Best Practices and Solutions for Securing Enterprise Data in Office 365 (O365)
17 IT and security professionals discuss the best practices and solutions for securing enterprise data in Office 365.
Office 365 is widely used by enterprises around the world for its ease of use, seamless integration, mobile access, and enhanced productivity. While Office 365 offers a number of built-in data protection features, those features alone are usually not enough for the robust security posture required by the modern enterprise.
To gain some insight into the best practices and solutions for securing enterprise data in Office 365, we reached out to a panel of security pros and asked them to answer this question:
"What are the best approaches and solutions to securing data in Office 365?"
Meet Our Panel of Security Professionals:
Read on to learn what our experts have to say.
Daniel Schutzsmith is the Digital Technology Manager / Senior Web Developer of Amnesty International USA and an adjunct professor at SUNY New Paltz.
"The first and quickest thing you should do to secure O365 is to..."
Enable two factor authentication. Two factor authentication, also commonly called 2FA, ensures that the user has access to a trusted device setup in their Office 365 environment, such as a cell phone with a lock screen.
Second, because breaches can happen, I recommend putting some extra measures in place to protect the files on your Office 365 from prying eyes. Products like Digital Guardian's Cloud Data Protection can secure your files and even remove files from the cloud based on protection policies you administer.
Another great tool I've discovered for securing your files is a pay-what-you-want application called Cryptomator. Essentially it will encrypt all of your files that go into the cloud so that if someone did gain access to them, they wouldn't be able to open them at all.
Lastly, I suggest setting your password expiration for at the most every three months. This will force all users inside your organization to reset their passwords regularly.
Yes, it can be a hassle to change passwords frequently, but consider using a password manager such as 1Password or Last Pass for your whole organization to make it much easier for them to create new, secure passwords and remove the hassle of having to remember them.
Michael Fimin, an accomplished expert in information security, is CEO and co-founder of Netwrix, the company that introduced the first visibility platform for user behavior analysis and risk mitigation in hybrid IT environments. Netwrix is based in Irvine, CA.
"Cloud technologies like Office 365 present organizations with a range of opportunities for competitive advantage..."
However, according to the 2016 Netwrix Cloud Security Report, security and privacy of data and systems in the cloud are a top worry for 70% of IT professionals; they are mainly concerned with unauthorized access (69%), malware (37%), and denial of service attacks (34%).
I would suggest three tips to ensure security of data in Office 365:
- Have visibility into user activities. Without a clear understanding of what is happening in the cloud environment, organizations cannot have control over their business-critical data and protect their assets against unauthorized access. Companies need to ensure that they have an integrated view of critical changes in the IT environment and enable continuous monitoring of user activities, including successful and failed access attempts for all critical systems and data.
- Use advanced analytics to reduce risks. Although Microsoft provides the Office 365 Secure Score to help customers evaluate their security posture, organizations still need additional solutions to identify and mitigate risks based on regular activities and security settings. The growing adoption of technologies like user and entity behavior analytics (UEBA) will enable organizations to better understand their weak points and fix security holes faster.
- Use multi-factor authentication. Multi-factor authentication makes it harder for hackers to break into organizations' IT environments. Even if a user's password is compromised, Office 365 account will be still protected: a culprit won't be able to access the account until he acknowledges a phone call, text message, or an app notification on the smartphone.
Taylor Toce is President & CEO of Velo IT Group, a managed IT services provider focused on providing businesses with the technology and support they need to achieve maximum velocity in their markets. Taylor has a proven track record leveraging IT solutions to help clients gain efficiency and improve profit margins.
”Using cloud services like Office 365 comes with security concerns that need to be addressed by organizations during adoption..."
The good news is that Office 365 has built-in security controls, data retention policies, and even data loss prevention measures that can assist IT administrators and organizations in securing their cloud-based data.
However, simply accepting the default policies in place may not adhere to your organization’s security guidelines. Leveraging a managed security services provider to provide ongoing security services for your organization can help to secure your O365 environment.
