With the cloud comes security concerns. It's as simple as that. Vendors can promise all they want, but there's no practical way to verify what's actually happening behind the scenes. Microsoft's Office 365 is no different. Given the criticality of your office applications and the information that passes through and gets stored on them, security needs to be a top priority. Microsoft is clearly asking for our trust with their core tenets related to Office 365 security features:
- built-in security
- privacy by design
- continuous compliance
- transparent operations
Microsoft also touts the top 10 privacy and security features of Office 365, including some big concerns -- such as encrypting data in transit and at rest, regularly backing up data, and hosting customer data in-region. We all know that talk is cheap. So what is Microsoft really doing in order to make Office 365 a compelling solution for business applications that, at the same time, minimizes security risks? As it turns out, quite a bit. There have been many Office 365 security features that all but the most paranoid IT and security professionals could get on board with, including the following:
- E-discovery to preserve data and assist with forensics investigations and requests;
- Exchange Online Protection for filtering spam and malware from email;
- Azure Active Directory (AD) Privileged Identity Management that can help manage admin-level Office 365 accounts and access;
- Azure AD for cloud, synchronized and federated identities, including multifactor authentication;
- Azure Identity Protection that monitors for suspicious activity on Office 365 accounts and invokes additional security measures to minimize risks in real time;
- data loss prevention policies across Office 365 applications, including Exchange and OneDrive;
- encryption-- Transport Layer Security for data in transit and Advanced Encryption Standard for data at rest across Office 365 applications; and
- mobile device management across the major smartphone platforms via Intune.
More recently, Microsoft introduced Advanced Threat Protection (ATP) to augment Exchange Online Protection and protect Office 365 users and their systems from zero-day malware attacks. Office 365 security features Safe Links and Safe Attachments provide real-time protection against malicious links and attachments. Additional ATP security controls announced earlier this year called URL Detonation and Dynamic Delivery take these controls to the next level by proactively analyzing the links and attachments to further minimize the risk of infection and exploitation.
In the spirit of continuous improvement, Microsoft also announced recently three new Office 365 security features and governance features:
- Office 365 Secure Score analyzes your current Office 365 configuration and provide recommendations for improvements as well as long-term analytics.
- Office 365 Threat Intelligence Private Preview helps you leverage Microsoft's threat intelligence resources in order to find and analyze threats in your own environment.
- Office 365 Advanced Data Governance helps with your data classification, archival and retention programs.
I've never had 100% of buy-in on cloud-based security features and, knowing what I know, I don't think that I ever will. Again, there is no way of fully understanding -- or validating -- what's going on behind the scenes. All it takes is one rogue employee or system oversight. Still, if we're going to enjoy all of the benefits cloud computing has to offer, we're going to have to trust our vendors -- in this case, Microsoft -- to do the right things. At the end of the day, the Office 365 security features that Microsoft is integrating rival or surpass those found in the most mature of enterprise security programs. All things considered, I think odds are good that sensitive information assets processed and stored in Office 365 are about as secure as they're going to get.
How malware authors may be using Office macros and how Microsoft is responding
The latest on MS Office and multifactor authentication
What is GDPR compliance and how it will aid Office 365 users