Office 365 Security & Shared Responsibility: What You Need to Know to Protect Yourself


There’s a certain sense of security that comes from committing your company’s data and applications to a major provider.

And nobody’s bigger than Microsoft.

Naturally, it’s easy to assume that outsourcing sensitive information to a company of that size and stature means it’s safe.

Unfortunately, this just isn’t true.

Instead, Microsoft — along with many other popular cloud apps — works off a shared responsibility model.

As Microsoft themselves acknowledged earlier this year:

Cloud security is a shared responsibility between Microsoft and all our tenants. We . . . protect the infrastructure, we detect fraud and abuse and we respond to incidents by notifying customers.

What does this mean to you?

At the end of the day — while there are industry-standard security measures cloud providers must abide by — you and only you are responsible for ensuring your data doesn’t fall into the wrong hands.

Below is a brief guide for identifying what security Office 365 applications offer and what responsibilities you have in keeping your information secure.

Microsoft’s Responsibility for Cloud Security

Microsoft’s Office 365, with over 50 million subscribers, remains one of the largest cloud applications. For this reason, and because many of the other cloud providers have similar policies, we’ll focus on what protection Microsoft offers for your data, and what protection you should consider beyond that.

The security strategy used by Microsoft can be broken into the following four steps:

Prevent: The first step focuses on the general prevention of data compromise directly from Microsoft’s servers.

Detect: Second, the detect step flags and alerts if and when a breach occurs.

Respond: Third, Microsoft responds to the breach, attempts to remove the compromised access, and alerts its customers.

Recover: Last, Microsoft attempts to recover from the breach and adjusts its current security settings accordingly.

The above model has led to the following features that are available in Office 365:

  • Encryption at rest or in transit
  • Anti-malware controls
  • Anti-spam controls
  • Anti-virus scanning
  • Multi-factor authentication (on user login only)
  • CCM/SOC certifications for at-rest data

While these features are a great starting point, alone they are not enough.

Your Responsibility for Cloud Security

The shared-responsibility model means that organizations also need to enlist the help of either a dedicated IT team or a cloud access security broker — like Imperva Skyfence — that is specifically designed to augment Microsoft Office 365 in order to fully secure their data.

Here is a sampling of the additional security features needed beyond what Microsoft offers natively:

  • Controlling BYOD access to data and services
  • Preventing data proliferation to untrusted devices
  • Distinguishing between managed and unmanaged devices
  • Protecting against threats such as account takeover
  • Controlling file sharing and access to regulated data stored in the cloud
  • Protection against data and intellectual property leakage

You can start protecting your data right now by following this list of absolute “musts”:

Protect user passwords: For obvious reasons, password protection (including eliminating passwords that violate best practices) is the organization’s responsibility, and it is the first simple step you can take to prevent security breaches. IDaaS vendors such as Okta, Centrify, Ping, OneLogin and SecureAuth can help.

Restrict user access rules: Only give users permission to access the data they need to do their jobs. There is no reason to open up all of your data to everyone in the organization, and there is no reason for files stored in Office 365 to carry excessive sharing permissions.

Restrict personal access devices: BYOD access rules should be set on a departmental or individual basis to rein in unnecessary and potentially compromising data leakage. We are seeing many organizations opt to restrict or limit cloud access privileges for all unmanaged devices.

Enforce Data Leak Prevention for Files in the Cloud: Users love their Box and Dropbox accounts. Evaluate tools that can identify sensitive and regulated data (both in motion and at rest) and the sharing permissions associated with that data.

Manage admin accounts: Always keep audit trails so you can keep a close eye on admin accounts – these accounts hold the keys to the Office 365 kingdom.
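Keeping an audit trail only pays off if someone reviews it, so here is a small review routine for the admin-account point above. It is an added example, not code from the original post or from Imperva Skyfence: the log lines are constructed, the record schema (`time`, `user`, `operation`, `ip`, `admin`, `target`, `role`) is a simplified assumption rather than the real Office 365 export format, and the corporate address range is an assumed documentation prefix. It flags two things an admin audit review should never miss: any change to privileged role membership, and any admin sign-in from outside the corporate network.

```python
import ipaddress
import json

# Constructed sample audit records (not real Office 365 export data). The
# schema is a simplified assumption: one JSON object per line with the fields
# time, user, operation, ip and admin, plus target/role for role changes.
SAMPLE_AUDIT_LOG = """\
{"time": "2016-03-01T08:02:11Z", "user": "alice@example.com", "operation": "UserLoggedIn", "ip": "203.0.113.10", "admin": true}
{"time": "2016-03-01T08:05:40Z", "user": "alice@example.com", "operation": "AddMemberToRole", "target": "bob@example.com", "role": "Global Administrator", "ip": "203.0.113.10", "admin": true}
{"time": "2016-03-01T09:12:00Z", "user": "carol@example.com", "operation": "FileAccessed", "ip": "203.0.113.10", "admin": false}
{"time": "2016-03-01T23:41:03Z", "user": "alice@example.com", "operation": "UserLoggedIn", "ip": "198.51.100.77", "admin": true}
"""

# Assumed corporate egress range (the TEST-NET-3 documentation prefix).
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate(ip):
    """True if the address falls inside one of the corporate networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def review_admin_activity(records):
    """Return the findings a reviewer should look at: every privileged-role
    change, and every admin sign-in that did not come from the corporate network."""
    findings = []
    for rec in records:
        if rec["operation"] == "AddMemberToRole":
            findings.append({
                "severity": "high",
                "time": rec["time"],
                "summary": f'{rec["user"]} added {rec["target"]} to role {rec["role"]}',
            })
        elif rec.get("admin") and rec["operation"] == "UserLoggedIn" and not is_corporate(rec["ip"]):
            findings.append({
                "severity": "medium",
                "time": rec["time"],
                "summary": f'admin {rec["user"]} signed in from non-corporate IP {rec["ip"]}',
            })
    return findings


if __name__ == "__main__":
    for finding in review_admin_activity(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding["severity"], finding["time"], finding["summary"])
```

Role-membership changes are rated higher than off-network sign-ins because a role grant is the moment a compromised admin turns into a persistent one; the sign-in finding is the earlier, noisier signal that something may be about to happen.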

Use MFA (Multi-factor Authentication) when needed: The key here is to require MFA only when there is questionable or high-risk activity. Overapplying MFA and forcing employees or organization members to log in repeatedly will cause productivity to drop.
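The "MFA only when needed" point above, together with the earlier advice to limit access from unmanaged devices, amounts to a risk-based access policy: score each sign-in on the signals you have, let low-risk sign-ins through, step up to MFA in the middle, and block the rare sign-in that stacks several bad signals at once. Below is such a policy written out as an added example; it is not code from the original post or from any vendor named here. The `LoginContext` fields, the weights and the two thresholds are assumptions chosen to make the shape of the policy clear, and would be tuned per tenant in practice.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    """Signals available at sign-in time (constructed; field names are assumptions)."""
    user: str
    is_admin: bool
    device_managed: bool
    country: str
    usual_countries: frozenset
    new_device: bool
    failed_attempts_last_hour: int


# Assumed weights: each present signal adds its weight to the risk score.
WEIGHTS = {
    "unmanaged_device": 40,
    "unfamiliar_country": 40,
    "new_device": 20,
    "recent_failures": 30,
    "admin_account": 20,
}
MFA_THRESHOLD = 40     # at or above this, step up to MFA
BLOCK_THRESHOLD = 100  # at or above this, refuse the sign-in outright


def risk_score(ctx):
    """Sum the weights of every risk signal present in the sign-in context.
    Returns (score, list of signal names that fired) so the decision is explainable."""
    signals = {
        "unmanaged_device": not ctx.device_managed,
        "unfamiliar_country": ctx.country not in ctx.usual_countries,
        "new_device": ctx.new_device,
        "recent_failures": ctx.failed_attempts_last_hour >= 3,
        "admin_account": ctx.is_admin,
    }
    reasons = [name for name, present in signals.items() if present]
    return sum(WEIGHTS[name] for name in reasons), reasons


def access_decision(ctx):
    """Map the risk score onto allow / mfa / block."""
    score, reasons = risk_score(ctx)
    if score >= BLOCK_THRESHOLD:
        decision = "block"
    elif score >= MFA_THRESHOLD:
        decision = "mfa"
    else:
        decision = "allow"
    return decision, score, reasons


if __name__ == "__main__":
    # Constructed sign-in scenarios for illustration.
    scenarios = [
        LoginContext("carol@example.com", False, True, "US", frozenset({"US"}), False, 0),
        LoginContext("carol@example.com", False, False, "US", frozenset({"US"}), False, 0),
        LoginContext("alice@example.com", True, True, "US", frozenset({"US"}), False, 0),
        LoginContext("alice@example.com", True, False, "RO", frozenset({"US"}), True, 0),
    ]
    for ctx in scenarios:
        decision, score, reasons = access_decision(ctx)
        print(f"{ctx.user:22} {decision:5} score={score:3} {reasons}")
```

Two properties are worth noticing. An admin on a managed device in a familiar country scores only 20 and is not prompted, which is exactly the "don't overapply MFA" goal; the same admin on a new, unmanaged device in an unfamiliar country stacks four signals and is blocked rather than merely challenged, because at that point an MFA prompt is a weaker control than simply refusing until someone checks.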

That’s a tall order. But remember, no matter how big the organization you commit your data and applications to … ultimately you’re the one responsible for ensuring comprehensive cloud security. While your apps may be moving to the cloud, ensuring their safe and productive use is still an in-house job.

To find out exactly how Imperva Skyfence Cloud Access Security Broker (CASB) can help you succeed with your side of the shared security model, click here to connect directly with a Skyfence specialist.