There’s little doubt that Microsoft’s Office 365 services have completely changed the way companies look at cloud services. Although others, like Google, were first to offer cloud productivity tools such as office applications and email, it’s Office 365 that has turned interest in the cloud into deployment in the cloud.
One of the keys to Office 365’s success has been their Outlook service. It offers enterprise-grade email without the overhead of establishing and maintaining your own infrastructure. However, it’s not a complete email service. A critical element in deploying an enterprise-grade email system is security.
With many email administrators and researchers reporting that in excess of 90% of email is spam, it’s critical that email security is considered as a specific requirement. It’s not good enough to assume Office 365’s spam filtering and security are adequate in today’s business environment.
Chris Elisan from RSA's FirstWatch team focusses on reverse engineering malware. It's through that work that he's come to understand how organised the malware business has become.
Developers of malicious software are only interested in the functionality of a piece of malware. So, rather than reinventing the wheel, they simply take an existing application and repackage it. Elisan's observation is that most of the attacks come from recycled malware.
"All they need to do is subject it to different armouring tools like packers or encrypters – any tool that obfuscates the malware," he said.
Elisan says this has spawned the 'malware factory' – an automated approach to creating and delivering malware that enables the bad guys to create and distribute new malware in just seconds using readily available tools.
Those tools allow malware developers and distributors to create highly targeted attacks through phishing, watering hole attacks and other specific threat vectors.
With such sophisticated adversaries it’s little wonder anti-malware vendors are constantly scrambling to keep up. This is why a security strategy that depends on a single vendor breaks down. No one vendor can keep up with every new threat.
What can you do to secure Office 365 and take your experience from great to exceptional?
1. Threat Protection
Microsoft offers a number of different security strategies as part of its service offering for Office 365. For example, there’s “Exchange Online Protection (EOP) – Advanced Threat Detection”, which executes potential threats in a sandboxed environment. This feature, however, adds a significant time delay before mail is delivered to the recipient. In addition, this service increases the cost per user per month by US$2. In a medium-sized company with 250 employees this adds US$6,000 to the annual operational cost of Office 365.
This isn’t a bad approach but it means you are putting all your security eggs in Microsoft’s basket.
A more robust approach is to apply a multi-faceted tool that uses threat detection engines from multiple security vendors. If you try to take this approach yourself, you will end up paying high licensing costs and bear the overhead of needing to manage multiple tools. However, there are solutions in the market that can apply multiple threat detection engines without the high costs and overhead of running multiple systems yourself.
CEO of cloud security vendor MailGuard, Craig McDonald comments, “Today’s threat landscape means you need to defend against motivated and resourceful adversaries. Along with a multipronged security solution, businesses need the cloud email filtering layer to reduce the window of time vulnerability from zero day malware attacks”.
2. Managing spam
Spam is one of the biggest annoyances users face with email. Although spam accounts for about 90% of the email flowing across the internet, and spam filters are generally pretty good at stopping most of the flow to user mailboxes, there are times when a legitimate email gets caught in the net.
The Office 365 spam filter does a reasonable job but graymail – email that the filter isn’t certain about – gets treated as spam. That means users don’t see messages that are potentially useful.
Microsoft’s standard EOP offering for Office 365 does not include specific threat protection techniques such as URL reputation checks or real-time link following. A recent whitepaper by Osterman highlights this, adding that additional security layers may be needed, especially with the increase in phishing and spearphishing attacks in recent times.
While all Office 365 plans offer administrator management of the spam quarantine, some plans limit access to the quarantine to the Exchange Admin Center management interface. Office 365 doesn’t directly support the deployment of redundant spam filters in parallel with Office 365’s built-in spam protection.
That means email administrators may need to consider a different solution so spam can be better managed.
The issue of spam needs to be addressed from two angles: stopping bad email from entering inboxes and not falsely marking good email as spam.
That means looking for an expert at understanding the content and origin of email who is able to protect users from malicious and time-wasting email as well as ensuring important messages aren’t incorrectly quarantined.
3. Service Levels
Take a look at Microsoft’s Service Level Agreement for Office 365. Does it actually address your risks and requirements? If your company operates in multiple jurisdictions, you might find that the way service levels are calculated and service credits are allocated following an outage does not properly compensate you.
In a company with staff split between North America and Europe, unplanned downtime in one territory, which impacts the entire business, could be downplayed in uptime calculations resulting in no service penalties being paid.
Although Microsoft provides significant levels of system redundancy as well as backups and other protective measures, their service guarantee doesn’t extend to “factors outside [Microsoft’s] control”. This means companies still need to put measures in place to protect themselves should Microsoft’s measures fail.
Companies need to conduct a thorough risk analysis in order to properly understand the consequences of their email service being compromised. That means not only thinking about the consequences of email being offline but what happens if inboxes are flooded with spam – resulting in performance issues and the potential entry of malicious software – and the impact of important email being incorrectly identified as spam.
Once those risks are properly articulated and quantified it's possible to evaluate options for better managing spam and the impact of a system outage.
Businesses can then evaluate Office 365 and other solutions to determine which is the best match for the company's risk profile.
"While some Office 365 customers start by relying on Microsoft's security tools, a large number are turning to third parties to complement Office 365," says MailGuard CEO Craig McDonald.
Office 365 offers businesses many significant benefits. However, it’s not a perfect solution. Taking it from great to exceptional means finding a robust security system that complements the services it delivers.
Office 365 (TM) is a registered trademark of Microsoft®