[Editor’s note: This is part 4 of a 4-part series of Q&As that Symantec is conducting with experts and practitioners in the field, examining the myriad security issues involved with Office 365.]
There’s no shortage of security questions customers confront when they move to the cloud. That’s why we sought out Gary Gauthier and Jeff Falcon from CDW for their advice about what organizations should consider in order to secure their Office 365 implementations.
Jeff is a principal security architect whose actual day-to-day job revolves around helping customers with any short-term or long-range security initiatives. Gary is the team lead for CDW’s thought solution services team with a focus on cloud security.
Q: Where do you think customers go wrong when it comes to O365 security?
Gary: The biggest thing that I see is with customers making a mistake assuming that security is covered by Microsoft, or that they handle all of that. Many assume that just because they’ve offloaded certain responsibilities from a software perspective, that they’re also covered from a security perspective.
Jeff: Gary's right on the money. Although many security tools are offered in the standard contract through Microsoft, it’s imperative that Office 365 customers don’t skip over the fundamental basics.
Q: What should that entail?
Jeff: Things like multi-factor authentication are an absolute must. Do not use Office 365 without enabling some type of multi-factor authentication. It is also imperative to enlist some type of service that has a deeper set of controls and inspection capabilities around the Office 365 application ecosystem so that there’s a sound set of tools around it.
Q: When it comes to SaaS ecosystems and the components of security hygiene, what are the big security differences you see with other application implementations?
Jeff: From a security practitioner's point of view, we should take a unique approach to securing data, securing those applications, and securing that entire ecosystem in terms of who has access. There are all sorts of conduits in and out of the organization by leveraging that platform. Obviously, the intended use of those applications is to promote better business collaboration with coworkers and customers. But at the same time, all it takes is a slight tap on your phone, and things can go awry pretty quickly.
Q: In other words, a bigger footprint also translates into a bigger potential vulnerability?
Jeff: The surface area of exposure and risk is greatly increased, and that should be the red flag for administrators. Far too often, we find out that security was brought in either right at the last yard line before things go live - or not at all until something bad happens. That is also a pitfall that we unfortunately recognize throughout these projects as well.
Gary: If I had to put a percentage on it, I would probably say that Office 365 is driving 80 percent of those multi-factor authentication conversations. It is quite telling, especially when you start thinking about all the different devices that users can access.
Q: When you talk with customers about how to secure their 365 implementations and proactively protect themselves, how should they think about application security?
Jeff: We want to look at ways that hopefully detect and give us a better chance of finding things like hidden URLs in the message body of an email attachment that could lead to malware or ransomware. There’s a massive amount of malicious content that gets embedded and hidden in the message body of email attachments.
The next thing would be to secure their e-mail flow and try to eliminate spoofing and enable strategies that help detect business email compromise attacks, which are a very real thing. The policy tools that are delivered out of the box are not good enough. Organizations have to look hard at ways to not only train their employees, but to complement that by leveraging Machine Learning technology and integrating that into any system that can help. Lastly, I'll add a higher-level concept to this conversation, which is data-loss prevention. If we look at preventing data loss, or just simply detecting abnormal data movement, that could signal some preempted data filtration by an insider.
There are tools that help wrap themselves around Office 365 and some of its close cousins like OneDrive to ensure that the workspace is protected, to make sure that behavioral patterns are benchmarked and measured and established and reported. That’s going to help me secure your data, stop threats, and refine your policies for controlling access to that email. So, the short list looks like multi factor authentication, cloud application security, securing the email flow, and data loss prevention.
Gary: Security professionals also have to consider their users and the user experience. You know it's one thing to be as secure as possible, but you don't want your end users not being able to easily access Office 365 or other cloud applications. And that's where implementing proper, more modern identity solutions from an identity management perspective comes into play. You can still graph all of those security solutions around Office 365 and still have a great user experience with a user being able to single sign in to their many different cloud applications.
Q: When thinking about combating threats to Office 365 security, what tactics should customers consider?
Gary: We promote education, so we'll sell a solution where a customer can send internal fake malware or a fake phishing email and then the customer can self-assess how their users did and make them go through additional training if they clicked on something malicious etc. We would tell customers to do that regardless whether or not they are using Office 365.
Jeff: That's a great point. If we collectively look at the stack of applications within Office 365 - and I’m thinking about the fundamental principles that security practitioners share - one of those cornerstones that should help drive proper security controls - while, of course, not impeding the user experience - is to enforce the principle of least privilege and build a model that strives to achieve least privilege access to data.
Q: What are some of the questions they ought to ask?
Jeff: Hopefully, when they’re discussing the type of information that they are housing or sharing or where users may have access to, it would sound like this: Who has access to my data? Should those users have access to that data? What type of data exists? How much structured versus unstructured data is permeating throughout that ecosystem? Who are the data owners and how do I begin the daunting task of classifying that?
Q: Why is data classification so key to this?
Data classification is important because it helps enable users to better track and secure sensitive files across all of the enterprise data stores. It helps enforce the principle of least privilege. It helps with compliance and regulation. Simply put, it takes the proper context and story around mislabeled files that can keep sensitive data that everyone may have access to so it closes that surface area by enabling permission and access entitlement rights to the right users for the right information at the right time.