Some organizations elect to secure data outside of the Office 365 platform in order to further retain data, add additional recovery points, and meet regulatory or corporate security protocols. These third-party applications allow you to pack up all your Office 365 data, including not just email, but also OneDrive, SharePoint, and other data in a location outside of the Office 365 system.
Payton Moyer, President & COO of ManagedLab Services / MLS Technology Group, has been in the IT industry for almost 20 years.
"Over the years, we have worked with thousands of users spread across dozens of clients in both on-premise and cloud solutions..."
One of the most widely adopted cloud solutions that we have seen is Office 365.
However, securing and protecting your data in Office 365 from unauthorized access, theft, and/or data loss are all areas that are frequently overlooked by both internal IT departments and external experts. The following three steps will help you secure your Office 365 environment.
- Prevent Unauthorized Access - Complex passwords and changing your password every 30/60/90 days just isn't enough anymore. Hackers are far too advanced today where they will harvest your credentials either through a successful phishing attack, social engineering, or by hacking a website where you registered your work email address and password. In fact, your credentials may even be for sale on the Dark Web for anyone to buy. Preventing this type of unauthorized access is fairly easy. You simply need to enable Multi-Factor Authentication (MFA) for your Office 365 account. This will require both your password plus a randomly generated six-digit code every time you try to access your Office 365 data. You should still require password changes every 30/60/90 days, but having MFA enabled essentially changes your password every 30 seconds.
- Prevent Data Theft - By default emails sent are unencrypted and can easily be intercepted and read. Office 365 has a built-in feature called email encryption, but it is not enabled by default. Our recommendation is to turn the feature on and enable it to encrypt emails in one of two ways. First, is a trigger word in the subject line such as Encrypt or Secret. The second is by implementing a set of rules that look for confidential information such as SSN or CC information and, if found, automatically encrypt the email. This solution is easy to implement and protects your data from being stolen while in transit.
- Prevent Data Loss - Although Office 365 has generous storage allocation for both files and email, the built-in recovery options are limited and are more designed to not lose your current data. What about your historical data? If data was deleted or corrupted 15 days ago and the data retention is 14 days, you just lost the file. This is why we highly recommend a third-party backup solution for Office 365 – so you control the data retention.
Puneet Gangal is the CEO and Founder of Aciron Consulting, a business management and technology consulting firm based in Boston, MA, with a focus on the client's specific needs and helping them achieve greater efficiencies in business/IT alignment. He has over 20 years of technology and management consulting experience.
"One best practice for securing data in Office 365 is to..."
Configure Data Loss Prevention policies, so that users can't accidentally or intentionally share sensitive data, such as financial data or personally identifiable information. You can identify documents and emails that contain sensitive data and prevent them from being shared with unauthorized parties. Depending on the needs of your organization, a third-party DLP tool can extend built-in features to ensure data security.
Another best practice is to configure multi-factor authentication (MFA). Having a strong password policy is essential, but passwords can still be compromised. So one quick win for improving security in Office 365 is enabling MFA. MFA helps you add a layer of security beyond passwords. After users enter their password, they are asked to verify their identity using their phone. MFA is easy to set up, as it's a setting that you can simply turn on with the click of a button.
Finally, Office 365 offers a few built-in tools that can assist you in your security strategy. You can enable alerts through the Office 365 Cloud App Security to monitor unusual activity like large data downloads, repeated failed sign-in attempts, or sign-ins from unknown IP addresses. The Office 365 Secure Score is a new security analytics tool that allows you to check how secure your Office 365 configuration is. In addition to giving you a rating, this tool analyzes your security setting and provides actionable tips for improving your security policies.
Stephen Ostendorf is a former Consultant and Enterprise Architect who is currently the President of XMS Solutions, Inc., a Microsoft Partner and Professional Services provider. The goal of XMS is to build solutions on Microsoft Technologies that allow for collaboration and security without limitation.
"These are the most important steps for securing data in Office 365..."
