BYOD & Office 365: Considerations for Developing Your Company’s Cloud Access Security Policies


Let’s start with two big numbers … and one huge problem.

First, there are now an estimated 50 million Office 365 monthly active users. While that number pales in comparison to on-premises Office 2010 with its high of 750 million, it’s enough to make Office 365 one of the top cloud business applications in the world.

Second, a whopping 74% of businesses either already allow or are planning to allow employees to bring their own devices to work.

The common element across these two trends is security.

One of the biggest concerns with Office 365 is the struggle to control exactly who has access to which specific documents and data.

This problem stems primarily from how employees automatically “sync” their devices — especially their own devices (i.e., BYOD) — and often results in what’s called data leakage or spill.

To prepare your company for the collision of the business world’s two biggest trends — Office 365 and BYOD — we’ve put together a short guide on how to develop an effective BYOD security policy that can work in the real world.

The Basics of a Security Policy

Simply put, a security policy is a clear definition and set of protocols (standard operating procedures) that govern your company’s use of data and devices. Of course, these policies ultimately help ensure security best practices – whether the resource is on-premises or in the cloud.

A Cloud Access Security Broker (CASB) allows administrators to create cloud security policies that enforce access rules across data, devices, and users. Office 365 services such as OneDrive, and similar services such as Box and Dropbox, are often a good place to start when enforcing cloud security policies – especially for policies around unstructured data and files.

For example, a comprehensive security policy could address issues like disabling file auto-synchronization, enforcing multi-factor authentication for accessing regulated data in the cloud, restricting file access from unmanaged devices, and limiting file-sharing permissions based on job role or data type.

Some customers like to go further and enforce policies for users whose accounts are considered dormant (meaning they have not been used in, for example, the past 30-60 days), or for users whose password for a given service is too weak according to regulatory standards or industry best practices such as those published by the Cloud Security Alliance. While the service provider may allow a weak password, it may not meet your internal corporate governance requirements.

How Is a BYOD “Security Policy” Different?

BYOD security differs from securing standard Active Directory-managed desktop devices because personal devices aren’t owned, and typically aren’t managed, by your company’s IT department.

Personal devices can be bought, sold, traded, stolen, or lost at any time, and employees who use them to access company data may not follow appropriate procedures and erase their devices should they change hands.

What this means is that security and SaaS access controls for BYOD – that go beyond those provided by mobile device management products – must be a top priority.

For instance, finance employees may not need BYOD access at all due to the highly sensitive nature of the data they deal with. Executives and salespeople, on the other hand, rely heavily on BYOD, especially when away from corporate headquarters. Balancing job performance with security can be exceptionally tricky.

Bottom Line: What Needs to Be “Secured”?

Here are some issues that merit a closer look when it comes to cloud and mobile security:

  • Sharing rules:
    Establish clear guidelines regarding not only what files are shared with whom but who can extend that sharing and on which devices.
  • Data classification:
    Create policies for IT to periodically identify and review files in the cloud and the exposure those files create; understand access permissions associated with each file.
  • Data synchronization:
    By and large, automatic syncing should only be used where necessary. This will keep corporate data within sanctioned cloud apps and not on an employee’s iPhone, or worse, a hotel kiosk computer.
  • Thick clients and browser access:
    Many applications work differently under the hood – depending on whether the user is accessing from a browser or native mobile app (thick client). You’ll want to support both, although you may want to apply different policies, depending on which one is being used.
  • Account takeover prevention:
    Regular and ongoing multi-factor authentication is a must on all unmanaged devices to prevent account takeovers and protect against anomalous activities. Apply it judiciously, such as when anomalous activities are detected; otherwise, the user experience will suffer.
  • Administrators:
    Lastly, never overlook the human element. Manage and apply policies on your Office 365 and Exchange administrators so as to meet all your specific security and compliance requirements.
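
To make the rules above concrete, here is an added example (not from the original article and not any CASB product's API) that turns them into a single access decision: dormant accounts, role-based BYOD access, sync and sharing limits on unmanaged devices, and step-up MFA. The `Request` fields, the role names, the 60-day threshold and the sample requests are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 60            # assumption: upper end of the 30-60 day window
NO_BYOD_ROLES = {"finance"}  # assumption: taken from the finance example

@dataclass
class Request:               # hypothetical request shape, not a vendor schema
    role: str
    managed_device: bool
    action: str              # "view", "sync" or "share"
    data_label: str          # "internal" or "regulated"
    mfa_passed: bool
    anomalous: bool
    last_login: date

def decide(req: Request, today: date) -> tuple[str, str]:
    """Return (verdict, reason); verdict is allow, step_up_mfa or deny."""
    if (today - req.last_login).days > DORMANT_DAYS:
        return "deny", "dormant account"
    if not req.managed_device:
        if req.role in NO_BYOD_ROLES:
            return "deny", "role has no BYOD access"
        if req.action == "sync":
            return "deny", "auto-sync blocked on unmanaged device"
        if req.action == "share" and req.data_label == "regulated":
            return "deny", "regulated data not shareable from unmanaged device"
    # MFA only where it matters, so the user experience does not suffer
    needs_mfa = req.data_label == "regulated" or (
        req.anomalous and not req.managed_device)
    if needs_mfa and not req.mfa_passed:
        return "step_up_mfa", "MFA required before access"
    return "allow", "policy satisfied"

TODAY = date(2024, 6, 1)     # constructed evaluation date
RECENT = date(2024, 5, 30)   # constructed last-login date
SAMPLES = [                  # constructed requests, not real telemetry
    Request("sales", False, "sync", "internal", True, False, RECENT),
    Request("sales", False, "view", "regulated", False, False, RECENT),
    Request("finance", False, "view", "internal", True, False, RECENT),
    Request("executive", True, "sync", "internal", True, False, date(2024, 3, 1)),
    Request("executive", False, "view", "internal", True, False, RECENT),
]

def evaluate_samples() -> list[str]:
    """Verdicts for the constructed sample requests, in order."""
    return [decide(r, TODAY)[0] for r in SAMPLES]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.role, r.action, r.data_label, "->", decide(r, TODAY))
```

The order of the checks matters: the deny rules run before the MFA rule, so passing MFA never unlocks sync on an unmanaged device.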

Why Invest in a CASB?

Unfortunately, without a CASB, even the best in-house security policies are severely limited.

Three needs stand out.

First, the need to prevent specific unmanaged devices from automatically syncing files. Second, the need to find out what sensitive or regulated data is stored in the cloud and who the owners are. And third, the need to control (at a fine-grained level) file sharing across users, groups, and devices.

These needs each present a powerful reason to invest in a CASB.
