Office 365 Security Checklist: 7 Must Haves


With an estimated 50 million Office 365 monthly active users… Office 365 is now officially the number one business application in the world.

That’s great news for Microsoft.

And, that’s great news for the productivity of your organization. However, the one area it’s not necessarily great news… is security.

One of the biggest problems businesses face with Office 365 is the inability to control access from an increasingly mobile workforce. This problem stems primarily from how employees “auto sync” their devices — especially their own devices (i.e., BYOD) — and often results in security breaches, compliance violations, data leakage, painful downtime, and ultimately, lost money.

That’s why — to protect your data and keep Office 365 usage as productive as possible — we’ve put together this checklist of the seven most critical areas your business should address.

For an even more in-depth look at these seven must-haves, download the Skyfence for Office 365 Playbook.

1. Enforce Bring Your Own Device (BYOD) access rules

On Office 365, syncing data from Outlook and OneDrive to devices is automatic. Users are more often than not unaware of the amount of data that is either stored on their personal device or in the cloud.

Access rules control who can access which data and files and what they can do with them. If this matters to you, a Cloud Access Security Broker (CASB) belongs in the discussion.

Using a CASB gives your business fine-grained control over the fundamental problem: who has access to what, as well as who can sync which files. In addition, CASBs can limit access to files to “online or view only,” which prevents automatic syncing to untrusted devices – whether it’s a desktop in a hotel kiosk or an employee’s new iPad.

2. Prevent data leakage

Data leakage can occur maliciously or inadvertently. Let’s look at an example of the latter. A financial analyst on a business trip needs to print out an important, but confidential, file stored in his OneDrive account. He’s at his hotel’s business center, using one of their desktops. He downloads the file in question then prints it out. Though his intentions were good, he also created a security risk by downloading the doc to a device that his employer didn’t have visibility or control over.

Another scenario is that same financial analyst sharing a sensitive file with an external user via his OneDrive account.

How can a CASB help?

A CASB can be configured to inventory data and files sitting in OneDrive to understand their content, as well as scan for specific keywords, phrases, or regular expressions in real-time (at upload) so you can better prevent the leakage of sensitive and/or regulated data.

3. Control data and file sharing

With the proliferation of tablets, iPhones, iPads, and such, especially those that are personally owned and used for work purposes, keeping track of who and what is accessing your Office 365 services can be a challenge. At the same time, you want to have the flexibility to set granular policies based on role, department, and/or device. All-or-nothing policies might drag down employee morale and productivity.

Native Office 365 has limited controls over file sharing outside the organization. There are no user-based sharing controls, no destination-based sharing controls, and no data-aware sharing controls. For instance, sensitive or regulated content can be shared quite easily outside of your organization.

Controlling the sharing of sensitive data and files through granular policies is recommended to prevent data proliferation and to minimize the chances of sensitive data leaking out of your organization. For instance, you can enforce whitelists or blacklists of external users and domains, or block sensitive files from being shared. You can also apply controls on file sharing outside the organization based on various criteria (e.g., by user, destination, type of content, and more).
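The two ideas above, scanning content at upload for regulated data (section 2) and gating external sharing on an allowlist or blocklist of domains plus the file's classification (section 3), combined into one small policy engine. This is an added illustration, not Skyfence code; the patterns, domain names and sample document are constructed assumptions.

```python
import re

# Constructed detection patterns (assumptions, not the product's own rules):
# a 16-digit card-like number with optional separators, and a US SSN shape.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: cuts false positives on random 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Labels for regulated data found in the file content at upload time."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("credit_card")
    if SSN_RE.search(text):
        labels.add("ssn")
    return labels

def share_decision(text, recipient, internal_domain, allowed, blocked):
    """Sharing policy: internal recipients are always allowed; blocked external
    domains are always denied; files holding regulated data may only go to
    allow-listed external domains; everything else is allowed."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    labels = classify(text)
    if domain == internal_domain:
        return "allow", labels
    if domain in blocked:
        return "deny", labels
    if labels and domain not in allowed:
        return "deny", labels
    return "allow", labels

# Constructed sample: a OneDrive document about to be shared externally.
DOC = "Q3 expense report. Paid with corporate card 4111 1111 1111 1111."
if __name__ == "__main__":
    print(share_decision(DOC, "cfo@partner.example", "corp.example",
                         {"partner.example"}, {"rival.example"}))
    print(share_decision(DOC, "someone@mail.example", "corp.example",
                         {"partner.example"}, {"rival.example"}))
```

The first call is allowed because the partner domain is allow-listed; the second is denied because the document carries a card number and the recipient's domain is not on the allowlist.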

4. Protect against cyber threats

Account takeovers are a hacker’s number one goal. As such, prevention requires monitoring tools and an alert system to be in place.

For instance, if a user never logs in at 3am, but — out of the blue — there are several failed password attempts from a location thousands of miles away, that is probably not your user.

Of particular note is a new type of attack that just recently started making headlines. It’s called a “Man in the Cloud” attack and it involves the theft of authentication tokens to gain access to OneDrive accounts. The scary thing about this type of attack is that the attacker can access a victim’s account without compromising the victim’s username or password.

CASBs provide an ability to detect anomalies in the way employees use their account. In essence, CASBs can allow you to learn your users’ unique footprints and work habits.
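The "3am from thousands of miles away" scenario above, as an added example of the baseline-and-anomaly logic a CASB applies to sign-in activity. This is not Skyfence code; the log line format, the user, and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample sign-in log lines (the format is an assumption):
# timestamp, user, result, country.
HISTORY = """
2016-03-01T09:12:33Z alice Success US
2016-03-01T13:40:10Z alice Success US
2016-03-02T08:55:02Z alice Success US
2016-03-02T17:05:44Z alice Success US
""".strip().splitlines()

NEW_EVENTS = """
2016-03-04T03:01:05Z alice Failure BR
2016-03-04T03:01:40Z alice Failure BR
2016-03-04T03:02:12Z alice Failure BR
2016-03-04T09:30:00Z alice Success US
""".strip().splitlines()

def parse(line):
    ts, user, result, country = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, country

def build_baseline(lines):
    """Per user: hours of day and countries seen in successful sign-ins."""
    base = defaultdict(lambda: {"hours": set(), "countries": set()})
    for line in lines:
        ts, user, result, country = parse(line)
        if result == "Success":
            base[user]["hours"].add(ts.hour)
            base[user]["countries"].add(country)
    return base

def detect(lines, baseline, fail_threshold=3):
    """Alert on a run of failed sign-ins from an hour or country the user has
    never signed in from, and on any success from such a place."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        ts, user, result, country = parse(line)
        known = baseline.get(user)
        if known is None:
            continue  # no baseline yet; a real system would learn first
        unusual = country not in known["countries"] or ts.hour not in known["hours"]
        if result == "Failure" and unusual:
            failures[(user, country)] += 1
            if failures[(user, country)] == fail_threshold:
                alerts.append((user, country, ts.hour, "failed_burst"))
        elif result == "Success" and unusual:
            alerts.append((user, country, ts.hour, "new_location_success"))
    return alerts
```

Running `detect(NEW_EVENTS, build_baseline(HISTORY))` raises one alert for the three failures from BR at 03:00 and none for the normal 09:30 sign-in from the US.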

Enforcing two-factor authentication is also an excellent way to ensure that the person logging in is who they say they are. This works by the user entering their name and password, followed by a special code that is texted to a pre-approved device. The user then types in this single-use code to gain access to their files.

5. Manage admin accounts

Who are your Office 365 administrators?
Do they need access to business-critical files?
Can they be trusted to not read sensitive emails?

It’s not uncommon in IT departments for a junior administrator to snoop through his boss’s emails and discover things such as salaries. This causes a lot of internal problems, not to mention the risk of external leaks.

Simply limiting your number of admins, creating job-specific levels of access, and having clear, trust-related conversations with everyone are excellent ways to get proactive about these concerns. Beyond this, CASBs can help secure the admin accounts against account takeovers and monitor and log all activity.

6. Protect ADFS against DDoS attacks

One of the main functions of Active Directory Federation Services (ADFS) is to facilitate single sign-on for Office 365. Because it’s so crucial, many evildoers become laser-focused on bringing down ADFS via distributed denial of service (DDoS) attacks. By taking down ADFS, you’re essentially wiping out access to the various Office 365 services.

Computers are such an integral part of businesses today that if they go down, financial losses are massive. Employees waiting for computers or applications to become available, lost transactions, and loss of data all cost money.

To protect against DDoS attacks, a CASB should ideally be integrated with a content delivery network that also provides DDoS protection for both ADFS and the CASB tenant in the cloud. In this way, the CASB itself does not become a vulnerability point. If the CASB is hit with a DDoS attack, it’ll survive by virtue of sitting within a network with built-in DDoS protection.

7. Compliance and governance

Businesses these days are subject to all kinds of compliance requirements. If you’re dealing with credit cards, PCI likely comes into play. There are specific security standards on authentication, password strength, and encryption, among others, that you need to be aware of. So, even though your Office 365 instance is sitting in the cloud, it’s not entirely on Microsoft to get customers PCI-compliant. Customers must shoulder some of the responsibility as well to meet PCI requirements. Therefore, benchmarking your Office 365 settings against PCI mandates is essential to identifying where your policies, procedures, and technology may not meet regulatory minimums.

And don’t forget… keep an eye on ex-employees (see example from above), contractors, or suppliers that could represent areas of risk. They might have access to your Office 365 services, which are home to lots of sensitive (or even regulated) data.

Let’s take the medical field as an example. When it comes to privacy laws, HIPAA compliance is table stakes. A HIPAA breach could be extremely damaging to both patients and doctors. Doctors will face massive fines from the state and federal regulatory boards. Clients could have their identities stolen. They could also have embarrassing illnesses exposed to the general public. Any way you look at it, security and compliance risks lurk around every corner.

To find out exactly how a CASB can help protect your entire Office 365 suite, click here to connect directly with a Skyfence specialist.