekly challenges will have the chance to win points towards prizes while learning the basics of coding; and parents and teachers can find resources to help them lead students in these challenges themselves.
  • “Hour of Code” Sessions: As a founding corporate supporter of Code.org, Microsoft is offering free Preparation Webinars with live chat for questions and answers on November 24 and December 1.  Ready to hold your own Hour of Code with your students – download your toolkit today and lead them through a Minecraft tutorial.  Or schedule a field trip to a local Microsoft Retail Stores during Computer Science Education Week to give young developers the opportunity to learn coding. For more info, please visit the In-Store event section at a store near you.

Spread the word!

Microsoft Ignite Conference: Day 3 Round-Up

I’ll kick off Day 3’s post with another imprint of pure experience. Scale- On-premise, Cloud, Global, Local. The rush/distraction/tunnel vision of being one of 23,000+ people moving through the Microsoft Ignite conference, contrasted with simple but essential logistics like bio-breaks and food, are a big parallel for me to the distinct juncture we are at in technology:  empower everyone at a mass scale, but make sure the human details are taken care of, and that everyone has a voice.

The entrance hall may resemble a slightly above average shopping mall scene for most, but in context, on the ground, it was more like the entrance to a spaceship waiting to take off:
Entrance

Existential experiences aside, I waited a full 5 minutes for cell phone guy to abandon his hostile takeover of Microsoft (pleading eye contact included), and finally realized that was 5 minutes I would never get back, so I snapped my obligatory “largest Expo Hall ever” pic:
Microsoft
Really, words don’t help much with describing the scale of this event. 23,000 of the world’s finest Microsoft-oriented IT professionals in not one, but two Conference centers daisy-chained together. Being from Canada, the SCALE of business in America is always impressive-  this time it was the hammer of Thor (axe of Abe Lincoln?). There were numerous, well-attended core educational/interactive groups with all the best of the Microsoft team providing direct interaction with attendees. These were no tradeshow stunt doubles, but really the actual program leads and people who make things move at Microsoft. Super high quality interactions all over the floor.

Office 365

TechNet is my bible, which would make Joanne & KC here (Senior Content Writers for Microsoft), pretty high up in the toga-wearing department:
TechNet Rocks

Aside from the separate, colossal pool of core Microsoft and Partner & Vendor talent present in the Expo Hall, here’s the top sessions from day 3, on the SharePoint/Office 365 tip (with some guest appearances from OneNote & Visio, as I love both):

What’s New for IT Professionals in SharePoint Server 2016

“Engineering paths directly influenced by SP Uservoice” See: https://sharepoint.uservoice.com/forums/282887-customer-feedback-for-sharepoint-server
“Durable Links- permalinks based on resource ID. Move Docs freely, URL stays the same”
“No downtime CU patching”
“OneDrive integration big priority for Engineering team”


This article describes initial investments made in installation and deployment of SharePoint Server 2016: http://blogs.technet.com/b/wbaer/archive/2015/05/12/what-s-new-in-sharepoint-server-2016-installation-and-deployment.aspx

MinRole for the win!!

Embrace the BYOD Revolution: Effectively Manage a Multi-Device, Multi-Generational Workforce

A major business transformation is brewing in the enterprise today. Mobile technologies, business velocity, geographically dispersed and multi-generational workforce are converging to deliver the promise of responsive organizations. Organizations that miss this paradigm shift will face dire consequences. How can you effectively manage this shift, ensure that it will be sustainable and reap the benefits of being a responsive organization? In this session, learn how to apply practical steps and effective techniques to manage your multi-device and multi-generational workforce.

MVP Panel: Sample Apps and Intelligent Solutions Showcasing Office Graph and Delve Extensibility

Preparing for a meeting, but not sure what documents are relevant? Writing a proposal and looking for similar documents to help you out? Interested in what your colleagues are working on to stay updated? With the new Office Graph, answers to those questions are within your reach. In this demo-packed session, we show you how the Office Graph works and how it can be used when building custom apps and enriching existing solutions and portals. All scenarios are backed up by real-life solutions that you could use in your organization.

Microsoft Ignite Conference: Day 2 Round-Up

Day 2 started off with a walk to the shuttle bus under the looming John Hancock building. Infrastructure into the Cloud, this pic worked out well as a deep ol’ metaphor 🙂 :
John Hancock

Here’s some of the most awesome SharePoint/Office 365 sessions from Day 2:

There are over 150 Day 2 sessions available for immediate viewing.

