How to safely enable Microsoft Office 365
How can businesses enable Office 365 and its rich ecosystem of supporting apps securely without risking security issues or data loss, asks Eduard Meelhuysen.
Eduard Meelhuysen, VP Sales and MD EMEA at Netskope
With over 1.2 billion users globally, Microsoft's Office is ubiquitous in workplaces all around the world. According to the Netskope Cloud Report, the suite is one of the top 10 most-used apps in enterprises.
The good news for businesses is that Office 365 has a strong security posture. The suite is rated “high” in the Netskope Cloud Confidence Index, a security assessment adapted from criteria set by the Cloud Security Alliance. Office 365 boasts key third-party certifications, flexible security settings, and privacy features, but the fact that the suite is inherently enterprise-ready does not mean that security teams can rest easy just yet.
Such high enterprise penetration levels, combined with extensive reach and features, mean that Office 365 merits careful attention from a security perspective. Companies should be considering how best to safely enable Office 365: ensuring visibility into usage and data movement, and putting policies in place to protect against both internal and external threats.
So how can businesses enable Office 365 and its rich ecosystem of supporting apps securely without risking security issues or data loss?
Extending access and usage policies to Office 365
Businesses should extend their best identity and access management (IAM) practices to Office 365 and any integrated apps, as well as other business-critical cloud apps. Here are some examples of the key best practices for IT teams to consider and implement:
- Right-size administrative privileges. Consider employing a “least privilege” model in Office 365. Rather than offering full administrative privileges across the suite, split privileges between two admins – with one taking responsibility for Exchange, and another owning OneDrive, for example. This avoids any single admin having full access.
- Extend single sign-on (SSO). Whether you're using Azure Active Directory (AD) or a third-party SSO provider, extend your SSO framework to Office 365 apps, apps in its surrounding ecosystem, and other business-critical apps.
- Enforce granular access and usage policies. Enforce specific policies based on activity, content, device, geo-location, AD group, and other cloud apps. Policy should be explicit and aimed at preventing specific activities, such as stopping insiders from sharing content outside of the company. For example, if you want to block users from uploading content to cloud storage apps in order to steer them towards OneDrive, enforce that policy across all cloud apps and coach users on the reasons for it, so that the block does not simply cause frustration. Don't forget to extend any such usage policy to the ecosystem apps that may share data with Office 365.
- Coach users to use Office 365. Run a discovery process to uncover any unsanctioned cloud apps providing similar functionality to Office 365. Then coach users away from these unsanctioned apps by automating a workflow which leads them towards the same functionality in Office 365.
- Log user and admin activity. Record activity for all users and admins in detailed audit logs. These logs should cover all apps in the suite including Exchange, OneDrive, Yammer, Lync, and SharePoint, and the logs also need to cover any ecosystem apps which could form part of an audit trail. Consider a departing user who downloads company assets from OneDrive, uploads this content to any other cloud storage app and then shares it with his new employer. This information needs to be included in a post-event audit, but you won't have the full picture unless you're monitoring apps outside the Office 365 suite.
- Think mobile and remote for all access and usage policies. Microsoft's Intune mobile device management (MDM) is built into Office 365. Ensure all devices accessing these apps meet your configuration requirements and that you can control access and wipe data from devices. Extend granular usage policies to mobile, and at this point it's helpful to differentiate between corporate- and employee-owned devices. This enables you to set a policy to allow downloads from OneDrive to corporate devices only, for example.
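To illustrate the audit-trail point in the logging practice above, here is an added Python example (not code from the article or from Netskope) that correlates a OneDrive download with a later upload of a same-named file to an app outside the Office 365 suite, the departing-user scenario described. The record shape, the users, and the "ThirdPartyStorage" workload name are constructed assumptions, not captured log data.

```python
from datetime import datetime, timedelta

def rec(ts, user, op, workload, obj):
    return {"CreationTime": ts, "UserId": user, "Operation": op,
            "Workload": workload, "ObjectId": obj}

# Constructed sample records (assumption, not captured log data). Field names
# mirror unified audit log entries; "ThirdPartyStorage" is a placeholder app.
AUDIT_LOG = [
    rec("2016-05-02T09:12:00", "j.doe@example.com", "FileDownloaded", "OneDrive",
        "/personal/j_doe/Documents/Q3-forecast.xlsx"),
    rec("2016-05-02T09:40:00", "j.doe@example.com", "FileUploaded", "ThirdPartyStorage",
        "/shared/Q3-forecast.xlsx"),
    rec("2016-05-02T10:00:00", "a.lee@example.com", "FileDownloaded", "OneDrive",
        "/personal/a_lee/Documents/Roadmap.pptx"),
    rec("2016-05-02T10:05:00", "a.lee@example.com", "FileUploaded", "SharePoint",
        "/sites/product/Roadmap.pptx"),          # sanctioned destination: no alert
    rec("2016-05-02T11:00:00", "j.doe@example.com", "FileUploaded", "ThirdPartyStorage",
        "/shared/cat.jpg"),                      # no matching download: no alert
    rec("2016-05-01T08:00:00", "m.kim@example.com", "FileDownloaded", "OneDrive",
        "/personal/m_kim/Documents/Budget.docx"),
    rec("2016-05-03T09:00:00", "m.kim@example.com", "FileUploaded", "ThirdPartyStorage",
        "/shared/Budget.docx"),                  # 49 h later: outside a 24 h window
]
SUITE_APPS = {"OneDrive", "SharePoint", "Exchange", "Yammer", "Lync"}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
def _basename(path):
    return path.rstrip("/").rsplit("/", 1)[-1].lower()

def detect_download_then_external_upload(records, window=timedelta(hours=24)):
    """Flag users who download a file from OneDrive and, within `window`, upload
    a same-named file to an app outside the suite. Sorted by upload time."""
    downloads = {}  # (user, filename) -> list of download timestamps
    for r in records:
        if r["Operation"] == "FileDownloaded" and r["Workload"] == "OneDrive":
            key = (r["UserId"].lower(), _basename(r["ObjectId"]))
            downloads.setdefault(key, []).append(_parse(r["CreationTime"]))
    alerts = []
    for r in records:
        if r["Operation"] != "FileUploaded" or r["Workload"] in SUITE_APPS:
            continue  # uploads inside the suite are sanctioned; ignore them
        key = (r["UserId"].lower(), _basename(r["ObjectId"]))
        up_at = _parse(r["CreationTime"])
        if any(timedelta(0) <= up_at - d <= window for d in downloads.get(key, [])):
            alerts.append({"user": key[0], "file": key[1], "uploaded_at": up_at,
                           "uploaded_to": r["Workload"]})
    return sorted(alerts, key=lambda a: a["uploaded_at"])
```

Widening the window shows why the look-back period matters: the same records yield two alerts at 72 hours but only one at the 24-hour default.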
As well as looking at policy, organisations should also discover and inspect data at rest and in motion, and identify internal and external security threats including risky users and unusual behaviour – before taking steps to mitigate any risks posed.
Because it is inherently secure and so prolific in today's enterprise, Microsoft Office 365 is sometimes overlooked by IT teams thinking about cloud app security. But by extending the best practices you employ in your environment today to Office 365 and its surrounding ecosystem apps, you can safely enable the suite for your enterprise and reduce the risk of security issues or a data breach.
Contributed by Eduard Meelhuysen, VP Sales and MD EMEA at Netskope