
Office 365 security in questions and answers

While Office 365 has already passed the 100 million active user threshold, that's not the limit yet. The latest Global SharePoint Survey by Hyperfish, Sharegate and Nintex shows that at least 32% of organizations are planning their migration to Office 365, and 16% are already in the process. Interestingly, another 32% of respondents agree that Office 365 security concerns are the primary reason they don't move to the cloud.

With the release of Microsoft 365, which includes Office 365 and offers corporate security as part of the package, companies have even more options to start their cloud collaboration. Therefore, we can expect even more doubts and discussions about the security of both cloud suites.

So are there real reasons for organizations to be concerned, or are their security fears unfounded? In this article, we're going to focus on various security aspects of Office 365 and Microsoft 365. We answer the most common questions about Office 365 security so that you can decide whether you can trust the Microsoft cloud or stick with your on-premises deployment.

Office 365 security from an organizational point of view

Organizations that have decided to migrate their on-premises deployments to the cloud can feel insecure. When a company gets used to having complete control of its deployments and data, it may hesitate to move them to the cloud owned and managed by a third party, even if it is a world-renowned software giant.

Let's answer a few questions businesses may have when they choose to get started with Office 365.

What measures does Microsoft take to protect our Office 365 data?

Physically, your deployment is hosted in Microsoft data centers in different parts of the world. Microsoft maintains several layers of physical security in their data centers to prevent attempts at physical disruption. Microsoft is also responsible for making sure Office 365 is up and running, and it regularly makes feature and security updates to the suite.

Microsoft undertakes to keep your data inaccessible to third parties and not to use it for advertising or marketing campaigns. However, you should understand that in certain extreme situations, Microsoft must disclose your data. This can be the case with legal requirements. Just be sure that your data will only be published if Microsoft fails to contact your organization by all available means.

Which Office 365 security features can we use?

Microsoft adheres to the defense-in-depth principle to ensure robust protection of its cloud services. This principle requires at least two categories of Office 365 security functions:

  • Integrated security functions
  • Controls for customers

Microsoft adheres to its proprietary threat management strategy, which includes a range of threat protection mechanisms to protect organizations from malware and viruses, phishing campaigns and spoofing, DDoS attacks, and other types of security threats.

There are also several controls for each organization to ensure its unique security within the Office 365 environment. This security layer covers such important security aspects as secure access to the Office 365 services to which the company is subscribed, multi-factor authentication and role-based access control for end users, data loss prevention (DLP) features, message encryption, etc.

Can we stay compliant when using Office 365?

Compliance is one of the biggest pain points for organizations considering adopting Office 365. In reality, this aspect is genuinely ambiguous.

Office 365 currently meets the requirements set out in ISO 27001, the European Union Model Clauses, Health Insurance Portability and Accountability Act Business Associate Agreements (HIPAA BAA), and the Federal Information Security Management Act (FISMA).

In addition, Microsoft offers a variety of certifications and attestations that companies can use to meet their national, regional, and industry-specific requirements. You can find a comprehensive list of certificates in the Office 365 Trust Center.

The quickest way to see which Office 365 services and apps meet the highest level of compliance is the Microsoft Compliance Framework. There you will see that SharePoint Online sits in a higher compliance category than Microsoft Teams or Planner, for example, which means that the latter still have gaps in their compliance coverage. As for Microsoft Stream, this new Office 365 service is not yet covered by the compliance framework at all and is currently only in a review phase.

All in all, it pays to work directly with Microsoft or your Office 365 consulting agency on compliance issues. This is exactly what Henkel did when implementing Office 365 solutions in accordance with the General Data Protection Regulation (GDPR).

Office 365 security from the end-user perspective

Office 365 offers great social collaboration flexibility so that employees can use the suite on different devices and from any location. However, this freedom should go hand in hand with the confidence that employees are working in a protected environment, especially when they are dealing with sensitive data.

Can someone access the content I'm working on in Office 365?

Office 365 allows data to be encrypted both at rest on storage systems and in transit, which means your content is encrypted and cannot be read unless a malicious user also obtains the decryption key. Office 365 uses established encryption protocols and technologies, including TLS/SSL, Internet Protocol Security (IPsec), and the Advanced Encryption Standard (AES).

We have to emphasize that encryption of data at rest applies to the enterprise apps and services. For example, OneDrive for Business protects all files stored in it, while the consumer edition of OneDrive does not guarantee content encryption. So avoid using your personal storage instead of corporate storage.

Can I use Office 365 safely on mobile devices?

Office 365 subscriber mobile security is provided through two main sets of tools: built-in Mobile Device Management (MDM) features and Microsoft Intune.

With MDM for Office 365, you can create dedicated mobile policies to control access to organizational email and documents for supported mobile devices and apps. So if you lose your device, Office 365 administrators can remotely access it and wipe any sensitive data it holds.

Organizations with complex mobile environments can use Microsoft Intune. Office 365 users can access it through a separate subscription, while Microsoft 365 provides it out-of-the-box. The service enables the management of collections of mobile devices and the control of mobile access to Office 365 services as well as the management of mobile applications.

How can I keep control of the data being shared?

Data loss prevention (DLP) policies help address this Office 365 security challenge. When Office 365 administrators set DLP policies, automatic notifications are triggered every time you try to send an email or share a document that contains sensitive information, be it financial information or personally identifiable information (PII): credit card numbers, social security numbers, and health records. While you keep control of the data you share, administrators can monitor and block flows of sensitive data at any time.
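To make the notify-versus-block behaviour described above concrete, here is an added illustration of how a DLP policy evaluates outgoing content. It is not Microsoft's DLP engine or any code from the article: it detects two of the sensitive-information types the text names (payment card numbers validated with the Luhn checksum, and US Social Security numbers), then applies an assumed policy in which internal recipients and low volumes get a policy tip while a bulk send to an external recipient is blocked. The thresholds, the action names and the sample messages are assumptions constructed for this example.

```python
"""
Toy DLP classifier (added example, not Microsoft's DLP engine).

Scans a message body for sensitive-information types and returns the
policy action a DLP rule would take: "allow", "notify" (policy tip to the
sender) or "block".  Thresholds and sample data are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding structurally invalid areas/groups
# (area 000, 666 or 9xx; group 00; serial 0000 are never issued).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check: filters digit runs that merely look like a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    info_type: str
    count: int


@dataclass
class Verdict:
    action: str                      # "allow", "notify" or "block"
    findings: list = field(default_factory=list)


def scan(text: str) -> list:
    """Return one Finding per sensitive-information type present in the text."""
    findings = []
    cards = [m.group(0) for m in CARD_RE.finditer(text) if luhn_valid(m.group(0))]
    if cards:
        findings.append(Finding("credit_card_number", len(cards)))
    ssns = SSN_RE.findall(text)
    if ssns:
        findings.append(Finding("us_ssn", len(ssns)))
    return findings


def evaluate(text: str, external_recipient: bool, block_threshold: int = 3) -> Verdict:
    """
    Assumed policy (mirrors the notify-vs-block split the article describes):
      no sensitive data                         -> allow
      sensitive data, internal recipient        -> notify
      sensitive data, external, below threshold -> notify
      sensitive data, external, >= threshold    -> block
    """
    findings = scan(text)
    if not findings:
        return Verdict("allow")
    total = sum(f.count for f in findings)
    if external_recipient and total >= block_threshold:
        return Verdict("block", findings)
    return Verdict("notify", findings)


if __name__ == "__main__":
    # Constructed sample messages; the card numbers are well-known test numbers.
    samples = [
        ("Quarterly numbers attached.", True),
        ("Invoice ref 1234 5678 9012 3456", True),                 # fails Luhn -> allow
        ("Card 4111 1111 1111 1111, SSN 078-05-1120", False),      # internal -> notify
        ("4111 1111 1111 1111, 5500 0000 0000 0004, 3400 0000 0000 009", True),  # block
    ]
    for body, external in samples:
        v = evaluate(body, external)
        print(f"{v.action:6s} external={external} {[(f.info_type, f.count) for f in v.findings]}")
```

The Luhn check matters in practice: without it, any 16-digit invoice or tracking number would trigger the policy, and a DLP rule that cries wolf gets switched off. Real Office 365 sensitive-information types combine such checksums with keyword proximity ("card", "SSN") to cut false positives further.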

Office 365 security from the point of view of the IT administrator

Finally, we come to IT specialists who are responsible for overall corporate security. In order to ensure the protected work of the employees in the suite, IT experts can use a variety of security methods and tools in Office 365.

How can admins monitor the security of Office 365 deployment?

Office 365 business plan administrators get access to the Office 365 admin center. Using the native functions of the admin center, IT professionals can manage a wide variety of security parameters in their Office 365 solutions, including:

  • User permissions
  • Security settings in Office 365 groups
  • Security updates
  • Access rights for external users
  • Security policies
  • Reports on the security status of Office 365 apps and services, etc.

In addition, Office 365 administrators can access separate admin centers for key Office 365 apps and services such as Exchange Online, SharePoint Online, Skype for Business, and Yammer. This allows administrators to set up granular security controls in each of the Office 365 components and have a detailed view of each component.

How can admins discover Office 365 security vulnerabilities?

To keep track of Office 365 security, IT administrators can use a specialized analytical tool, Office 365 Secure Score. When analyzing the Office 365 environment, Secure Score enables Office 365 administrators to:

  • Assess the current security status of the deployment and compare it with the established baselines.
  • Discover security issues that require administrator attention to prevent a possible security breach in Office 365.
  • Receive recommendations on how to correct the identified issues and improve the overall security score.

Apart from that, Secure Score offers a comprehensive risk assessment and shows the risk that the company encounters if it does not take any action.

What measures should administrators take to minimize the risk of cyberattacks?

We live in a cyber-insecure world where a large number of breaches happen every day, so it would be naive to expect that Office 365 will not attract attackers.

At present, brute-force attacks and email-related attacks targeting the Exchange Online service are clearly prevalent. In 2016, there was a massive ransomware attack on millions of Office 365 users. As of May 2017, organizations around the world have reported targeted "KnockKnock" attacks on their Exchange Online accounts.

Taking this trend into account, IT administrators should pay particular attention to password policies and should enable and continuously monitor Office 365 email security. It can also be useful to run penetration tests at least once a year to check the security of the Office 365 environment.
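"Continuously monitor" is easy to say; the added example below shows what the monitoring actually looks for when the threat is credential guessing against Exchange Online accounts, as the passage above describes. It is not a Microsoft tool and not code from the article: it runs two defender-side rules over sign-in records, a per-account brute-force rule (many failures for one account from one source) and a password-spray rule (one source failing against many different accounts, the pattern that classic per-account lockout thresholds miss). The log format, the sample entries, the IP addresses and the thresholds are all constructed assumptions; real Office 365 sign-in data comes from the unified audit log or Azure AD sign-in logs and needs a parser for that schema.

```python
"""
Sign-in log analysis for credential-guessing patterns (added example).

Not a Microsoft tool.  The 'ts user=... src=... result=...' line format,
the thresholds and the sample log are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    success: bool


@dataclass(frozen=True, order=True)
class Alert:
    rule: str        # "brute_force" or "password_spray"
    src_ip: str
    target: str      # account for brute_force, "*" for password_spray


def parse_line(line: str) -> SignIn:
    """Parse one constructed 'ts user=... src=... result=...' record."""
    ts_text, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return SignIn(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        user=fields["user"].lower(),
        src_ip=fields["src"],
        success=fields["result"] == "OK",
    )


def detect(events, window=timedelta(minutes=10), bf_threshold=5, spray_threshold=4):
    """
    Slide a window over failed sign-ins and raise:
      brute_force    : >= bf_threshold failures for ONE account from ONE source IP
      password_spray : ONE source IP failing against >= spray_threshold DISTINCT accounts
    Returns a sorted, de-duplicated list of Alert objects.
    """
    failures = sorted((e for e in events if not e.success), key=lambda e: e.ts)
    alerts = set()
    for i, first in enumerate(failures):
        same_user = 0
        users = set()
        for e in failures[i:]:
            if e.ts - first.ts > window:
                break
            if e.src_ip != first.src_ip:
                continue
            users.add(e.user)
            if e.user == first.user:
                same_user += 1
        if same_user >= bf_threshold:
            alerts.add(Alert("brute_force", first.src_ip, first.user))
        if len(users) >= spray_threshold:
            alerts.add(Alert("password_spray", first.src_ip, "*"))
    return sorted(alerts)


def analyze_log(text: str) -> list:
    """Convenience wrapper: raw log text in, alerts out."""
    return detect([parse_line(l) for l in text.splitlines() if l.strip()])


# Constructed sample: a user mistyping twice, a brute-force run against one
# account, and a spray across five accounts.  IPs are documentation ranges.
SAMPLE_LOG = """\
2017-05-12T08:00:01Z user=alice@example.com src=192.0.2.10 result=FAIL
2017-05-12T08:00:09Z user=alice@example.com src=192.0.2.10 result=FAIL
2017-05-12T08:00:20Z user=alice@example.com src=192.0.2.10 result=OK
2017-05-12T08:30:00Z user=alice@example.com src=203.0.113.7 result=FAIL
2017-05-12T08:30:05Z user=alice@example.com src=203.0.113.7 result=FAIL
2017-05-12T08:30:11Z user=alice@example.com src=203.0.113.7 result=FAIL
2017-05-12T08:30:16Z user=alice@example.com src=203.0.113.7 result=FAIL
2017-05-12T08:30:22Z user=alice@example.com src=203.0.113.7 result=FAIL
2017-05-12T08:30:27Z user=alice@example.com src=203.0.113.7 result=FAIL
2017-05-12T09:00:00Z user=bob@example.com src=198.51.100.23 result=FAIL
2017-05-12T09:01:00Z user=carol@example.com src=198.51.100.23 result=FAIL
2017-05-12T09:02:00Z user=dave@example.com src=198.51.100.23 result=FAIL
2017-05-12T09:03:00Z user=erin@example.com src=198.51.100.23 result=FAIL
2017-05-12T09:04:00Z user=frank@example.com src=198.51.100.23 result=FAIL
"""

if __name__ == "__main__":
    for a in analyze_log(SAMPLE_LOG):
        print(f"{a.rule:15s} src={a.src_ip:15s} target={a.target}")
```

The spray rule is the one worth tuning: an attacker who paces one guess per account per hour never trips a ten-minute window, so production detections also count distinct accounts per source per day, and a password policy plus multi-factor authentication limits what a successful guess is worth in the first place.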

Be proactive about your Office 365 security

Although Office 365 is a cloud platform from Microsoft, do not assume that Microsoft is solely responsible for the security of your solution. Yes, the corporation goes to great lengths to implement various security features that its customers can use, and the protection of the cloud platform itself can hardly be questioned.

At the same time, your Office 365 solution is yours, so only you can take full control of your Office 365 environment and users. Security is one of the things it is important to be proactive about. Do not wait for a real attack to disrupt your Office 365 deployment; take preventive measures. If you don't have the in-house resources to address security challenges, you can always turn to an Office 365 advisory team to help you build robust security that is tailored to your organization.

What are your Office 365 security concerns? What tools do you use, and which technologies are more effective for your Office 365 deployment? Feel free to share your experience in the comments below.

Benefit from the cloud-based collaboration in your company! Our consultants will help you make your Office 365 project a success.