E-Guide AN INTRODUCTION TO MICROSOFT OFFICE 365 AND...

E-Guide

AN INTRODUCTION TO MICROSOFT OFFICE 365 AND EMAIL SECURITY TOOLS

▲

PA G E 2 O F 1 7 S P O N S O R E D B Y

Home

An introduction to Microsoft Office 365 security

Choosing the best email security tools for your business


n this e-guide, expert Dave Shackleford discusses the security pros and cons of Microsoft Office 365’s cloud-based productivity suite. You’ll also find a section

on email security, including helpful information about choosing between on-premise email security tools, or embracing the cloud.

I


Home




AN INTRODUCTION TO MICROSOFT OFFICE 365 SECURITYDave Shackleford

The Microsoft Office 365 security features are robust, but may not offer the granularity some enterprises need. Expert Dave Shackleford reviews the security pros and cons of Microsoft’s cloud-based productivity suite.

With the end of Windows XP, more organizations are migrating to new operating systems, and in turn taking the opportunity to explore different service models for applications. While there are numerous cloud-based office applications available today, one that is getting a lot of traction and attention is Microsoft Office 365.

This tip explores the key Microsoft Office 365 security technologies, as well as the potential security issues enterprises should be aware of and how to overcome them.


Home




OFFICE 365 SECURITY: FEATURES

With Exchange Online and Outlook 2012, security administrators can develop DLP rules that alert users when they are trying to send email with content or attachments matching well-known or custom patterns for sensitive information.

Microsoft Office 365 runs in a typical multi-tenant public cloud environment. Active Directorycontainers are used for isolation and segregation of customer data, but Microsoft also makes a separate Office 365 environment available to customers at additional cost.

All access to the Office 365 infrastructure is performed via strict role-based access control(RBAC) techniques that use a “lockbox” approach. This is where engineers request access for specific tasks that are independently verified and vetted each time, with access duration and monitoring applied.

All network connections to Office 365 also use SSL/TLS over the Internet by default. Within the Office 365 environment, stored data is encrypted with BitLocker, Microsoft’s encryption feature that leverages the Advanced Encryption Standard algorithm.

Office 365 has customizable encryption policies that can be applied to stored content or used to sign documents. The Windows Rights Management Service


Home




allows administrators to specify who can access encrypted content, what type of access a user has and when they can access the content. In addition, Microsoft now offers configurable encryption for email. Office 365 Message Encryption is built on Azure Rights Management, which allows administrators to flexibly control when and how encryption is applied depending on a number of customizable attributes, including content keywords or internal vs. external recipients.


Home




M I C R O S O F TS P R E A D S H E E T E D I T I N G U S I N G T H E O F F I C E 3 6 5 E X C E L W E B A P P


Home




Administrators can control all access to Office 365 by taking advantage of the built-in Active Directory identity platform from Azure, or by integrating with internal Active Directory stores using on-premises Active Directory. Other directory stores and identity systems include Active Directory Federation Services and third-party Secure Token Services, like those from vendors SecureAuth or Swivel. More advanced federation can be configured to support true single sign-on, allowing enterprise users to authenticate to Office 365 with their existing domain credentials while also tying in multifactor authentication options and client-based access controls for simple NAC functionality. For example, users trying to access Office 365 from public wireless connections or public computers could be restricted using client access policies.

OFFICE 365 SECURITY: BENEFITS

One of the more compelling features within Office 365 is data loss prevention (DLP) policy control. With Exchange Online and Outlook 2012, security administrators can develop DLP rules that alert users when they are trying to send email with content or attachments matching well-known or custom patterns for sensitive information. Content can be allowed with a warning, allowed with an explicit policy override that notifies administrators, or blocked


Home




entirely based on sender, receiver, internal and external addresses, domains and more. DLP is currently being developed forMicrosoft OneDrive, a cloud-based storage drive accessed from users’ mobile devices, laptops and desktops. The OneDrive DLP features areexpected to debut this month.

Office 365 also has a powerful set of e-discovery policies, available within the Office 365 eDiscovery Center. Access to the eDiscovery Center can be delegated to a compliance or legal officer using RBAC, and the tools allow for simple searches across all Office 365 data storage including email, documents and site mailboxes, with the ability to preserve data. Antispam and antimalware controls are also built into Office 365, and administrators can configure some aspects, such as blocking sensitivity and alerting.

OFFICE 365 SECURITY: DRAWBACKS

One downside to the service is the lack of malware and spam email evidence available to customers from Microsoft. As Microsoft blocks attachments and spam emails, it does not provide the blocked content to customers for threat intelligence and malware analysis. For larger organizations seeking to bolster security intelligence by mining spam and phishing data, this may prove to be a big downside to an otherwise valuable security offering.


Home




The DLP service, while admin-friendly, is fairly simplistic, which may prove to be less granular and configurable than some organizations need.

Finally, while Microsoft has met a number of compliance requirements ranging from EU data protection laws to HIPAA and ISO 27001, there is still some risk in placing sensitive data into a cloud environment, and organizations will continue to be liable for their regulatory concerns regardless of the outsourcing model chosen.

CONCLUSION

Overall, Office 365 aims to offer a powerful and flexible set of cloud application services that include a broad range of security features. As more security features are added, with additional configuration capabilities for consumers, organizations that transition to Office 365 in the coming years will find that its security is more than capable of meeting most enterprises’ needs.

