Office 365 Strategy: Plan to Be Secure

October 25, 2016

In this series, we take a closer look at what it takes to support a successful Office 365 migration including the decisions, strategy, mobility, monitoring, and on-boarding aspects.

Part two of a series.

Many organizations take great care in securing their networks by not allowing outsiders in, but then nothing is done to secure the data leaving the network through IM, email and mobile devices.

With a couple of clicks, sharing Office 365 services with an outside organization can quickly be toggled on or off. Office 365 does a good job inherently of limiting access to services and information to those users who should have access.

The Office 365 built-in, multi-factor authentication is an easily implemented security solution that takes the basic measures a little further. All of this requires little in the way of initial planning. But, there’s more to consider when thinking about security.

Office 365 and Security

A much larger concern in any size organization is ensuring that data is not intercepted or consumed in error by individuals not entitled to consume it. This kind of protection requires much more planning and forethought because it involves all users, policies, and the complete lifecycle of a document or artifact at a company.

I won’t discuss additional Azure services purchases (at least in this article), but there are many ways to secure the information that resides in Office 365. This is discussed in a bit more detail below. For a full and thorough preparation for a move to Office 365, we can help. But first, let’s explore your security options.

Platform Security

This doesn’t even require planning! Microsoft has policies and processes that limit physical data center access so only authorized staff are allowed inside. Storage devices are encrypted so that even if they are stolen the data will be inaccessible.

Finally, the data itself is encrypted, both while in transit and at rest. The platform itself is inherently secure, and the best part, there will no longer be a need for a company to have onsite infrastructure and support which could equate to millions of dollars in savings year on year.

Secure Access and Sharing

As mentioned above, these are settings in the Office 365 Administration Console that allow resources to be shared with external users. An external user is someone who does not have a user account in an organization’s Office 365 directory.

Some items that can be shared with external users/organizations are:

User Calendar – free or busy time only, details, or everything
Files via:
- Exchange
- OneDrive
- Skype
- Sway
SharePoint Sites
Office 365 Groups

Some Office 365 collaboration sharing features can be switched on or off for the entire organization, and when switched on, can also be set for individual users or groups.

Careful planning in this area ensures that a user won’t share what they aren’t supposed to. Information governance (below) will help secure the data further.

Awareness and Insights

Auditing reports are available in the Office 365 Administration Console for the following categories:

File and folder activities
Sharing and access request activities
Synchronization activities
Site administration activities
Exchange mailbox activities
Sway activities
User/Group administration activities
Application administration activities
Directory administration activities

Ensure that there is a plan in place to monitor and govern these activities.

Information Governance

This requires preparation, not only to define what sensitive data is, but also how it can be used. This also includes legal holds and eDiscovery, and the preservation of data after a user leaves an organization.

There is a limited and varied amount of time that data is recoverable if a user becomes unlicensed from Office 365 or the login account is deleted. Organizations must prepare for this eventuality.

Compliance and Trust

The compliance and trust center is an application center that comes with Office 365 and is focused on threat management, data governance, search and investigation, and reporting on all of these.

Threat management – device management, device security policies, data loss prevention, mail filtering, anti-malware, Dkim (allows messages to be assigned to domains)
Data governance – import, archive, retention
Search & investigation – content and audit log searches, eDiscovery, quarantine
Reports – DLP policy matches, view reports

This is the heart of the information governance planning and policy enforcement. These two topics will need to include representatives from IT, executive management, legal, security, and most likely, the businesses as well. We can help with sorting out the minutiae involved in data loss prevention.

Microsoft has done, or is doing, more every month to ensure the security of a company’s data, however, more is required, and client companies using Office 365 must assume responsibility for their part in planning to protect their data.

This series is meant to be helpful to those organizations preparing to move to the cloud or those who have already moved but neglected to plan fully. We have conducted numerous workshops and planning sessions with various organizations to prepare them for a secure trip to the cloud. Call on us to assist in planning your move.

About the Author

Tad Yoke

Solutions Architect and Senior Consultant | Modern Workplace

Tad has over 20 years of experience assessing, designing and deploying technical solutions for Microsoft 365, Office 365, and Enterprise Mobility + Security (EMS); Azure directory and network management, Microsoft SharePoint and Microsoft SQL Server.

He is particularly passionate about developing Roadmaps, performing Security Assessments, and configuring Microsoft Teams Governance and Policy for our clients. Tad has numerous Microsoft certifications including his most recent accomplishment as a Microsoft Certified Security Customer Immersion Experience(CIE) facilitator. Follow Tad on Twitter.

Contact Centric | More Articles

Want to learn how SharePoint can work for you?

Talk WITH AN EXPERT