The modern workplace is rapidly evolving into a more remote, widespread, globally connected environment. To facilitate this growth, the internet is seeing the rise of large-scale email solutions such as Office 365 that deliver cloud-based email in an easy-to-manage and reliable package. This also presents additional challenges because it exposes these tenants to a host of otherwise unavailable connection methods such as OWA, OneDrive, legacy apps, and APIs. It can be easy, albeit a bit naive, for administrators to look at the problem as not their own and place the blame within the Office 365 framework. The ultimate realization that organizations need to come to, though, is that it’s Office 365 and it’s still your problem.
Utilizing Office 365 is not unlike using many other applications, in the cloud and on premises alike. The provider supplies a platform on which to use a service, but it is still up to the client to secure that platform from unauthorized access and malicious actors, and to adhere to compliance standards. Even with the most common basic E1 plan, Office 365 can still provide more than adequate protection for an organization’s basic needs. While the objective of this blog is not to go over the configuration of the different technologies offered within Office 365 in detail, what I do hope to achieve is a better understanding of the protections that Office 365 can offer out of the box if configured appropriately. Anything mentioned in this article will be present in any Enterprise-level subscription from E1 and up.
User Management
One of the biggest missteps of any organization is to have inadequate user management. This covers a multitude of issues, from misconfigured administrator access to improperly secured basic user access. Office 365 comes with built-in identity management in the form of a cloud-based Active Directory. With this Active Directory you can configure tailored permissions for end users for the specific tasks they may need access to. Much the same as when working with an on-premises Active Directory, it is an administrator’s job not to grant unnecessary access to users who do not need it. In essence, don’t make all of your users Domain Admins! Access controls aren’t the only user management configuration an administrator needs to worry about. Office 365 offers out-of-the-box MFA capabilities for all accounts. This will allow you to further secure those cloud-based accounts to prevent unauthorized access across the board. This is an absolute must given the number of data breaches and account compromises that happen on any given day. Aside from security, Office 365 offers a major quality-of-life feature, account synchronization, with which you can synchronize your on-premises directory with the cloud.
Email Management
Email has evolved from the simple systems of strictly sending and receiving messages. Because email is the #1 platform through which breaches are facilitated, the security surrounding email has vastly improved. With Office 365 you get all of the basic controls that you would have with an on-premises solution, from message rules to connectors for routing email. You also get access to so much more with a basic subscription. For outbound email you have built-in DKIM signing with very minimal setup effort; combine that with SPF and DMARC and you can help ensure no one is pretending to be you out on the internet. Furthermore, your DLP settings will allow you to dictate what types of information are allowed to leave your organization, which coincides with items such as PCI and HIPAA compliance. When it comes to inbound, there is a whole slew of protections, from phishing protections to safe links and attachment filters. There are malware filters, connection filters, and spam filters built into Office 365 to give you greater control of those inbound emails and further protect your end users, but these filters must be configured to work appropriately.
Device Management
Which devices are connected to an Office 365 tenant is an often-overlooked aspect of security. A misconfigured tenant can allow any sort of device to connect, regardless of whether it’s a compromised device or one using an old form of authentication that is no longer secure. Office 365 has built-in MDM (mobile device management) to give you control over the devices connected to your email platform. Furthermore, by utilizing proper policies you can dictate which types of devices are allowed to connect at all. These settings must be configured appropriately to ensure you have a secure environment.
Reporting
The last and most likely to be overlooked aspect of Office 365 is the built-in reporting options that it provides. With your subscription you have access to countless insights, both into proper email flow and into the different security features you have set up. You can set up alerts via email for more critical infractions, and in general gain a better understanding of typical mail flow for your organization. I would highly recommend that anyone on Office 365 review the reports offered to at least see what’s available.
This list is in no way a comprehensive or complete list of all that Office 365 has to offer. It was merely meant to demonstrate that just because a company has purchased and migrated to Office 365 does not mean that it is off the hook for all of its email security needs. Without proper management and maintenance, you are just as vulnerable as, if not more vulnerable than, you would be hosting your own Exchange Server. Luckily, with the proper understanding and commitment, and using the complimentary tools provided to you, your Office 365 tenant can be extremely secure, despite being available to the entire internet.