What Makes you Think Office 365 is Secure?
You moved your email and documents to the Office 365 cloud and you assume Office 365 security is actually secure. Out of sight, out of mind, right? Microsoft wouldn’t sell anything that was not secure, right? Secure enough for whom?
Raise your hand if you think that any one size fits all solution works for everyone. Have you looked at what they provide? What is standard, what is optional? How about whether what they provide is best-in-class? You didn’t? Well we did.
We Did an Analysis of Office 365 Security and Came to Some Conclusions
- Microsoft gives the illusion that all the security you need is provided in Office 365 bundles.
- However, many Office 365 security features are extra (eg. Adv. threats, Archiving, Adv. Security)
- Third party security is better – Microsoft is not known as a best-in-class security provider.
- Third party solutions can integrate with the rest of your security. Microsoft O365 security ignores the bigger picture.
Next Generation security should provide integrated cloud application, endpoint, gateway, network, email and identity other security together and not treat O365 as an Island.
Here is a checklist of what you should be looking for in your Office 365 security solution.
Office 365 Security Checklist
a Office 365 security should be “integrated into your security infrastructure, not an island”.
Your O365 solution should share visibility, and threat intelligence from firewalls, endpoints, networks, email, Web, and identity management. This sharing can enable system-wide remediation and forensics.
Integrating Office 365 and other cloud applications into one security solutions is important as everything moves to the cloud. Visibility, usage control, threat prevention, and forensics for all your cloud applications, not just O365.
a Your security should be best-in-class security in each security area (cloud, email, web, endpoint etc.).
Bundles are nice, but not necessarily the best way to get good security.
a You need a full email security solution including the following:
- Anti-Phishing, Spear Phishing, CEO fraud protection
- Anti-malware including advanced threats (such as ransomware, APTs)
- Encryption, DLP
- System Interruption Continuity
- Email Archiving & e-discovery
a Data Security such as DLP, encryption, anti-malware for SharePoint, One Drive is important
a Granular data/email backup and restore and the ability to restore mailboxes from a specific date.
How Does Microsoft Office 365 Security Rate?
1. Product Features: Great office product. Great integrated package and easy to consume.
2. Strength of security:
Microsoft does not have best-in-class security. See Microsoft Security Report Card” below. Microsoft is not a leader in most security reports and tests and the breadth of their security solutions in narrow. Other vendors provide solutions for email security, Office 365 security and CASB solutions that are best-in-class. Many third-party solutions are integrated across multiple security areas to provide a strong overall solution.
Many of Microsoft’s Office 365 security solutions are add-ons with additional per user cost. The strength of these solutions lags best-in-class third party vendors. Third party solutions should be evaluated against these optional services before buying.
3. Integrates with Your Other Security: Microsoft does provide integrated multi-factor authentication, email security and some data security, but their solutions are limited to Office 365 and any security intelligence is not sharable by any of your other security solutions like firewalls, endpoints, web security etc. Other vendors provide integrated solutions which aid in prevention and remediation of ransomware and APTs.
4. Integrates with Your Other Cloud Application Security: Microsoft provide a light CASB solution in the E5 Enterprise version, but otherwise does not provide an integrated solution for your cloud apps. The focus is on Office 365 and limited visibility of other cloud applications. Again, third party CASB applications can do a better job of providing visibility, security and management of all cloud applications. If you have cloud applications (and we all do), you should be thinking about the cumulative effect of moving everything to the cloud and how to secure it.
Office 365 Security Checklist Conclusions
1. If you are concerned about security, don’t take the Microsoft bundle, define an integrated best-in-class solution.
2. Microsoft only protects Office 365. It is not the best solution you can get.
3. This is not about the cost of security, this is about the quality of your security.
4. Third party security solutions can provide:
- Better security for advanced malware, ransomware, spam, phishing, CEO fraud, backup
- Solutions that integrate with your other security: providing stronger prevention, detection, remediation, forensics
- Solutions that provide security for all your growing list of cloud applications, not just Office 365
Contact us to discuss how we can help you evaluate the Office 365 security checklist and your company’s security. Integrated best-in-class solutions provide better security for your entire organization and we can help you get there.
Microsoft Office 365 Security Detailed Report Card
Office 365 security does provide integrated security protection for your security infrastructure. It does not protect your endpoints, gateway, other cloud applications nor does it integrate with the rest of your security infrastructure except for your SIEM. It as an island solution and integrated solutions are available.
Customers need advanced ransomware and Advanced Persistent Threat protection. Microsoft has an Advanced Threat Prevention solution that is not included on any O365 subscription except the Enterprise E5 level. It is available as a $2/user/Month option, but at end of the day, do you trust Microsoft to provide best in class protection? See the section “Should you Trust Microsoft Security” below.
Customers need advanced phishing, spear phishing and need to prevent CEO fraud. Office 365 security only provides basic link and attachment security and that is an optional service on all but the Enterprise E5 subscription. Third parties are innovating in this area so best-in-class might be a better bet.
Email Archiving & e-Discovery is missing from the core O365 offerings. It is required for companies to comply with FRCP regulations related to civil lawsuits. While it is available as a $3/user/month option or standard on the Enterprise E5 version, it might be wise to get this feature as part of a more powerful Email or O365 security solution.
Data backup & granular restore. While O365 backs up your data, the ability to restore files or emails deleted accidentally is not provided. The ability to restore your mailboxes from a specific date is also useful which is not provided by Microsoft. This another area where a 3rd party solution might make sense.
Should you Trust Microsoft security? Is it good enough? Is it as good as dedicated security vendors solutions? Analyst and test reports for Microsoft endpoint and email security say it is not best-in-class. Additionally, their security line is not broad and they cannot provide a broadly integrated security solution.
Endpoint Security – Windows Defender reviews.
- Rates near bottom of AV-Test 4-2017 Windows 10 system testing
- PC Magazine rates Windows Defender as “FAIR” 5-15-17. Weak on Phishing detection.
- Per Gartner 1-2017, Microsoft lags all the leading 5 endpoint security brands in vision.
Email Security Quality
- Radicati rates Microsoft with the lowest functionality and vision of all secure email gateway vendors as of Nov. ’16.
- Gartner PeerInsights reviews gives Microsoft Email Security a weak 3.8 out of 5 rating.