DAVE SHACKLEFORD is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO at Configuresoft, as CTO at the Center for Internet Security, and as a security architect, analyst and manager for several Fortune 500

PA G E 1 0 O F 1 7 S P O N S O R E D B Y

Home




companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security from Course Technology. Recently, he co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.


Home




CHOOSING THE BEST EMAIL SECURITY TOOLS FOR YOUR BUSINESSKevin Beaver

Once you’ve decided to look at third-party security tools, you’ll have to decide between on-premises or cloud-based options.

Many in IT feel some nostalgia for the days of network simplicity. Back in the ‘90s, you had a basic Exchange Server or two, or you simply had Microsoft Mail running on Windows NT. Your messaging environment may have been rudimentary, but that was the nice thing about it: It wasn’t complex and it got the job done. As for security -- what security? The only semblance of security on our minds back then was user passwords.

Fast forward to today’s complex messaging environments. In many cases, they’re too complex and no single person understands how everything works. The environments are intricately tied in with Active Directory. Sometimes, I’ll even see integration with data loss prevention (DLP) and related technologies to enhance messaging security. But passwords are still often the most common level of security afforded to one of the most critical applications in enterprises.


Home




If this applies to you, it may be time to beef up the resiliency of your Exchange environment.

Once you’ve decided that you need to look into third-party email security tools, there are two main categories of Exchange security tools to consider. These tools can help protect against malware, spam, denial-of-service (DoS) attacks, data loss and hacking expeditions.

ON-PREMISES EMAIL SECURITY TOOLS

The first category involves on-premises tools, which involve software that’s installed on your servers and appliances and sits at your network perimeter. These tools provide the control many IT professionals desire, but the downside is you’re responsible for fixing them when they don’t work.

Consider these important factors with on-premises security tools.Fully understand your risks. Will an in-house tool be enough to ward

off real threats? Even if your server and network-based tools can catch spam, malware or DoS attacks, can you afford to have them enter your network in the first place? Think about Internet bandwidth as well as network and server utilization -- will you have enough to withstand an attack? What about your


Home




current data backups? Will you end up with malware on a backup because of real-time backups and your archiving ore-discovery policies?

Be mindful of your time. Time is your scarcest resource as an IT pro. Do you have enough of it to take on another project, tool or business function? What will you have to give up to find the necessary time for the new tool? It’s easy to say you can handle new email security tools now, but you won’t really know until it’s fully deployed. Network size and complexity certainly play a part in this, and so does management support.

Know your budget. Do you have the money for on-premises tools? Cloud-based services may be less expensive to initially deploy. Their ongoing costs are competitive as well. You need to know how the budget looks for next year and beyond.

You can also look at what trade rag reviews say about the product you’re considering. Talk to your colleagues in the industry as well. Direct discussions with vendor references will help you determine, likely better than anything else, whether the security tools you’re looking at for your organization are a good fit.


Home




CLOUD-BASED EMAIL SECURITY TOOLS

The second category involves cloud-based tools. Third-party application and managed service providers run these tools, which sit between your in-house messaging environment and outsiders communicating with you.

Cloud-based email security tools are great for shielding your network fromphishing, malware-laced emails and direct hacking attacks. In the event your Exchange server or Internet connection goes offline, these tools can also queue up your messages so they don’t get lost in the shuffle.

There are important factors to consider with cloud-based email security tools:

Know the level of protection you have. In other words, are the tools protecting against what you’ve determined to be threats, vulnerabilities and risks to your Exchange environment? Malicious attachments and links, DLP, content filtering and DoS protection will likely be high on your list.

Check on outbound protection. Does the service provide outbound pro-tection if one of your systems is hacked and is wreaking havoc on others outside your network? Will you be okay with sensitive information reaching your DLP systems outside your realm of control?

Know who monitors the tools. Will the cloud provider monitor


Home




everything, or is that function still yours? I prefer to let someone else take care of monitoring, but the decision is up to you.

Learn the provider’s reporting habits. Can it deliver messaging security reports that have some substance that management will understand and appreciate?

Read the service-level agreement (SLA) fine print. What does the provider’s SLA actually say? It’s possible they may not guarantee security. Make sure your expectations and management’s expectations are set. Uptime promises may not be good enough, either. Read the fine print beyond what the marketing slicks and sales weasels promise.

Make sure the tools work for legal and compliance. Will the service pass muster with your legal counsel and compliance officer? Get these people involved and let them guide you through the many legal and compliance issues associated with cloud-based technologies, including data ownership, jurisdiction and privacy.

Certain messaging security tools may be a hybrid of on-premises and cloud-based options, which may help strike a better balance of control and risk. Some of these tools might be available with Office 365 and other hosted Exchange options.


Home




An information risk assessment is the only reasonable way to find out which email security tools will work best. Know your environment, understand your risks and put the right Exchange tools into place. If you take the time and do it correctly, your Exchange system will be much more secure and likely easier to manage, just like in the good ole days.

KEVIN BEAVER has worked for himself for more than 11 years as aninformation security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.


Home




FREE RESOURCES FOR TECHNOLOGY PROFESSIONALSTechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web’s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows,

research reports and more —drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts.

WHAT MAKES TECHTARGET UNIQUE?TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers—all to create compelling and actionable information for enterprise IT professionals across all industries and markets.

Date post:	21-Jul-2020
Category:	Documents
Upload:	others
View:	7 times
Download:	0 times

E-Guide AN INTRODUCTION TO MICROSOFT OFFICE 365 AND...

Documents