- Understand your priorities. The first step in protecting information is understanding which information is most valuable. Many years ago, information technology departments held the sole responsibility for data and made unilateral decisions without consulting the business. These days, IT needs to view itself as providing a service to the business. Part of this service is working together to understand what information and systems are most valuable. There is a balance between information usability and security. As you protect data more strongly, it becomes more difficult to use. For this reason, a one-size-fits-all classification model is not usually a good idea. A standard practice is to define three or four classifications for data, from least important to mission-critical information, which requires the strongest protection.
- Define and implement a corporate security policy. Now that you have defined and agreed to priorities, you can use those to begin building a global security policy. This will take some time as there are many parties who need to be consulted. This is where you decide on policies for things like password complexity, permissions, retention policies, encryption, and so on. This is the most complex and time-consuming step in the process. The good news is that once it is finished, you have a clear direction in which to focus.
- Synchronize with Office 365. This may seem like something that could go without saying, but it is surprising how many organizations think that they can get by managing Office 365 separately from their on-premise identities. Yes, it takes a little extra hardware and administration to connect to Office 365, but it is well worth it. Synchronizing with Office 365 allows you to implement your security policy centrally and to manage identities from a single source. For example, when a user is disabled in your on-premise directory, there are no extra steps to disable the person in Office 365, and you don't have to worry about a terminated employee retaining access to corporate resources. With the addition of things like Azure Active Directory Pass-Through Authentication, it is easy to do.
- Centralize, automate and lock down identities. When people think of data breaches, they think of the hackers on TV who are sitting in front of their computer screens, somehow writing code on the fly which will break into networks or steal information. However, far more prevalent are the social engineers who use psychology and phishing to capture user identities. Given the right user name and password, a hacker could gain access to absolutely anything on your network, and by extension, Office 365. Centralizing identities means users access all applications, servers, and workstations using a single account which follows the concept of least privilege and requires multiple forms of identification. This user can request more elevated permission which initiates an approval work flow, and permissions are granted on a temporary basis.
- Use third-party software and services. There are some very good reasons to work with good third-party solution providers. Much of the benefit boils down to your organization's time and resources. Often organizations have the time but not the right resources, or have the resources but not the time. Working with a third-party services provider allows you to leverage deep experience and expertise without a significant time investment from your internal resources who need to focus on their day-to-day tasks. Defining a strategy alone can be a huge undertaking and having the help of someone who has done it before can be a significant benefit.
Rick Deacon is the founder/CEO of Apozy, a cybersecurity company that created NoHack, which stops phishing, ransomware, and other web-based attacks in the browser.
"When it comes to Office 365 security..."
Companies need to bear in mind that they are essentially using a web-based cloud service for all of their business communication. This comes with a few challenges:
- User data is in the cloud in a multi-tenant environment. This means that the security of Microsoft & Outlook is paramount. Their ability to update and keep data safe determines most of the safety of your data. In order to improve this, make sure sensitive data is encrypted in communication.
- Users are in the browser most of the time. This means that traditional antivirus solutions and network perimeter security tools are not enough. They can't protect the browser. The best solution for this problem would be to implement a tool that uses Native Browser Isolation or Implemented Browser Isolation. These tools limit the exposure to malicious pages.
- More phishing attacks mimic Outlook 365. Since Outlook 365 and Gmail both are browser-based, it's easy to mimic their logins to try to steal sensitive credentials. In this case, they're stealing corporate credentials. A good mitigation for this issue would be Native Browser Isolation (see above) and two-factor authentication combined with good user training.
Rishi Khanna is a passionate entrepreneur and CEO. He leads ISHIR, a global offshore technology organization and other high growth companies. Rishi has been part of the outsourcing industry since 1999 and has successfully implemented strategic outsourcing and offshore programs in IT, Cloud, Mobile/IoT, BPO, and Digital Marketing functions.
”Enterprises upload incredible amounts of data onto Office 365 each day..."
They use OneDrive, SharePoint Online, and Yammer to share data across the enterprise. Despite a robust platform, Office 365 is not devoid of security concerns. There are surreptitious hackers who are constantly working towards newer ways to gain unauthorized access to critical enterprise data. One of the most critical things that most of the enterprises skip is making the best of Office 365's built-in security. We recommend IP filtering, single sign-on, multi-factor authentication, and message encryption to strengthen the way that data is protected in enterprises.