Source: Microsoft Ignite Day 2 Sessions On-Demand

Here’s my takeaways from the sessions I had scheduled:

Microsoft Office 365 Groups Overview and Roadmap

“It’s not an email, it’s a conversation.”
Dynamics CRM and Group’s integration.

Office 365 Groups helps you collaborate by easily bringing together your colleagues and the applications you need to get work done. Office 365 Groups leverages a standard definition for team membership and permissions across Microsoft Exchange, SharePoint, and later Skype for Business, Yammer and the rest of Office 365, managed through Microsoft Azure Active Directory. This session provides an overview of Office 365 Groups, demonstrates its capabilities today, and provides a roadmap for future investments.

Designing and Applying Information Architecture for Microsoft SharePoint and Office 365

Provide Clear Guidance
Make it Easy
Keep it Simple, Stupid
Define > Design > Implement > Govern

This session demonstrates a proven process for defining, designing, implementing, and governing your information architecture (IA). IA is more than just columns and metadata. Learn how the different components available in SharePoint and Microsoft Office 365 can be leveraged to their fullest potential and your users’ ultimate benefit to content organization and discovery.

Managing Change in an Office 365 Rapid Release World

Selective First Release! Roll out first release changes to selected users only. ’nuff said.

Before moving to Microsoft Office 365, your team planned each and every change or update before your users saw anything new or different. Now in a services-first world, changes are introduced at a rapid pace, sometimes before you or your help desk may be prepared. Office 365 provides communications to help you manage change, stay informed, and inform your users. Learn how to best use the Office 365 Message Center, Roadmap.office.com, and Success.office.com to get ahead of updates and help your business take advantage of the latest and greatest Office 365 has to offer.

Microsoft Office 365 Groups Deep Dive
Office 365 Groups helps you collaborate by easily bringing together your colleagues and the applications you need to get work done. Office 365 Groups leverages a standard definition for team membership and permissions across Microsoft Exchange, SharePoint, and later Skype for Business, Yammer, and the rest of Office 365, managed through Microsoft Azure Active Directory. This session follows the introduction session “Microsoft Office 365 Groups Overview and Roadmap,” and covers the following topics: architecture, administration, security and compliance, and extensibility.

All in all a great day- I was also lucky enough to be able to work at the Microsoft MVP Booth (in the “Microsoft on Microsoft” section of the Expo Hall). Very rewarding to answer questions about the MVP program and connect with people from around the world.

MS MVP Booth

MVPS

Cloud-based SharePoint – Risks & Rewards

I just checked out a whitepaper-style document promoting the cloud offerings of a company named SpringCM on the topic of Enterprise Content Management, and it got my gears turning about the concept of ECM, and SharePoint in particular, in the cloud. While Office 365 is a viable option for some businesses, up here in Canada it’s a no-go for a lot of governmental and business clients, who cannot, for legal or policy reasons, host on servers that are physically in the US or other countries.

Those types of situations aside, cloud-based ECM seems like a great idea on the surface: an automagically maintained and scaled SharePoint (or SharePoint-style) farm, with no messy details about hardware and network capacity planning, no depreciation tables, and so on. I got into the Windows Azure platform around this time last year and have seen it grow from a latecomer second to Amazon’s cloud offerings into a mature platform which leverages the one great thing Microsoft succeeds with: 100% integration.

You can definitely stand up SQL Server images on Amazon EC2 super-quick, but in the end the hardware patterns and practices that Microsoft’s dedicated cloud SQL offering uses are going to nail it for performance and overall ROI. So to that end, one would expect a forward-looking SharePoint shop to be diving headfirst into the fluffy cloud. Not so fast: let’s look at some of the ideas presented in the linked whitepaper and see why the “traditional” method of deploying SharePoint 2010 within the client’s existing or new IT infrastructure is still, in most scenarios, the winning one:

Availability
  • Their take: Conventional ECM (SharePoint): “High availability requires the construction of redundant, costly infrastructure.” ECM as a cloud platform: “Economies of scale make redundancy cost-effective for the cloud platform provider.”
  • My take: While hardware is costly, it is a fixed asset that can be re-allocated internally or sold eventually, when it becomes too obsolete for front-line service. Cloud and hosted solution providers have to deal with physical asset depreciation just as everyone else does; they often overcome the hit in part by locking clients into years-long hosting agreements, which towards the end leave the client stuck on outdated hardware. Cloud hosting is supposed to keep your enterprise virtual and less tied to specific nodes of the hosting infrastructure; however, there will always be hardware-level tie-downs at some level. Nothing is ever completely virtualized.

