IT needs to address security gaps in the platform before getting buy-in from interested parties
The Microsoft Office 365 platform is a powerful bundle of software that can deliver significant benefits for organizations, including enhanced messaging and collaboration, and integration between those important capabilities. The product offers rich services in the cloud, with a suite of collaboration tools for online chat and file sharing, as well as much larger mailboxes.
But the platform also comes with legitimate questions and concerns around data security, litigation and compliance that IT managers need to address before they can achieve buy-in from stakeholders in each of these three areas within their organization.
Let’s look at some of the key security issues to gain a better understanding of what’s at stake when companies are looking to deploy Office 365.
Security in layers: What is included in Microsoft Office 365
The platform comes with built-in security provisions such as Microsoft security best practices, 24-hour monitoring, isolated customer data, a secure network, and encrypted data at rest. These are really about Microsoft’s data center controls and how Microsoft operates them.
There’s no question Microsoft has some of the best data centers in the world, and it has some fantastic processes in place to ensure that those data centers are kept secure. This is the first layer of Office 365 security (blue layer in above graphic).
The second layer includes customer controls (red layer). These are the options organizations are able to configure within the administrative console, including encryption, rights management, anti-virus and anti-spam, and user access controls.
The next layer (gray layer) is about Microsoft’s independent verification, which is basically about the data center certifications in place to ensure that the data centers meet customers’ requirements.
Addressing the Gaps
These layers together provide a very good level of service and security, from a data center perspective.
What this strategy doesn’t address as much is emerging advanced threats and targeted attacks, specifically in how the platform handles anti-virus and anti-spam. This is where Microsoft has gaps in terms of Office 365 security.
Each of the three stakeholder areas—security, legal and compliance—will have its own concerns about these gaps. Prior to deploying Office 365, IT needs to be able to answer a number of questions in each of these areas.
From a security standpoint, these include:
- How does Exchange Online Protection detect emerging zero-day threats and protect against targeted attacks and emerging threats?
- How can we gain visibility into who has clicked malicious URLs?
- How flexible are the loss prevention rules?
- Will the loss prevention incident workflow scale to meet my needs?
- Can end users make security decisions?
From a legal perspective, the key questions to ask include:
- How does Office 365 ensure data retention?
- What’s the legal hold management workflow?
- Will search adequately find messages and attachments of all types?
- Can we conduct searches ourselves, or are we relying on IT for this?
And from a compliance perspective, the questions include:
- How does Office 365 ensure data retention?
- Will it meet my supervision requirements?
- How can we ensure data immutability?
- How can we make policy-based retention decisions?
- Where is our data stored?
Learn More
Discover the answers to these questions as well as handy recaps of what Office 365 does and doesn’t do for security, litigation and compliance in the on-demand webinar Accelerating Office 365 Adoption.