Office 365 Security: It Takes Two to Tango

Many cloud apps – including Office 365 – operate under a shared responsibility model. Here’s what that means for your company

By Beth Stackpole, Feature Writer, Symantec

Security concerns, once a long-standing hurdle to cloud deployment, may be on the wane, but the issue is still very much alive when it comes to cloud-based applications such as Microsoft Office 365.

It’s not that Office 365 is inherently less secure than other SaaS offerings; it’s that companies still harbor misperceptions about the shared responsibility model now commonplace for many cloud applications, including Microsoft Office 365. The issue is particularly acute given the rising popularity of the Microsoft cloud platform. Global cloud adoption has topped 81 percent, while Office 365 usage has surged from 34.3 percent to 56.3 percent over the last year, eclipsing Google’s G Suite, which held steady at 25 percent.

Under the shared responsibility model, security of physical assets, host infrastructure, network controls, and application-level controls is squarely in the hands of cloud service providers (CSPs) like Microsoft, but that hardly covers all the bases. Identity and access management and client and endpoint protection remain a split responsibility between the CSP and the customer; more importantly, the enterprise needs to take the reins when it comes to data security and classification, a delineation that is often lost on customers who expect that a SaaS solution means security requirements are taken care of.

“One of the most common misperceptions is that Microsoft, by default, is protecting all the data and that’s simply not the case,” says Swapnil Deshmukh, senior director of information security at Visa. “Organizations need to figure out how to protect the application stack and any code that resides there as well as how to protect data stored on the cloud itself.”

Not surprisingly, there have already been some well-publicized breaches. A wave of phishing attacks aimed at stealing passwords used Microsoft 365 Office files posing as tax forms, affecting millions of users. And then there was last year’s mishap when the Office 365 Admin Center itself inadvertently revealed usage data belonging to other tenants, which highlighted the risks in the context of regulations like the European GDPR (General Data Protection Regulation).

A holistic security approach

Symantec’s 2018 Shadow Data Report, which covers the key challenges encountered when trying to secure data and maintain compliance in cloud apps and services, reveals just how high the stakes have become. The report found that 32 percent of emails and attachments in the cloud are broadly shared and 1 percent of those contain compliance-related data, including Personally Identifiable Information (PII), Payment Card Information (PCI), and Protected Health Information (PHI), revealing a much higher risk than anticipated.

Moreover, 68 percent of organizations have some employees who exhibit high-risk behavior in cloud accounts, encompassing everything from data destruction to data exfiltration and account takeovers. It gets worse: The 2017 Symantec Internet Security Threat Report (ISTR) found that in 2016 one out of every 131 emails contained a malware attack, and 61 percent of organizations were hit by ransomware incidents.

Microsoft Office 365 delivers an array of security controls, including encryption of data both at rest and in transit, threat management and security monitoring capabilities, and online protection to ward off spam and malware. Azure Active Directory is used for authentication, identity management, and access control, and there is support for multi-factor authentication. The platform also has a built-in feature for email encryption, but it isn’t part of the default settings.

This highlights a problem for many users who simply don’t know what’s available beyond Office 365’s default security controls, notes Payton Moyer, president and COO of MLS Technology Group, a managed IT services provider. “Office 365 offers baseline security features baked in and ready to go by default, but to get the maximum security, you have to make an effort to add capabilities and turn them on,” he says.

What’s really important, experts say, is for enterprises to layer on additional security capabilities, including digital rights management, Data Loss Prevention (DLP) services, and threat analytics, blocking, and remediation.

Adds Symantec Senior Technical Sales Manager, Adrian Covich: “People are looking for the base functionality and don’t necessarily proceed with security in mind. They also misunderstand the point to which Microsoft will secure them out of the box versus what they still need to do. There are still fundamental questions you need to answer with SaaS when it comes to the delineation of responsibilities and who has access to data. Are your users who they say they are? What data are you storing and are your business processes sufficiently secure?”

These extra protections should work holistically across the entire enterprise domain, not just for the Microsoft Office 365 cloud silo. To this point, a Cloud Access Security Broker (CASB) can integrate Office 365 and other cloud apps into the broader enterprise security architecture, delivering visibility into shadow IT and cloud application usage, providing data governance and controls for data stored in cloud apps, and leveraging machine learning and user behavior analytics to deliver advanced security and data protection.

“A CASB sits between the enterprise end user and Microsoft Office 365, looks at all the data, and allocates the right controls to it,” says Visa’s Deshmukh. “It stops data exfiltration avenues from an internal perspective and identifies adversaries that may have compromised end users.”

By sharing responsibility and taking a holistic approach, enterprises can close security gaps, minimize potential risks, and ensure a stress-free path to the cloud.

This post was originally published on Sept. 24, 2018, on Symantec.com.

Zero-Day in the Cloud – Say It Ain’t So

By Steve Armstrong, Regional Sales Director, Bitglass

Zero-day vulnerabilities are computer or software security gaps that are unknown to the public – particularly to parties who would like to close said gaps, like the vendors of vulnerable software.

To many in the infosec community, the term “zero-day” is synonymous with the patching or updating of systems. Take, for example, the world of anti-malware vendors. There are those whose solutions utilize signatures or hashes to defend against threats. Their products ingest a piece of malware, run it through various systems, perhaps have a human analyze the file, and then write a signature. This is then pushed to their subscribers’ endpoints in order to update systems and defend them against that particular piece of malware. The goal is to get the update to systems before there is an infection (sadly, updates are not always timely). On the other hand, there are some vendors who reject this traditional, reactive method. Instead, they use artificial intelligence to solve the problem in real time.

When assessing threats, it comes down to what you don’t know. It can be difficult to respond to unknown threats until they strike. As they say, it’s not what you know that kills you. This is also true in the SaaS space. The analogy is simple: new applications appear daily – some good, some bad – and even the good ones can have unknown data leakage paths. Treat them as a threat.

In order to respond to unknown cloud applications, you can do one of two things.

First, the standard practice from CASBs (cloud access security brokers) is to find the new application, work to understand the originating organization, analyze the application, identify the data leakage paths, gain an understanding of the controls, and then write a signature. This is all done by massive teams of people with limited capacity – very much like the inefficient, signature-based anti-malware vendors. It can take days, weeks, or even months until an application signature is added to a support catalog. For organizations that want to protect their data, this is simply not good enough.

Option two is to utilize artificial intelligence and respond to new applications in the same manner as advanced anti-malware solutions. This route entails analyzing the application, identifying the data leakage paths, designing the control, and securing the application automatically in real time.

New, unknown applications should be responded to in the same fashion that an enterprise would respond to any other threat. Rather than waiting days, weeks, or months, they should be addressed immediately.