Securing Office 365: Get Your Security Right in any Move to the Cloud

[Editor’s note: This is part 2 of a 4-part series of Q&As that Symantec is conducting with experts and practitioners in the field, examining the myriad security issues involved with Office 365. Click here to read our earlier interview with ESG analyst Mark Bowker about the new security burden facing IT shops in the SaaS era.]

When it comes to securing Office 365, customer questions run the gamut. It often starts with the basics around whether the public cloud is more secure than in their private data centers, which to a certain level, it can be.

But as organizations think about how to scale their operations on a cloud infrastructure, they need to adopt adequate security procedures that may be different from the ones that prevailed when everything ran off their own data centers. As they build out their environment, it requires attention to the basics like, 'How do you prevent documents from leaking? Or how do you prevent accidents and make sure to secure the environment?

At the same time, while Microsoft is continually improving the platform and bringing more security functionality to the platform, there are always going to be gaps that will require customers either to innovate or partner with other vendors who can help with integrated solutions.

We caught up recently with Richard Diver, Cloud Security Architect at Insight, to talk about what’s top of mind these days when he talks with customers about handling security challenges around the implementation of a cloud solution like Office 365.

Q: How often are users coming into this process assuming that as a default Microsoft is going to basically protect them?

Most of the companies I deal with have security-savvy people who are doing the pre-reading. They understand that there's only a certain amount that Microsoft can do. If the project was done to promote productivity and they want to provide more functionality to the business, it's going to happen because the business wants it, and it's going to drive their process.

Q: How might their approaches vary if the initiative started with the IT/Security side or the business side of the company?

These two are very different when it comes to ways of adopting technology. If it's being led by an IT or a security team, they might approach it by saying, 'Well, we haven't got much storage and backup resilience, and we need to move to the cloud to get off this dying infrastructure. So let's. Then it becomes a security-led or IT-led drive.

But if it's a business-led initiative, security may present an obstacle. They may just want OneDrive for Business and the priority is to get OneDrive and enable business functionality, not to add more layers of security that they never had in the past. But things like application management and multi-factor authentication – those are the controls that the security team will recommend to implement. And the organization will be left to deal with divided priorities.

Q: What are the security implications of moving to a cloud storage piece of functionality such as OneDrive for Business?

Users might previously have had their files on their PCs. When they create files and content or get an email or attachment, they would save it locally where they would have access to it offline.  There would be some security around a managed device, where you could prevent people from connecting to email with an unmanaged device. In that “private world,” IT managed to maintain a lot of control by saying, 'Well, you can only connect if you're in a corporate network or you can get web access if you're on a corporate PC.'  

When you get a OneDrive – this is where I've seen a lot of organizations trip up – now it's only protected by a user ID and password, by default.  So, as companies go through mass migrations and synchronization, they need to make sure users protect their identity and use multi-factor authentication, which has been a big hurdle for a lot of companies. But it needs to be done every day.

And then the other consideration is the application. You need to control the app and where users get access to that data from in order to prevent against someone exfiltrating that data either on purpose or by accident.

Q: What are your recommendations to potential Office 365 clients as they go about the task of implementing and securing the product. What do they need to do in order to make sure that everything gets battened down properly?

• A move into to the cloud is the opportunity to get it right. For everything you didn't do right in the past – or couldn't because you had whatever legacy obstacles – now's the time to get it right and not carry over the bad habits. Do things the right way. The absolute number one thing is administrative. You need to limit the level of access user accounts have. You need to require multi-factor authentication and do things like identity management or access management where you allow admin rights when needed and it's taken away when it’s not. That helps limit risk and potential exposure of the service in case an account gets compromised in one way or another. That's absolutely number one for any cloud deployment anywhere with any company. You have to do this up front.
   
• The second is to inventory what you've already got. You have to understand the technologies and understand what you've got and what you already paid for and what you're going to buy from another company. What have you already paid for? What is the feature set that's already there and deployed? Stop customers from buying point solutions all over the place to fix what they think is a hole or a gap in the Microsoft stack.
   
• Next, change your approach or methodology to adapt to the cloud instead of trying to manage the cloud to work as you’ve always done on-premise. Understand why Microsoft has made certain decisions and choices and why the cloud works that way and why they'll have a roadmap to make it better all the time. In that stack, make sure you've used every bit of it or at least that you've got a plan to use every bit of it that makes sense to you.
   
• Consolidate. Some companies have between 50 to 60 applications for security in their organization, but no security person can manage 50-something different applications. You want to consolidate to the minimum number. That means understanding what you’re buying and educate yourself about why it matters.
   
• Microsoft offers a range of additional solutions to help secure the cloud environment, such as M365 E3 and E5 - you have you weigh up your options and decide the right fit for your organization. If you are not going to invest in the full Microsoft solution stack, make sure you've got an alternative answer because everything in that stack is really critical to cloud security. If you don't have a better answer, then you probably should consider investing in the Microsoft stack as a minimum, and plan to deploy the solutions as part of your cloud adoption.
   
• Work to make the end-user journey better. This is why you go to cloud in the first place. But be careful not to shoot yourself in the foot. The adoption of cloud is supposed to foster a better collaborative experience and enable greater productivity. So, don't lock it down to the nth degree for everyone, everywhere, all the time. Allow a space where collaboration can occur internally and externally with partners and customers while having the right controls in place to enable security protection in the background, helping the business. Make it a good security experience. For example, make sure there is multi-factor authentication for end users, but don't make it so hard that they get so annoyed with it that they don't enjoy the journey. It should just be part of the natural course of their work routine, like a reflex action when they log on. It’s up to you to educate them, not block their productivity.