Security. If there's one thing that concerns organizations contemplating a move of their data to the cloud, or that are already there, it's security. With new threats being introduced on a regular basis, organizations need to use all the tools they have at their disposal to secure their data.
Brian Reid of NBConsult presented a session at Microsoft Ignite called 10 Ways to Secure Your Office 365 Tenants. In it, Reid explained at length the 10 security features available (or soon to be available) to organizations using Office 365.
Password Policy
Always use a password policy with expiration to help secure your data and service access. The expiration settings differ depending on the type of user identity.
For cloud-only users, passwords expire after 90 days by default, whereas Active Directory synced users' passwords expire according to the on-premises policy. Self-service password reset is available free of charge to cloud identity users. With Azure Active Directory, you can also allow an on-premises synced user to change their password in the cloud.
You can verify a password reset in four ways -- via office phone, mobile phone, alternate email address and security questions.
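The expiration defaults described above can be read back and enforced from PowerShell. The following is an added example, not code from the session or the article; it uses the MSOnline module of the period (since deprecated in favour of Microsoft Graph PowerShell) and assumes a Global Administrator account and a placeholder domain of contoso.com.

```powershell
# Added example: audit and set the cloud password-expiration policy.
# Assumptions: Global Administrator role, MSOnline module installed,
# contoso.com and the UPN below are placeholders.
Import-Module MSOnline
Connect-MsolService

$domain = "contoso.com"   # placeholder, replace with your verified domain

# ValidityPeriod is the number of days before a password expires (90 is the
# default the article mentions); NotificationDays is the warning window.
Get-MsolPasswordPolicy -DomainName $domain

# Make the 90-day expiration explicit and warn users 14 days ahead.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 90 -NotificationDays 14

# Cloud-only accounts flagged PasswordNeverExpires bypass the policy entirely,
# so list them. Synced users carry an ImmutableId and follow the on-premises
# policy instead, which is why they are skipped here.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -and -not $_.ImmutableId } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp |
    Sort-Object LastPasswordChangeTimestamp

# Put a specific exception back under the policy (placeholder UPN).
Set-MsolUser -UserPrincipalName "svc-legacy@contoso.com" -PasswordNeverExpires $false
```

The audit step is the useful part: a policy is only as strong as its exceptions, and accounts set to never expire are easy to lose track of when they were created through the portal rather than the policy.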
Data Loss Prevention (DLP)
A data loss prevention strategy ensures that confidential or personal data can't be uploaded, shared or emailed. DLP is available in SharePoint Online and Exchange, and can also be integrated into Enterprise Search. With it, you can create policies that restrict content from being saved to certain locations, such as OneDrive for Business and SharePoint Online sites. If you configure DLP to run in “test” mode, it reports where your users are downloading and storing their data without enforcing the policy.
Rights Management
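The test-mode rollout the session recommends looks like this in Security & Compliance PowerShell. This is an added example rather than the session's or the article's own code; it assumes the ExchangeOnlineManagement module, a Compliance Administrator role, and uses placeholder policy and rule names.

```powershell
# Added example: create a DLP policy in test mode, review, then enforce.
# Assumptions: ExchangeOnlineManagement module, Compliance Administrator role;
# the policy name is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = "Payment Card Data - Pilot"

# Test mode evaluates content in SharePoint Online, OneDrive for Business and
# Exchange Online and reports matches, but blocks nothing. TestWithNotifications
# would also show users policy tips; TestWithoutNotifications is silent.
New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications

# The rule defines the match and what enforcement will do once the policy is
# switched on: ten or more credit card numbers shared outside the organisation
# block access and raise an incident report to the site admin.
New-DlpComplianceRule -Name "$policyName - external block" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "10" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All

# Confirm the mode and that the policy has finished distributing to the workloads.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, DistributionStatus

# Once the test-mode reports show the expected hits and no false positives,
# flip the same policy to enforcement; the rules do not need to be rewritten.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in test mode and promoting the same policy avoids the common failure of writing an enforcing rule blind and breaking legitimate sharing on day one.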
Rights management protects documents and email with encryption and an associated usage policy. Documents can then only be used by the intended recipients for the intended purpose. You can set up content expiration rules and set offline access settings, as well as set policies at the document level so that unauthorized users can't open a Word document saved to a shared drive, for example. This requires an E3 license or the purchase of an Azure rights management add-on license.
Office 365 Message Encryption
Message encryption in Office 365 requires the recipient to log in to read and reply to the encrypted message. It typically works through a one-time passcode to access the email in question, and you can customize the email notification and portal that users interact with. Message encryption is available on E3 Office 365 plans.
Mobile Device Management (MDM)
Mobile device management helps protect data on end user devices. MDM allows you to set up conditional access, user level policies, manage the users’ devices, and fully or selectively wipe the device if necessary. MDM will come free with Office 365 commercial subscriptions starting in May 2015.
Multi-Factor Authentication
Multi-factor authentication requires more than just a user name and password to authenticate to Office 365. It can be set up on a user-by-user basis. Users must log in with a user name and password, and then they’ll either receive a phone call or a text message (depending on the configuration); they must answer the call or enter the access code received via text into the browser. IP addresses can be whitelisted, meaning that when users are in your office, they don’t need to use multi-factor authentication, but if they’re at Starbucks, it will be required. Multi-factor authentication is a free feature available on all Office 365 plans.
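Per-user enablement of the kind described above is done with the MSOnline cmdlets of the period. This is an added example, not code from the session or the article; it assumes a Global Administrator role and the MSOnline module, and the UPN is a placeholder. The trusted-IP whitelist the article mentions is configured in the multi-factor authentication service settings in the Azure portal, not through these cmdlets.

```powershell
# Added example: enable per-user MFA and find users who are still not enabled.
# Assumptions: Global Administrator role, MSOnline module installed,
# alice@contoso.com is a placeholder.
Import-Module MSOnline
Connect-MsolService

function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # One requirement object that applies to every relying party ("*").
    # "Enabled" prompts the user to register a phone at next sign-in;
    # "Enforced" additionally requires app passwords for legacy clients.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = "*"
    $requirement.State = "Enabled"

    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($requirement)
}

# Users with no requirement set have never been enabled; this is the gap to close.
$notEnabled = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName, IsLicensed

$notEnabled | Format-Table -AutoSize

# Enable MFA for every licensed user that still lacks it.
$notEnabled | Where-Object IsLicensed |
    ForEach-Object { Enable-PerUserMfa -UserPrincipalName $_.UserPrincipalName }

# What each enrolled user actually registered (e.g. OneWaySMS, TwoWayVoiceMobile,
# PhoneAppNotification); a user who never completed registration shows nothing.
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationMethods.Count -gt 0 } |
    Select-Object UserPrincipalName,
        @{ n = "Methods"; e = { ($_.StrongAuthenticationMethods | ForEach-Object MethodType) -join "," } }

# Clearing the requirement list disables per-user MFA again (placeholder UPN).
Set-MsolUser -UserPrincipalName "alice@contoso.com" -StrongAuthenticationRequirements @()
```

The second report matters as much as the first: an account can be "Enabled" yet unprotected until the user finishes registering a method, so both lists should be empty before the rollout is considered done.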
Advanced Threat Protection
Exchange Online Protection currently covers all Exchange Online mailboxes as part of the subscription. Advanced Threat Protection will be available later this year as an additional subscription to protect your tenant from advanced threats such as spear-phishing and zero-day malware attacks.
Client Security
Don’t overlook security on the client machines that will access your Office 365 environment. Make sure security patches on the client machines are up to date. You can also set client access policy rules in Active Directory Federation Services that restrict users from logging in when they are on a given range of IP addresses. Note that Office 365 mobile device management conditional access will supersede this feature.
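An ADFS client access policy of the kind mentioned above is expressed as issuance authorization rules on the Office 365 relying-party trust. The following is an added example and not the session's or the article's own configuration; it assumes ADFS on Windows Server 2012 R2 or later (which supplies the request-context claims used here), a federation with Office 365 under the default relying-party name, and 203.0.113.0/24 as a placeholder for the corporate internet egress range.

```powershell
# Added example: deny Office 365 sign-ins that arrive from outside the
# corporate IP range. Assumptions: ADFS 2012 R2+, default Office 365
# relying-party trust name, 203.0.113.0/24 is a placeholder range.
Import-Module ADFS

# Requests arriving via the Web Application Proxy (extranet) carry x-ms-proxy.
# Requests that Exchange Online makes on the user's behalf (Outlook, ActiveSync)
# carry the end client's address in x-ms-forwarded-client-ip.
$claimProxy    = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
$claimClientIp = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
$claimDeny     = "http://schemas.microsoft.com/authorization/claims/deny"
$claimPermit   = "http://schemas.microsoft.com/authorization/claims/permit"

# 203.0.113.0/24 as an anchored .NET regex (placeholder; replace with your range).
$corpIpRegex = '^203\.0\.113\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'

# Rule 1: an extranet request whose forwarded client IP is absent or outside the
# range is denied. Browser requests through the proxy carry no forwarded IP,
# so they are denied too; only in-range clients reaching Exchange Online pass.
# Rule 2: everything else (including intranet requests, which have no x-ms-proxy
# claim) is permitted. ADFS denies if any rule issues a deny claim, so order
# does not rescue a denied request.
$rules = @"
@RuleName = "Deny extranet requests from outside the corporate range"
exists([Type == "$claimProxy"])
 && NOT exists([Type == "$claimClientIp", Value =~ "$corpIpRegex"])
 => issue(Type = "$claimDeny", Value = "true");

@RuleName = "Permit everyone else"
=> issue(Type = "$claimPermit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" `
    -IssuanceAuthorizationRules $rules

# Read back what is now in force before testing sign-in from inside and outside.
(Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform").IssuanceAuthorizationRules
```

Because the regex is the whole control, test it against boundary addresses (the .0 and .255 hosts, and an address one octet off) before applying the rule; a typo here locks out the wrong population rather than failing safely.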
Office Client Deployment
Office client deployment keeps client versions of Office current with the latest security updates. You have flexibility with regard to updates; for example, you can opt in to feature and bug fixes quarterly. You can control your Office deployments using an XML-based deployment process called Click-to-Run (available on Office 365 ProPlus plans only).
Sharing
The admin portal offers the option to enable or disable content sharing. You can turn sharing on or off for different apps within Office 365, including Sites, Calendar, Skype for Business and Integrated Apps. Reports are available that show what has been shared with whom, and you can revoke sharing directly from the admin center without needing to go into the app’s own settings.
Want to see Reid's presentation for yourself? You can watch the session in its entirety on the Microsoft Ignite website.