In meeting with customers I’ve found a strange split in the way people approach security with Office 365. Companies that historically have a culture that puts security front and center seem to feel using Office 365 sacrifices some control of security. Customers who have been less focused on security are often relieved that, at first blush, Office 365 doesn’t present a lot of security options they need to worry about. Accounts? Check. Passwords? Check. Groups and security settings that are mostly familiar from AD, Exchange, and SharePoint? Check, check and check, we are ready to get to work. The truth of it is that both of these takes on online security have some validity.
“Let it go?”
If you are used to exercising complete control over your environment’s security you may feel let down by the default setup of Office 365. The default settings are sprinkled with options that allow users to invite people outside your organization to view and edit content; control seems very diffuse and difficult to see from a high level. Syncing or federating Azure AD with on-premises AD can require some uncomfortable holes in your firewall, and trying to explain your concerns to the executive staff that is putting its weight behind Office 365 can often be met with shrugs and indifference. As people wax poetic about “The Cloud” you just keep thinking “The Cloud is just someone else’s server!” Bring your own device policies and mobility first strategies can just feel foreign and wrong, but everyone else keeps telling you to let it go.
“Set it and Forget It”
You’ve never set up a domain, a mail server, a file server, a firewall, a DMZ, and all the assorted bits and pieces of technology that have become ubiquitous in business over the last 30 years or so? Or, you have set up some of those things and hope to never do so again. You logged into Office 365, hired some consultants to migrate your mail systems, SharePoint, and convert all those personal file shares to OneDrive for Business. It works. People can log in, users mostly manage their own passwords, the same mail team that managed the in-house Exchange server manages mail, the people who managed SharePoint seem to be getting by just fine. Why mess with success?
The Middle Path
At the risk of turning this into an essay on argument and dialectic, these two approaches to Office 365 are not incompatible. There’s a big gray area between them that deserves some serious examination and a lot of that gray area is addressed in Security and Compliance. Each area of Office 365 (OneDrive, Exchange, Skype, SharePoint, etc.) has security options of its own, sharing configurations, permissions, roles, retention, all powerful and useful in their areas. Office 365 Security and Compliance tools has begun to consolidate some of the most important aspects of these tools. E-Discovery is a good example. SharePoint 2013 and Exchange 2013 on-premise installations where the first time we saw the in-place hold and e-Discovery tools that later moved into the O365 versions of each, almost without change. Microsoft is now unifying both into a single area of Security and Compliance, giving users the opportunity to create an in-place hold that spans across the ecosystem in one place.
There isn’t enough space in this blog, or even this website unless the executives at PAIT Group decide to make it my full-time job, to cover even the basics of what you can do with Security and Compliance today (and this list is growing) but if any of these items may be important to your organization:
- Office 365 Cloud App Security
- Threat management such as mail filtering and anti-malware
- Advanced threat management such as customer lockbox and threat explorer for phishing campaigns
- Mobile device management
- Data loss prevention
- Data governance
- Advanced data governance
- Search and investigation
- eDiscovery search
- eDiscovery export
- Advanced eDiscovery
- Litigation Holds (including query-based Litigation Holds)
- Manual retention/deletion policies
You will want to explore the Office 365 Security and Compliance tools. If tuning or changing none of those areas interests you there are still dashboards and reports for many of them to give you an overview. SPAM, overall mail activities, malware attacks are all logged for example. There is a library of over 75 FAQs and white papers trusted by Microsoft to assist with things ranging from HIPAA Compliance Implementation to protecting against denial-of-service attacks. You already have these things, you might as well give them a look.
You can customize compliance reports for any policies you do create, and if you just take everything from the defaults you at least get updates and guidance from the reports that are already available.
Figure 1: Ever wonder about any of these things?
Figure 2: I had this whole example scenario about using some of the reports to find out who spends all their time sending emails instead of doing useful work. I pull up the report and find out I am the fourth highest email user in our organization. Now I know the more emailing you do, the harder you are working. Knowing is half the battle, kids.
So, where should you start? Luckily Microsoft has already compiled a LOT of information for you. A good place to begin is Plan for Security and Compliance in Office 365 . There you will be able to learn about the “Secure Score”, Email Policies, permissions for accessing the Security and Compliance center itself, as well as some overview documents that give you a good idea of what is possible with these tools. I should probably take a second to mention, the “Secure Score” is not a measurement of how secure your environment is, it is a scoring of how many of the tools available to you are in use. Don’t panic if you see a score of something like 65 out of 364, it just means you have a lot of tools to explore.
“Set it and Forget It” is an option that is hard to keep over the long term, but the baseline security of Office 365 is a solid place to begin. Awareness of the tools Microsoft makes available to you will begin with keeping an eye on the reports you already have access to and knowing what other information can be provided with a little setup. Like many tools provided by Microsoft the surface of Office 365 looks like a complete solution by itself, but if you dig past the check boxes in front of you, additional layers of power appear. These layers may require more effort and are more complex, but they lead to possibilities you may not expect.
These days almost every time I say, “I wish there were a tool that would allow me to do X” a quick internet search will show me where Microsoft has already anticipated my request. From PowerShell in the cloud, to robust data policies, Office 365 does not offer the same tools as an on-premise environment, but in many ways, you will find more oversight and control in the default tools than you would be able to provide with thousands of dollars in 3rd tools and equipment in the past. All these tools are already part of your subscription, so at very least you owe it to yourself to be aware of them, and maybe you will find they provide solutions to problems that have plagued you in the past, whether you were in the “hands off” camp for managing your environment, or a “complete control” administrator from way back.
As this project goes forward I expect more report and policy options to disappear from the various admin panels for specific parts of Office 365 and consolidate into the Security and Compliance admin panel so you may find yourself looking in there no matter what I write, but do yourself a favor and give it a chance now. If you happen to find any great solutions to a problem you have wanted to tackle for some time, we here at PAIT would love to know about it so we can share with others. That is what PAIT stands for: “Powerful Alone, Invincible Together”.