IP filtering will curb extranet access to Office 365 or any other cloud service of the enterprise. Microsoft supports IP filtering like IP Whitelist and Trusted IPs. Single sign-on for OneDrive, SharePoint Online, Skype, Exchange, and Yammer makes it easier and more effective to manage password policies. With multi-factor authentication, third party access is difficult and adds an additional layer of security. In addition, it is best to send encrypted messages when sharing sensitive data.
Tunde Odeleye is the Sr. Manager of Security Services / Cybersecurity Architect for PCM, Inc.
"Several strategies exist for securing cloud assets such as Office 365..."
However, the most effective strategies include:
Multi-Factor Authentication: Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism.
As the name implies, multi-factor authentication requires more than just a username and password to login to Office 365, and it can be set up on a per-user basis. Users first authenticate with a username and password, and then they'll either receive a phone call or text message (depending on the configuration) and they must answer the call or enter the access code received via text into the browser. Additionally, source-based authentication with IP addresses can be whitelisted, meaning when users are in your office, they don't need to use multi-factor authentication, but if they’re outside the office, it will be required. Multi-factor authentication is a free feature available on all Office 365 plans.
Advanced Threat Protection: A threat management strategy for Office 365 involves identifying a potential threat's intent, capability, and probability of successful exploitation of a vulnerability. Office 365 provides robust email protection against spam, viruses, and malware with Exchange Online Protection. Office 365 also offers Advanced Threat Protection (ATP), an email filtering service that provides additional protection against specific types of advanced threats. However, a third-party solution might be necessary.
A robust ATP solution detects infections with certainty, terminates their threat activity, detects malicious files (malware), and tracks suspicious behavior over time in the network, delivering actionable information about known and unknown threats regardless of the infection's source, entry vector, or OS of the device compromised.
Lisa Rivera is the product manager at Specops Software, a password security company with over 2,000 clients across the globe.
"The single most important approach to securing data in Office 365 (O365) is..."
Ensuring that user login is secure by moving away from relying solely on password-based authentication. In the Microsoft Security Intelligence Report, Volume 22, Jan - Mar 2017, Microsoft states that there has been a 300% increase (2016/2017) in O365 compromised user accounts mostly due to weak, guessable passwords / poor password management practices. In fact, Microsoft has stated that O365 experiences 10 million user account attacks per day.
Using only the password to authenticate users to O365 truly leaves organizations at risk. Recently O365 has been the target of a credential harvesting campaign where attackers launch spear-fishing campaigns to gain users' credentials and then go to work – gaining visibility into usage patterns, etc. to later launch ransomware attacks. It has been reported that only 0.73% of O365 administrative accounts are protected by multi-factor authentication (MFA). Not securing such high-privileged accounts obviously makes these attacks much easier for hackers.
Organizations that have adopted or are considering adopting O365 should take the following steps:
- Integrate O365 with existing on-premise directories such as Active Directory to ensure that password security policies and controls can be extended to O365. This will put control back in the hands of organizations' IT departments.
- Use stronger password security policies and/or a password security solution to enforce the creation of longer, stronger passwords and block users from choosing weak, previously leaked passwords or phrases. The solution should be able to apply different password policies to varying security groups. For example, administrators should have more stringent policies in place.
- Enforce multi-factor authentication upon login. You can use an authentication solution that can be used with your password as the first factor (e.g., the user has to authenticate with their password plus something else) or that can replace passwords completely with other forms of more secure authentication.
Rodrigo Montagner is an Italian and Brazilian IT Executive with 20 years of experience in multiple data environments. He is currently CEO of OM2 Tech Solutions.
"Microsoft has been proving to be..."
One of the most competent global cloud services providers due to several factors, but mostly because:
- They have multi-layer and also regional centers throughout the globe to guarantee data protection
- They feature a robust encrypting portfolio, such as Bit-locker, SSL over HTTP, and even IRM protocols over Document Libraries.
- They offer regular backups of customer data, multi-layered and globally performed.
