Inside the secure world of Office 365
You can sleep soundly knowing your data is safe within Office 365’s multiple layers of security.
Shashin Patel | July 6, 2016
As Office 365 adoption gains momentum, more and more organizations are asking if Office 365 is a secure solution for hosting one of the most critical services provided to corporate customers. Most organizations may not realize it, but Office 365 is probably more secure than their own datacenter implementations. If your organization values secure collaboration—and wants to protect its assets from the inherent insecurities of the Internet—Office 365 is a great collaboration platform solution.
Office 365 was built from the ground up using Microsoft’s extensive experience with its on-premises server collaboration suite as the foundation. This security-hardened service was built knowing organizations would be concerned with protecting their customers’ data. Office 365 implements security via the principles of defense in depth and defense in breadth. This means the service implements multiple layers of security at the physical, logical, and data levels. And each level is subsequently protected with a multitude of various security controls.
At the physical security layer, each data center is built with 24-hour surveillance and monitoring. Access to the datacenter requires multi-factor authentication (MFA) which includes biometric scanning for access/authentication and motion sensors for detection of presence. Microsoft personnel who have access to the datacenters are unaware of the location of specific customer data due to Microsoft’s strategy of separating roles.
Office 365’s security story doesn’t end at the physical layer. At the logical level, Microsoft employs traditional security best practices—like minimizing active running processes, routinely scanning servers and infrastructure for vulnerabilities, and implementing proactive monitoring and intrusion detection systems to prevent malicious access. Automated operations via System Center Operations Manager and System Center Configuration Manager (SCOM/SCCM) enable consistent use of an internal Security Development Lifecycle (SDL) process. This helps manage overall risk and ensures proactive risk mitigation through malware detection, configuration management, and patch management.
Microsoft protects your data even from its own employees through the use of a premium process called “Lockbox.” This means that if, for any reason, Microsoft needs to access your data (e.g., for troubleshooting), they need to initiate a request and receive your approval before accessing the specific data. The request is not an umbrella data request—it needs to specifically state what data is needed and for how long the access is needed.
In addition to these measures, there are also dedicated Tiger teams (separated into Red and Blue teams) that simulate penetration attacks—looking for vulnerabilities to exploit—in order to produce proactive measures to prevent and mitigate malicious access in the future.
Microsoft encrypts data at rest using two service-side technologies: BitLocker for volume-level encryption, and per-file encryption for Skype for Business, OneDrive for Business, and SharePoint Online. As of June 2016, BitLocker uses AES-128 encryption at the volume level but is in the process of phasing out AES-128 in favor of AES-256 on new server deployments to raise the level of security. Master keys for BitLocker are stored in a secured share, and the keys themselves are also encrypted with a FIPS 140-2 compliant algorithm. Skype for Business, SharePoint Online, and OneDrive for Business make use of per-file encryption with AES-128/256.
Unlike many Internet services (e.g., Gmail), Microsoft does not mine your data for advertising purposes. Office 365 customer usage data is only used to improve the overall experience of the collective suite of services. This doesn't mean they access and use your corporate data content—they only use data on how product features are being used.
Customer controls and responsibilities
Having implemented this thorough security framework for Office 365, Microsoft has done its due diligence to secure customers against the myriad threats that exist on the Internet. As Office 365 has evolved, each release cycle has introduced more security options to fit ever-expanding customer requirements. However, the built-in security features can only protect so far—it’s ultimately up to customers to understand and implement security features, policies, and controls to safeguard their users and their data.
Customers implementing Office 365 are responsible for implementing the following security controls:
- User account management—A robust internal identity management process is key to a healthy Office 365 environment. Office 365 provides a couple of different options to connect to your existing Active Directory infrastructure, among them Active Directory Connect and Microsoft Identity Manager. AD Connect is a free utility included as part of the subscription; it is the most widely used and recommended option due to its simplicity, capability, and modest system requirements. In cases where migrations are to take place from an Exchange-based messaging environment, the hybrid write-back feature eases the transition for users and administrators considerably.
- Data privacy and compliance—Making Office 365 a global product for all types of organizations brought with it the necessity to follow the privacy and compliance regulations of each country in which the services are offered. Office 365 has gone through the rigorous process of verification against several global regulations and standards, including ISO 27001, ISO 27018, SSAE 16, EU Model Clauses, FISMA, and HIPAA (by way of a Business Associate Agreement). As a corporate member of the non-profit Cloud Security Alliance, Microsoft has met all the compliance and risk management requirements of the CSA-published Cloud Controls Matrix. Microsoft provides a publicly available document that aligns each CCM control to an Office 365 response.
As the number of threats to organizations rises, the ones most often overlooked are those stemming from the inside. Ensuring that users don't send or transmit sensitive information such as personally identifiable information (PII), protected health information (e.g., in the case of HIPAA), credit card information (PCI), or financial information (SOX) is a paramount concern for legal and compliance business units. The recommended solutions come in the form of the Security & Compliance Center for SharePoint Online and OneDrive for Business, as well as the DLP interface in the Exchange Admin Center for Exchange Online.
- Data recovery—Backing up critical data has been a cornerstone of IT best practices, and with good reason. With the number of threats that exist to organizations, both natural and human, there needs to be a way to maintain continuity of operations. Office 365’s data availability design is based on the on-premises model of redundant/backup datacenters—but on a much larger scale. At the server level, redundancy has been built into the hardware layer to guard against local incidents. Full data replication is also in place to geographically separate datacenters to guard against full datacenter outages. While these redundancies are out of customers' control, some may find it necessary to back up cloud data to on-premises storage using third-party offerings.
- Authentication—As organizational security needs have grown, so has the number of offerings available. With Office 365, customers control how their users authenticate, whether it’s as simple as password synchronization with AD Connect, using a Single Sign-On product like Microsoft Active Directory Federation Services (ADFS), or using other third parties like Okta, Ping, and Tivoli. In any SSO product, one of the top security measures gaining steam is the use of multi-factor authentication (MFA), a highly recommended method to protect against the weaknesses of single-factor authentication. MFA leverages the access control concept of “something you know, something you have, and something you are.” In cases where a user password is compromised (the first factor), the second factor—whether it’s a text message to the user’s cell phone, a one-time code in the Office 365 app, or a third-party OAuth token—will most likely be inaccessible to the attacker, essentially making the password useless. Oftentimes security measures fail due to a lack of suitable ways to enforce the policy, but enabling MFA is one of the best enforcement-free tools available to security personnel. Once MFA is implemented and enabled, there is no alternative logon method, so it becomes absolutely mandatory—there's no way around it.
- Data encryption in transit—Data in transit is encrypted using Microsoft-provided certificates, but there are certain situations that may necessitate the use of customer-owned certificates—like an on-premises ADFS implementation, Hybrid Exchange for mail services, or Exchange Online Protection as a mail gateway. The best practice is to use trusted third-party certificates with strong encryption keys, at a minimum of 2048 bits. Microsoft also provides the option to implement Office 365 Message Encryption as part of its Azure Rights Management Suite (Azure RMS).
- Endpoint protection—Exchange Online Protection filters and protects all email coming into the environment. However, client-side precautions need to be taken to ensure malware isn't introduced from within. Protecting the individual laptops, tablets, and mobile devices that access Office 365 with anti-virus, mobile device management (MDM) solutions, and regular patching is a recommended best practice to prevent malware infection. The use of an MDM solution, such as Microsoft Intune, can reduce the resources this task requires, especially as your Office 365 user base grows.
- Domain name services—When setting up DNS for Office 365, it’s essential to follow the requirements of each service for proper DNS functionality. For Exchange Online, a best practice is to implement DomainKeys Identified Mail (DKIM) in conjunction with Sender Policy Framework (SPF) records to ensure mail from your domain is properly categorized and filtered by recipients' mail systems. Geolocation-based DNS routing can also be leveraged to provide low-latency connections to end users if they’re distributed across the globe.
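As an added example (not from the original article or Slalom), here is an offline Python check of the SPF and DKIM DNS records described above against the well-known Office 365 values: the `spf.protection.outlook.com` SPF include and the `selector1`/`selector2` `_domainkey` CNAMEs that point into the tenant's `onmicrosoft.com` zone. The domain `example.com`, the `contoso` tenant, and the record sets are constructed; a real deployment would feed it the results of a DNS lookup.

```python
import re

# Well-known Office 365 values (documented by Microsoft). The domain, tenant
# and record sets further down are constructed for this example.
O365_SPF_INCLUDE = "include:spf.protection.outlook.com"
# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)

def check_spf(txt_records):
    """Return a list of findings for a domain's TXT records (empty list = OK)."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # two SPF records is a permerror; none means no policy
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    if O365_SPF_INCLUDE not in (t.lower() for t in terms):
        findings.append(f"missing {O365_SPF_INCLUDE}; Exchange Online mail will fail SPF")
    if not terms or terms[-1].lower() not in ("-all", "~all"):
        findings.append("SPF should end with -all or ~all, not +all/?all/nothing")
    lookups = sum(1 for t in terms if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms; RFC 7208 permits at most 10")
    return findings

def check_dkim(domain, cname_records):
    """cname_records maps a DNS name to its CNAME target (constructed input)."""
    findings = []
    for selector in ("selector1", "selector2"):  # Office 365 rotates between the two
        name = f"{selector}._domainkey.{domain}"
        target = cname_records.get(name)
        if target is None:
            findings.append(f"{name} has no CNAME; DKIM signing cannot be enabled")
        elif not re.fullmatch(rf"{selector}-[a-z0-9-]+\._domainkey\.[a-z0-9-]+\.onmicrosoft\.com\.?",
                              target, re.I):
            findings.append(f"{name} points to {target}, not an Office 365 _domainkey target")
    return findings

def audit_domain(domain, txt_records, cname_records):
    return check_spf(txt_records) + check_dkim(domain, cname_records)

# Constructed sample records for a fictitious domain and tenant.
GOOD_TXT = ["v=spf1 include:spf.protection.outlook.com -all", "MS=ms12345678"]
GOOD_CNAME = {
    "selector1._domainkey.example.com": "selector1-example-com._domainkey.contoso.onmicrosoft.com",
    "selector2._domainkey.example.com": "selector2-example-com._domainkey.contoso.onmicrosoft.com",
}
WEAK_TXT = ["v=spf1 ip4:203.0.113.10 mx +all"]  # no O365 include, open +all
WEAK_CNAME = {"selector1._domainkey.example.com": GOOD_CNAME["selector1._domainkey.example.com"]}

if __name__ == "__main__":
    for label, txt, cn in (("good", GOOD_TXT, GOOD_CNAME), ("weak", WEAK_TXT, WEAK_CNAME)):
        print(label, audit_domain("example.com", txt, cn) or ["OK"])
```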
- Security monitoring—The lack of integration with security information and event management (SIEM) systems, a critical part of an organization’s security suite, is something that has been requested for quite some time. Microsoft noticed customers’ interest in this capability and launched the Office 365 Management Activity API. Using this API, customers can now configure their SIEM of choice to pull all required logs and events.
When it comes to Office 365 security, Microsoft has not taken this challenge lightly. Microsoft understands the importance of the critical services we come to trust in our own enterprises and the need for security to maintain privacy, confidentiality, and integrity of data. Microsoft built Office 365 on a solid security foundation, and has only increased its catalog of offerings to combat ever-increasing threats. The rate at which Microsoft is releasing features, many centered around security, is a direct response to customers still leery of moving services to the cloud. It could be reasoned that for many organizations, Microsoft can better secure their data than customers can themselves, whether that stems from a lack of “how,” budgetary concerns, or just the motivation to do so.
Shashin Patel is a Solution Architect in Slalom’s Cross-Market Next Generation Infrastructure practice. Shashin has partnered with clients of all sizes to design and implement strategic technology solutions, focused primarily on the Microsoft stack of products and services.