Extensibility
  • Their take: Conventional ECM (SharePoint): “Support for remote users, contractors and other third parties requires special efforts by the IT department.” ECM as a cloud platform: “Any authorized user can access the service from anywhere, securely.”
  • My take: Remote support services like GoToManage are typically in the arsenal of an enterprise client already. HTTPS VPN access into SharePoint sounds like a “secure service” from “anywhere” to me! Heck, if there was a burning need for it you could do forms-based authentication on a SharePoint instance outside your DMZ too.

Security
  • Their take: Conventional ECM (SharePoint): “Protection of a highly diverse enterprise computing environment requires significant investments of time and effort.” ECM as a cloud platform: “Uniformity and economies of scale enable cloud platforms to maintain the highest security standards at less cost.”
  • My take: The whole premise of SharePoint is that it is the opposite of highly diverse, and all your sensitive assets go into it. It’s the opposite of the nuclear war strategy of spreading out your silos in obscure locations; in SharePoint’s case the monolithic security approach is its edge. I can’t see how economies of scale are relevant to security. Security is fundamentally independent of scale. If what they are talking about is that it’s cheaper for physical firewalls etc. by grouping a bunch of clients into one datacenter, I’d ask what security risks actually arise from locking a bunch of independent companies’ systems in the same room together.

Performance
  • Their take: Conventional ECM (SharePoint): “IT has to keep monitoring multiple services, discover the root causes of performance shortfalls, figure out how to fix them, and decide whether it’s worthwhile to buy more infrastructure.” ECM as a cloud platform: “The cloud platform uses a single set of services and can easily allocate more capacity to any customer who needs it.”
  • My take: itgroove leverages the out-of-the-box performance and scalability of SharePoint so that potential future performance bottlenecks are accounted for strategically, not tactically. Features like sandboxed solutions and site collection limits allow us to delegate long-term performance management to SharePoint power users and admins, who can proactively manage potential performance hits directly through Central Administration. The basic concern I’d have about a cloud or hosted solution is that it’s a lot like your home ADSL or cable-based internet connection: you may be paying for 50 Mbps, but your telco certainly isn’t planning for everyone on your block to use that pipe at 100% capacity, 24/7. The “economies of scale” work in reverse at the enterprise level with cloud data centers’ leased data backbones: they get a reasonable rate for their data pipe based on the assumption that one or more of their clients will not be pegging the network infrastructure. If your enterprise company were to grow in a spurt, it’d certainly be worth assessing the risk that the service at the other end of your external host’s pipe might decide their own economies of scale don’t fit with your hosting provider any more.

Best Practices
  • Their take: Conventional ECM (SharePoint): “A software solution typically involves third parties. Software often lags current best practices by years due to the lag time in incorporating the latest releases.” ECM as a cloud platform: “Best practices can evolve quickly and be shared immediately.”
  • My take: Microsoft offers Cumulative Updates and Service Packs for SharePoint on a constant basis. While no SharePoint consultant would in good conscience recommend blindly auto-patching the latest updates without some research and evaluation first, they can conservatively fall back a couple of update versions and still not be behind by “years”. Sometimes sharing isn’t caring: best practices should not be tagged as such simply based on speed of evolution, but instead should come from demonstrated stability and experience.

Speed
  • Their take: Conventional ECM (SharePoint): “Ongoing software upgrades, like the original software and supporting technology, can take months to install, configure, integrate, test, and roll out.” ECM as a cloud platform: “Immediate benefits.”
  • My take: It’s a good thing there are consultants who can make that part as painless as possible! Business is a marathon, not a race. I’d opt for the stability and industry depth of SharePoint over some immediate new bells and whistles any day. Being able to calculate ROI effectively is a challenge, and having your intranet application zoom over the heads of your business decision makers by running its own proprietary feature release schedule can make for some sloppy planning.

In conclusion, I’d like to disclaim that as a geek I am an early adopter by nature. The cloud is fun and exciting, and certainly lets you focus on core business without a lot of the drudgery and expense of traditional sysadmin responsibilities; however, there’s more to contemplate than just how much network latency you’re going to get by basing your company’s ECM system over the public internet. You know what they say about being bold and old: the cloud is definitely bold but definitely not old. Time will tell how these traits merge and whether players like SpringCM can succeed.

Microsoft’s Office 365 service offering for mid-to-enterprise sized businesses is likely going to be your best bet should you decide that the cloud is practical for your company’s ECM needs.