Customers often mention security as a concern when starting Office 365 discussions. Common worries include questions about where the data lives, who can access it, leaks, compromises, administrative controls, upgrades, etc. Many have conducted some preliminary research, and still aren’t totally convinced that their data, services, and processes can be secured in Office 365. One thing that doesn’t often come up in researching the overall security stack that Office 365 offers is “Red vs Blue”.
So, what is Red vs Blue? Microsoft has a Red Team and a Blue Team. The Red Team consists of both Microsoft and non-Microsoft members and is dedicated to trying to hack Office 365 services and endpoints, while the Blue Team tries to identify and mitigate the exploits used. This is not a once-a-year practice; these are common, ongoing activities. This video offers an overview of Microsoft Office 365 Security and Red vs Blue.
A long time ago
A long time ago, I echoed the same concerns about Office 365 security, someone else managing my servers, and upgrades, although these concerns did not last long. Once I removed myself and my organization from the thought process, I could analyze and evaluate my concerns objectively and realized that this was not another chapter of our technical evolution but a paradigm shift in our industry.
Microsoft takes security seriously; it provides the following built-in security features as part of Office 365 infrastructure security.
Office 365 does not only offer world-class infrastructure security. It also empowers you to customize Office 365 services. It allows you to adapt to unique industry and/or country requirements such as HIPAA, FedRAMP, FISMA, ISO 27001, ISO 27018, GLBA, HITRUST, GDPR, etc., or any unique requirements necessary for an internal process or legal accountability. You can create policies using Data Loss Prevention (DLP) and employ eDiscovery across Exchange Online, SharePoint Online and OneDrive for Business, as well as features such as legal hold and the ability to apply retention policies to data and email. Services like Intune allow you to manage mobile devices, and with Microsoft’s Operations Management Suite (OMS) you can manage on-premises infrastructure in addition to any Azure infrastructure.
Microsoft has also introduced the Compliance Manager, which provides a single pane of glass. This allows the management of compliance and helps assign issues to the responsible parties. (I have two blog posts that expand on these: Compliance Manager and DLP.) Finally, you can utilize the Office 365 Secure Score to help establish best practices while recommending the necessary changes to raise the secure score. You can also compare your score with the average tenant score. Microsoft is providing all the necessary means to ensure your data and services are protected.
For organizations in the US between January 2016 and June 2017, the average discovery time of a breach was 13.21 days and the average discovery-to-notification time was 29.1 days. These numbers are according to Business Insider and I find them very optimistic. For example, Michaels Stores was breached in 2014 and the time to discovery there was eight months; Home Depot, also breached in 2014, had a time to discovery of 5 months; and Sony, 2014, had a time to discovery of 1 year! Did we improve our breach discovery time that much in two years? Perhaps, although I do not have enough data to make that assumption.
Either way, these timetables are not even close to the General Data Protection Regulation (GDPR) standards, which require a notification time of 72 hours. To be fair, some of the breaches cited do not require enforcement of GDPR. How long before the U.S. adopts a similar posture to GDPR? What would a breach time to discovery be in your organization? Do you have the necessary auditing, logging and analytics in place? Wouldn’t you like an ally like Microsoft? Microsoft offers and utilizes cutting-edge tools like Artificial Intelligence and Data Science in its security platforms and services.
Show me the money
If you are not yet compelled to trust Microsoft and Office 365, here’s a fun fact: Microsoft spends $1 billion a year on security. Although that figure is impressive, it’s important to note that those are 2015 numbers! Not many companies can afford to spend large amounts of capital on security. Keep in mind that some mid-size businesses do not have a security team or scheduled penetration testing, and that most mid-size companies have pushed security compliance to the infrastructure team or made it an add-on task for a system administrator. Or, worse yet, some companies do not have proper security processes and procedures.
Now, I am not trying to claim that Microsoft can never be compromised. What I am trying to get across is that our organizations may be more vulnerable to attack than Microsoft. If, along with Microsoft infrastructure security, you apply the tools that Office 365 offers, your Office 365 data will be safe (or at least safer than on premises). If utilizing OMS, your servers can be more secure, and you will have insights that may not have existed previously.
Securing your business is not a small feat. It requires dedication of resources in the way of training for staff, clear goals and a path to achieve these goals. It will be daunting at first, but the move to Office 365 will and can be one that pays great dividends.