Securing Office 365 - New Challenges for IT

[Editor’s note: This is the first of a 4-part series of Q&As that Symantec is conducting with experts and practitioners in the field, examining the myriad security issues involved with Office 365.]

As more organizations adopt cloud applications such as Office 365, security managers now find themselves scrambling to provide security for apps and services that no longer reside in on-premises data centers. This presents all sorts of new challenges, according to Mark Bowker, a senior analyst at the Enterprise Strategy Group.

“The IT and security professionals inside these organizations must now deal with a changing consumption model,” says Bowker. He added that in this multi-vendor setting, users are likely to be using SaaS apps such as Office 365 as well as a myriad of other kinds of cloud infrastructure and services, which might be as simple as a desktop service or a security service.

We caught up recently with Bowker to get his take on what Information Security Managers need to do to adjust to the security demands of this new digital order.

Q: What’s the security challenge for IT in this multi-vendor cloud setting?

They have lost control of the applications and of the data themselves and they’re looking at ways to collectively have a single source of truth across all these different providers. They want visibility across these environments, so they can monitor activity, potentially modify policies and proactively take action.

Q: How does that usually play out?

It comes about in a variety of ways, from awareness to true automation. This ability to have visibility across these different environments is extremely important and something that businesses are really finding themselves dealing with as they make security and other types of IT process decisions inside their organizations.

 Q: Isn't that the job of the Information Security Team?

They have tools which they purchased but some of those tools may not work across platforms or may only be tied to a single platform. That’s one issue.  

Another issue is if the security offered by a vendor for their particular application, such as Office 365, is really meeting the risk tolerance for the organization. The question really comes down to - and it is really up to the Information Security team to figure this out - whether that depth of security is adequate or not for the organization. Also, do the tools add visibility as well as general contextual awareness that the security team is accustomed to.

Q: What don’t companies understand about where Microsoft’s responsibility ends with regards to security in the cloud?

I’d say the confusion starts with the identity of the employee - that comes down to username and passwords and authentication methods. Then it extends to understanding what Microsoft provides versus what others in the market do to help offer strong means of authentication. The confusion also reaches to the application and data level.

Q: Unless it’s a Microsoft shop.

Most companies that I talk with are not Microsoft shops where they just use Microsoft applications. In those cases, how do you authenticate across Microsoft apps and other SaaS applications? How do you provide that security foothold and posture beyond Office 365? For instance, one of the top vectors for bad guys continues to be email, where they pose very sophisticated threats. As much as companies continue to try and educate employees, the threats are still coming in via email. Most of the CSOs I talk with are not willing to hang their hats just on the capabilities that Microsoft provides and are looking for additional defense specifically around email.

Q: What are you advising clients thinking about going forward with Office 365 implementations?

The first thing to recognize is that the security posture goes beyond Office 365. You have to think of the toolset and technologies beyond those Office 365 applications themselves. The other consideration to really think about is the idea of visibility across a single source of truth that applies across the different applications, across the different web behaviors of employees in their application usage and in their data application usage. You need to be able to paint a palette of what that looks like to be able to start to take action. Once you get that single source of truth in place, you can start to automate.

Q: How might that unfold in practice?

You start to recognize behavior and then based on that behavior, perhaps you can change permissions or shut off access altogether for a certain user. Or maybe not allow that user to access a specific device or have access from a certain network. So instead of mainly getting alerts, you are taking advantage of automation. Also, there is a lot of intelligence offered by providers - Symantec being one of them -  that enterprises can benefit from.

So, using this Machine Learning/Artificial Intelligence advantage, they can look at different threat analytics across their threat intelligence. At that point, an organization can start to make decisions that recognize attacks before they happen and recognize bad behavior before it spreads. That helps them to take action - and in many cases it is an automated action rather than a manual intervention.