Natalia Merzlyakova - Fotolia
Microsoft Office 365, the company's subscription-based services product suite, is king of the hill in the cloud-based email systems market. And while Office 365's full-service product line includes security components, there is no such thing as too much security. That's an important consideration because some security functions, such as advanced persistent threat (APT) protection, are only provided in more expensive subscription tiers. The fact that some security features are extra-cost options opens the door to other vendors' offerings engineered to augment Office 365 email security.
Core Office 365 services span the gamut
While many people think of Office 365 as email, it offers much more than that. Microsoft's Outlook Web Access was once considered only a browser-based email access tool but now it is a feature-rich, collaborative environment that has been extended to provide access to Microsoft Office applications.
The Office 365 services you use will necessarily influence the security features you need -- whether from Microsoft or from a third-party vendor -- so a brief overview of the services is in order.
In addition to email, Office 365 includes SharePoint, OneDrive and Skype for Business. SharePoint is a content management system and collaborative web application launched more than 18 years ago. It can be used for simple, team-based web applications and documents as well as for more complex, custom-developed applications. OneDrive is a file hosting and syncing service similar to Google Drive, Dropbox and others. Skype for Business, formerly known as Lync, provides instant messaging, as well as VoIP gateway features and functions. Each one has its own security requirements. Let's examine security options for email. A future article will address protection alternatives for SharePoint, OneDrive and Skype for Business.
Office 365 email protection options
Email security is a given. For years, that largely meant reducing junk mail and keeping out viruses -- both spam and malware. While both issues remain important, features designed to combat phishing are arguably the most important elements of Office 365 email security today.
Microsoft bundles its anti-phishing and zero-day malware support as part of its Office 365 Advanced Threat Protection add-on. While it might seem simplest to license Microsoft's anti-threat protection, it's fairly easy to implement alternative, third-party anti-phishing options.
For example, to use a third-party secure email gateway instead of -- or in addition to -- Microsoft's offering, configure email domain name system entries to point email at the third-party gateway. That gateway, in turn, is configured to forward acceptable email to the Microsoft Office 365 system for delivery to the user's inbox.
Many options exist for Office 365 email security. Along with long-time security vendors such as Symantec and McAfee, newer entrants such as Proofpoint and Mimecast market products with similar capabilities.
Choosing the right gateway
Email gateways differ from each other much more than other types of network infrastructure. Where one LAN switch will do the same job as another -- maybe faster, maybe cheaper -- that's not the case with email gateways.
Spot-checks conducted by The Tolly Group have revealed gateways so porous that they have allowed basic viruses and days-old phishing attacks to pass through unrecognized.
Complicating the situation is that it's difficult to pin down the features offered by various gateway vendors. If they want your business and you are a big enough customer, they should be willing to provide details revealing how they deliver the accuracy they claim to have.
With email gateways, take nothing for granted. Make sure your vendor knows you will monitor advancements in the art of threat protection, and they should not assume you will remain a customer forever.
Data loss protection
While users generally focus on what's coming into the inbox, let's not forget security threats related to outbound mail. Malware isn't the only way to compromise your data. A disgruntled sales rep planning to leave the company might use email to send a confidential customer list from his corporate account to a private account, for example.
Data loss protection (or prevention, a term favored by some vendors) is an important email security consideration. Assess gateway security products that have the capability to apply company policies to external emails to ensure they don't have any customer or personally identifiable information. This will help ensure your corporate system isn't a conduit for unauthorized or confidential information.
The bottom line on Office 365 email security: Once you decide on your security product, don't just cross it off of your to-do list. Attackers are forever busy and you need to be ever vigilant.