An Introduction to Microsoft Office 365 Security

An Introduction to

Microsoft Office 365 Security

An Introduction to Microsoft Office 365 Security

In an ideal world, cloud security could be 100 percent outsourced, allowing for a set-it-and-forget-it fix that covers your organization across all boundaries, no matter what. 

The reality is, many companies end up settling for a confusing patchwork of security measures in order to protect their data, their users, and their applications. As more IT leaders are learning to find their unique sweet spot between public, private, and hybrid cloud solutions, they’re quickly realizing that the learning curve for cloud migration has not yet flattened out for them. Now, they have found themselves still in need of figuring out what role their cloud service providers (CSPs) play in data security. 

Luckily, Microsoft makes its role clear when it comes to Office 365 security. If you’re new to their service, here’s what you’ll need to know about security. 

Every CSP Offers Security, But How Much? And Where Does it End?

Microsoft uses a Shared Responsibility Model that clarifies Office 365 security questions like these. Perimeters of responsibility are clearly mapped out, making it simple for IT departments, CIOs, and CPOs to understand where their organization needs to shore up in-house cloud security measures.

Exactly What Protection Does Office 365 Come With?

The Office 365 Trust Center outlines the role of Microsoft as “data processor” in its role as a provider of cloud services. Customers can be assured that security is no afterthought. Indeed, security concerns have been built into each phase of development by their software engineers as per Microsoft’s internal development process.

The Office 365 package comes with certain security measures already enabled:

  • Physical Security. Data centers are protected with two-tier authentication: access badges and biometric access controls. They also perform quarterly audits of data center access, employing a “least-privileged access level” protocol standard.

  • Data Encryption. A baseline, volume-level encryption is provided via BitLocker and Distributed Key Manager (DKM).

  • 3rd-Party Data Privacy. Data is not shared with advertisers nor is it shared with Microsoft’s advertiser-supported services, let alone third-party advertisers.

  • Data Privacy Within Microsoft. Microsoft does not use customer data for its own advertising or marketing.

  • Data Ownership. Even when subscriptions end, client data is still client data. As the owner of your own data you get to take your data with you even if you leave the Office 365 ecosystem.

  • Malware and Ransomware Protection. Microsoft auto-scans the environment and the file system, scans files in real time, applies automatic signature updates from virus definition sites, and sends alerts about/cleans detected malware. It will be up to the client to define the policies for each threat tool that comes with the Office 365 subscription, however.

All the rest? That will be for your organization to figure out.

What’s Your Security Strategy?

CIOs, CPOs, IT executives, or IT Admins will need to create a successful in-house security strategy that works synergistically with their Office 365 environment. That may involve the integration of Enterprise Mobility & Security (EMS) solutions, in addition to other add-on capabilities.

At the very least, the strategy should cover these three areas of risk:

  1. Identity and Access Management. IT admins who desire to use a centralized policy for managing identities and controlling access to apps will need to develop that capability themselves.

  2. Mobile Device Management. It’s up to the client to manage mobile devices to protect enterprise apps, data, and resources.

  3. Additional Defense Against Targeted Attacks, Insider Threats, & Malware. Office 365 covers threat protection and monitoring (including anti-virus measures). But to minimize exploitation from zero-day cyber-attacks, for example, clients will need to implement additional security technology. They’ll also need to take measures to ensure end users don’t fall victim to phishing scams.

Let’s take a deep dive into that third item on the “must-have list” outlined above: the defensive wing of your security forces that deals with attacks, threats, and malware.

What’s the Smartest Way to Augment Office 365 Security?

As an Office 365 customer, you should know that the rising popularity of Office 365 makes its log-in page an attractive target. For this reason alone, additional protection against external threats is one of the smartest ways you can augment and secure Office 365.

Microsoft offers spam filtering with Office 365 but many clients choose to augment this protection — here’s why.

Recognizing the value of a hacked email account, phishers are constantly looking for new ways to exploit end-user vulnerabilities in corporate email systems. Since 44% of businesses experienced successful email account takeovers last year, sealing up this security gap is paramount.

The built-in Office 365 security measures listed previously are at the infrastructure level. User error protection is a segment of endpoint security which falls squarely within the customer’s jurisdiction of responsibility. You’ll still need to worry about educating your users about external threats like phishing attacks (plus, while we’re on the subject, you’ll need to protect your system from internal threats like accidental deletion, too).

So, back to those end-user vulnerabilities... what can you do? Enter the artificial eye, a third-party security measure that picks up the reins on end-user security to ensure enhanced protection from external threats like these.

Beyond the Office 365 Realm: Why You Need an ‘Artificial Eye’

Ever-more sophisticated phishing strategies are sending increasingly convincing emails to users of enterprise email systems. Unwary users are directed to mock Office 365 login pages — complete with valid SSL, the Microsoft favicon, and all — to capture sensitive login credentials.

An “artificial eye” is AI-assisted technology that works on the end-user side — beyond what comes with Office 365’s anti-malware and spam filtering — to help defend unwary users against phishing emails. Much like the ideal savvy and informed end user might do, the artificial eye scans incoming emails, assessing their threat level by answering the following questions:

  • Who is the sender?

  • Who is the receiver?

  • What clickable URL is contained in the email?

  • Is the clickable URL a trusted site?

It’s cutting-edge, AI-assisted technology like this that form one of many essential components of an augmented security plan to keep your organization protected.

Achieving Tighter Cyber-Security Through Managed Security Services

All of this can be managed by a service provider like SoftwareONE. Our Security for Microsoft Managed Security Service covers proactive threat protection and monitoring as well as help with configuring the threat management area of your Office 365 environment. That’s in addition to other features like complimentary packaged deployment for Office 365, EMS, and Windows 10 Security.

Get an Insight

It’s Managed Security Services that pick up where Office 365 Security package leaves off. Learn more about how our Managed Service can help you stay ahead of threats and compliance requirements and protect your data and applications.

Discover Managed Security Services
  • Managed Security

Comment on this article

Leave a comment to let us know what you think about this topic!

Leave a comment


Bala Sathunathan

Bala Sethunathan

Director, Security Practice & CISO

Software Portfolio Management

Related Articles

Cyber Security Update August / September 2020
  • 07 September 2020
  • Bala Sethunathan
  • Cybersecurity, Managed Security

Cyber Security Update - August/September 2020

Data breaches like these show that one single breach can not only irreparably damage the firm’s brand, but also jeopardize clients’ names and operations. Read more about recent attacks.

  • 01 September 2020
  • Bala Sethunathan
  • Managed Security

Securing Workforces with ATP & SOC

Microsoft ATP promises cutting-edge security to remote workforces – but your workforce should still invest in a SOC to stay secure. Here’s why.

Protect Your Remote Workers against the new Voicemail Phishing Campaign

Protect Against Voicemail Phishing

Cybercriminals use fake voicemail messages to lure victims into entering their M365 email credentials. Learn how to protect your M365 environment.