Doubting Office 365 security…build security layers!

June 25, 2018

Doubting Office 365 security…build security layers!

Businesses use and continue to adopt Office 365; the driver is mainly to reduce costs and improve productivity. With so many reliant on the service, Microsoft continues to improve its built-in security controls.

Having said that, organisations still face security challenges and are confronted with a broad range of individual use cases and requirements for secure and efficient functioning within their unique environments.

Moreover, compliance responsibilities have intensified. This is primarily due to the increased focus and requirement for enhanced data security for all data (business, employee, customer and client data) and is resulting in dwindling room for any error or risk.

This leaves us asking many questions relating to the corporate services we readily use and how to use them in a more secure manner. Some common thoughts include:

  • Should we choose Microsoft tools to safeguard Microsoft products and platforms?
  • Why are many of us not convinced that Microsoft default security (for desktop, servers and email) is enough?
  • Are third-party tools still necessary to obtain the security that we now require?

 

Default Office 365 security is not enough

Although Microsoft continues to improve its security controls, many gaps still exist subsequent to a singular layer of security. These gaps will always be present, even with the most sophisticated of tools as no one product can do it all. If it claims to – there is a strong likelihood of some untruth in it.

Microsoft offers many product security features but it does not offer a complete security solution. Third- party security solutions complement, support and enhance the Microsoft product and ultimately enhance the overall security.

The service is popular which motivates hackers. The likelihood is that every hacker has their own Office 365 account to figure out how to bypass its security. Hackers work tirelessly on learning ways to circumvent Microsoft’s default security. You could say that Microsoft’s success and popularity is also part of the problem.

This is why adopting a layered approach to security remains highly recommended and good security practice. No matter how positively the security controls of Office 365 stand up to competitive third-party tools, opting for the latter in addition or as an overlay remains the right choice for many businesses to achieve enhanced security.

So, the majority now seek third-party technologies to bolster Office 365 built-in security to achieve the necessary layered defence. As those extra layers are vital!

User numbers don’t always equate to better security

Some argue that the security provided by Office 365 must be good enough based on the vast numbers of businesses or users using the product and the fact that Microsoft is a massive entity.

These aspects are not always a true reflection of a secure product but rather the tight hold a business has on the industry or market. It merely reflects that it is secure enough for a business to accept into their infrastructure not that it is without problems.

If still not convinced, just ask any Yahoo email user (you have 500 million, whose accounts were compromised, to choose from). The volume of users using Yahoo made no difference to the security (or lack thereof) that they received.

However, where organisation size and money does seem to help…it makes it much easier to recover and move on from an incident (or makes the problem ‘go away’ much quicker). Such as the one Yahoo recently had to deal with due to its recklessness with regards to user security. Users, however, are left to deal with the consequences long after.

So, it’s not always wise to base security assumptions on the volume of people using a product or to just go with the flow.

A better view to take is to consider the degree of flexibility the service allows for you to maintain ultimate control of security on all levels.  If you can protect the data whilst maintaining control of it there’s a better chance of keeping the data secure.

Third-party technologies are necessary and layering helps to fill the gaps

For a long time, defence-in-depth has been recommended as the approach to follow to achieve a better security outcome. This entails a multi-layered approach.

If you completely rely on Microsoft default security to protect their own products and platforms, you are not achieving a layered approach to security.

Another way to look at it is-if Microsoft were able to effectively secure their own products, why’s Microsoft not ensuring that the base product is as intrinsically secure as it can be from the get-go? Why’s there still a need (for many businesses) to secure it after?

Considering this, the emphasis is placed on the necessity for added third-party security, even if it is additional to a Microsoft built-in solution. Third-party solutions are likely to fill the gaps missed by Microsoft.

No matter the solutions you choose to use, none are ever 100% secure. Perform due diligence and safeguard data assets in the best ways possible because motivated hackers continue to look for the gaps in security and if the growing success rate of recent cyber attacks is anything to go by, they are likely to find those gaps and succeed. Additionally, they target Microsoft products to find any vulnerabilities as they know the vast majority use them.

The aim remains to mitigate risk and currently the best way to do this is by building security layers. This may require the use of multiple third-party solutions that complement each other and work together to achieve the resultant effect. More security layers mean less risk.

No single solution can secure against all attacks-no one vendor, product or service is able to comprehensively safeguard an entire environment from all attack variations over a period of time.

However, by deploying the most effective solutions, products and services and overlapping them means a security gap in one solution is likely to be filled by another.

Choose technologies that complement and enhance security

Defence-in-depth is a proactive approach to security. It’s a complement of products and solutions utilised to support the pre-emptive process by putting measures in place for physical, technical and organisational security.

Current business environments and functioning do not lend themselves to perimeter only defence and the notion of a perimeter is quickly disappearing. Breaches are commonly initiated from within the network and the vectors of compromise are vast and continuously growing.  The security technologies you choose should go beyond traditional methods and must consider all attack vectors currently possible and even potential future ones. You need to think ahead!

Stricter regulatory requirements demand rigorous security controls on the protection of data and data flow. It demands appropriate technical and organisational measures to protect data.

The approach should be more data-security focused. With special consideration to data stores, data flow and data management as well as how, when and where data is communicated and by whom, to secure it appropriately.  Access control is critical and must be properly managed.

What your security layers should aim to achieve

Ultimately the aim should be to achieve control, integrity and privacy of data.  If you can achieve these fundamentals, it’s likely that the sufficient security layers are in place.

You need to achieve a defence architecture throughout your environment that is proactive and responsive. In addition to filtering, firewalls, malware detection, vulnerability detection and so on, data protection, data management and access control are essential.

You need to protect all communications: emails entering, leaving and those sent internally between employees. All email should be monitored and protected. A single compromised account can quickly become an insider threat. It’s important to note that Office 365 is not only pertinent to email. So, solutions you choose to use to protect email should protect all other relevant services too, like OneDrive for example. Protecting documents and files in cloud storage is essential. This is why a data-centric approach works so well. Wherever the data is, it is protected.

Look for security layers that help to:

  • authenticate and authorise, multifactor authentication is ideal
  • give granular visibility and control
  • protect data (wherever it resides or flows)
  • keep data confidential
  • maintain data integrity
  • manage data and the access to it
  • provide end-point security with policy-based enforcement

The Galaxkey layer

Galaxkey gives businesses all these attributes and more! Galaxkey provides straightforward data protection and data management services that complement Office 365, enabling businesses to protect data and retain their customers’ ownership and control of it.

Build those layers…

Employing multiple security layers is the best way to enhance security. Microsoft Office 365 is a good service, but to use it safely it can’t be used on its own. It must be part of a layered approach, along with great third-party products. If you choose correctly, the right third-party tools will enhance the base product, Office 365, and you’ll be more secure because of it.