Posted: 4 Min ReadProduct Insights

Securing Office 365: Keeping a Step Ahead on SaaS Security

Here’s what organizations need to know to reduce threats targeting the world’s most ubiquitous SaaS app

[Editor’s note: This is part 3 of a 4-part series of Q&As that Symantec is conducting with experts and practitioners in the field, examining the myriad security issues involved with Office 365. Click here to read our earlier interview with ESG analyst Mark Bowker about the new security burden facing IT shops in the SaaS era.]

Office 365 remains the world’s most widely-used software-as-a-service application (SaaS) but it also presents myriad new security challenges for organizations – including the fact that it’s very popularity makes Office one of the most targeted cloud apps around. We spoke recently with Symantec senior technical sales manager, Adrian Covich, to find out what measures he recommends customers take to keep attackers at bay.

Q: When customers implement Office 365 into their operations, what are some of the security issues around SaaS implementations that are catching your attention?

One of the interesting things about Office 365 - owing to the fact that it is the most ubiquitous SaaS app out there - is the fact that while it’s designed to make life easier, it also tends to lay bare the vulnerabilities in the process of the business organization.

Q: How does that play out in practice?

When you move to a SaaS environment, you remove a lot of the technical vulnerabilities because, in many respects, those become part of the responsibility of the SaaS providers - and they’re usually pretty good at managing them. But at the same time, we see a lot of instances of people having their Office 365 accounts taken over. These are very well-done attacks born of the cloud era, whereby emails lure victims into giving away their password credentials. By itself, that’s not unusual. But because Office 365 has one single home page - it’s office.com - for companies as big as Symantec or as small as a bicycle repair shop - once you have somebody’s username and password, it's as easy as going to office.com and logging in. Once they’re in, attackers have access to all your mail and OneDrive and that affords them a lot of capability which they take advantage of.

Q: When you compare the security issues around Office 365 implementations with other SaaS apps, is there a higher degree of risk because of its ubiquity?

There certainly are a lot of powerful SaaS applications out there, like Workday and Salesforce. But I think Office 365’s mass appeal in large and small organizations means that it is also very recognizable. And that also makes it a great target for attackers.

Q: Bigger corporations have the means to employ a lot of IT and security specialists. But smaller businesses don’t have the same luxury. Do you find them ignoring the security basics? Are they failing to take advantage of making sure they use 2-factor authentication, for example?

Anecdotally, I would say yes. People are looking for the base functionality and don't necessarily proceed with security in mind. They also misunderstand the point to which Microsoft will secure them out of the box versus what they still need to do. There are still fundamental questions you need to answer with SaaS when it comes to the delineation of responsibilities and who has access to data. Are your users who they say they are? What data are you storing and are your business processes sufficiently secure?

Q: What are some of the worst-case examples that result because of that misapprehension?

We see credentials being stolen and then attackers use them to rifle through employees’ OneDrive, send out fake emails, harvest credentials - and also get a look at people's interactions with each other. It becomes even more insidious with the use of internal impersonation to steal money - and significant amounts of money - where an organization may have business processes that allow the transfer of, say, ½ million dollars to the CFO. If an intruder gets a hold of someone’s credentials, Office 365 lays that weakness bare because all the technical security that would normally should be required doesn’t occur.

Q: So, this goes back to your earlier point about knowing where the lines of responsibility end for one side and start for the other.  

I think it's a bit of both. And there’s another factor to consider because the emphasis when onboarding these solutions isn’t security.

Microsoft focuses on developing these products to promote ease-of-use. Those emails should not make their way into Office 365 and yet they do. So, it’s very clear that in many cases along this journey, they simply don't have the focus or the skills that a dedicated security company would.

Q: Given all that, what should CSOs and CISOs be keeping top-of-mind as they think about how to secure their organizations in any Office 365 rollout?

For me, it's fundamental that we need to understand that as you move to SaaS, there’s a difference. We have created a whole (security) model on the premise that we have built out a perimeter with walls surrounding our castle and that’s been able maintain a level of security throughout that time. But when we move to SaaS, there is no “castle” anymore and there still is responsibility on you, not just the providers. Attackers are evolving, and they are attacking cloud infrastructure. We no longer have that perimeter approach anymore, so it's important for customers to be able to answer fundamental questions about who is accessing their infrastructure and make sure that they are who they say they are. Do they know where their data is? Do they know who is accessing information being stored.  

Symantec Enterprise Blogs
You might also enjoy
4 Min Read

Office 365 Brings its Own Set of Challenges to Data Protection

Responsibility for data protection heightens when data enters the cloud

Symantec Enterprise Blogs
You might also enjoy
3 Min Read

Securing Office 365 - New Challenges for IT

ESG’s Mark Bowker: In a multi-vendor cloud setting, the proliferation of SaaS apps such as Office 365 puts new onus on IT

Symantec Enterprise Blogs
You might also enjoy
5 Min Read

Securing Office 365: Get Your Security Right in any Move to the Cloud

Q&A with Insight’s Richard Diver about what organizations ought to do get everything battened down properly

Click Here for the Office 365 Security Checklist
Click Here for the Office 365 Security Checklist

About the Author

Charles Cooper

Editor in Chief, Big Valley Marketing

Charles Cooper has covered technology and business for more than 25 years as a journalist.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.