Based on that, the best approach is implementing the full strategy of Office 365 using strong passwords, a competent anti-virus, and data theft protocols installed in your network. Also, deploying a VPN on MS Cloud has also proven to be a very secure measure. As a final hint, I would also install Windows data dedupe and DPS, well-configured.
George founded Akruto, Inc. in 2010 to help customers keep their private information safe and readily available wherever they go. Prior to founding Akruto, George managed teams of engineers at large companies and successful start-ups.
"Office 365 has built-in data security features…”
However, that doesn't mean your data is 100% protected from a data breach. There's always a chance of a zero-day vulnerability or massive hack capable of compromising millions of accounts and petabytes of data.
While you can’t stop all threats, you can prevent many threats by implementing the following approaches into your data management processes:
- Enable two-factor authentication.
- Use Cloud App Security to manage data security policies and alerts.
- Enable email access log in to Office 365.
- Use a Data Loss Prevention solution to help prevent data leakage. Third-party solutions can provide coverage where Office 365 has no visibility.
- Encrypt your emails with TLS or S/MIME to secure your connection to the server and prevent data interception.
- Check Microsoft's Security Score to find bottlenecks in your current data security level.
- Start using Rights Management System to limit the set of actions you or your colleagues can do with your personal or corporate data.
Microsoft did a great job with securing the data flow within its ecosystem of products. It has protection from unknown malware and real-time protection from malicious URLs that help prevent a lot of threats that may be inside an email. On top of Microsoft’s own solutions, third-party solutions, such as an external DLP, can further protect your data from theft or loss.
Lindsey Havens works for PhishLabs, which helps organizations fight against phishing attacks.
"There are a few security measures that can help keep information safe on Office 365..."
One of the key features that helps to aid in securing data security is Office 365's message encryption, which allows users to send encrypted email to any recipient no matter what email service they use. It also gives admins greater control to apply appropriate policies to protect sensitive data by the use of Rights Management and Office 365 Message Encryption. Another great feature is Azure Rights Management, which prevents file-level access without correct user credentials.
Mihai Corbuleac is the Senior IT consultant at Bigstep Inc.
"One of the best approaches to secure data in Office 365 is…”
To use the multi-factor authentication protocol along with Microsoft Authenticator for mobile access. As you probably know, with Office 365 your data is always encrypted, so what's left is how you manage permissions and how data is accessed. Your IT admin can easily deploy the Rights Management Service (RMS) that will reduce the security risk of unauthorized access.
Swapnil Deshmukh is currently working as a Sr. Director at Visa. He is a global head responsible for attesting security for emerging technologies such as IoT, mobile, and cloud. He has also coauthored the Hacking Exposed series and is an active member of OWASP. In his prior work he has helped Fortune 500 companies build security operations centers with on premise, cloud, and hybrid models.
"The best approach to securing data in Office 365 is..."
Utilizing a Cloud Access Security Broker (CASB) solution. Such cloud-based solutions not only provide cloud security but also provide identity access management, and protection against advanced cybersecurity threats.
Gregory Morawietz is the VP of Operations at Single Point of Contact. He is a cloud and IT Security Specialist with over twenty years of network and security experience. He has worked with hundreds of firms on improving IT environments, architecting cloud environments, consulting, and integrating technology for the enterprise network.
"Everyone thinks that Microsoft is magically securing their data, and that is incorrect..."
There is a finite amount of time that your data is retained on Office 365. If you delete something a clock starts on how long that data will be kept. You should use a third-party method of backing up your Office 365 data. There are several technology companies that provide backup and storage of this data as well as discovery services against the backed-up data.
Patrick Leonard is the COO & Vice President of My IT, an IT firm based in New Orleans that supports auto dealerships, construction companies, and medical practices nationwide.
"As an IT firm managing over 7,000 users, we secure our clients' Office 365 data with..."
Added email security and Advanced Threat Protection (ATP) solutions, along with strong, verified backups. The ATP solutions automatically scans email attachments in real-time and detonates suspicious attachments in a sandbox environment to observe behavior to determine if they're safe or harmful.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business