I’m sure you have read a million blogs about what you should be doing when it comes to achieving security for cloud applications like Office 365. I know because admittedly I have written some of them myself. But an idea came to me yesterday as I was training my 7-month-old puppy, Odin, on what NOT to do. He has the tendency to bark at other dogs and becomes extra alert at the sight of strangers. Naturally, I can’t have that taking place. The training is still a WIP…
Now securing Office 365 is not the same as training a puppy, but as IT security professionals, I think we can all benefit from a lesson on what NOT to do when it comes to securing one of the most popular cloud-based productivity suites (O365 is slated to outpace G Suite 29% to 13% in future years.). This reverse approach should make it easier for folks to eliminate the bad, shining some much needed light on some of the mistakes you might be making in your enterprise.
So here is the O365 security lifehack.
1. Stop ignoring the need for SSO and Multi Factor Authentication.
- Single-sign-on plays a crucial role in reducing the attack surface that criminals can use to access your sensitive data. By centralizing access to Office 365 and other cloud apps, you can get hold of unused accounts, identity sprawl, and weak passwords.
- Multi-factor authentication is a quick win for added security, making it tougher for cyber criminals to be successful in nabbing employee credentials and stealing sensitive data.
2. Stop viewing mobile security as a separate issue.
- Cloud apps have made it easy for any device, located anywhere, to access company data, leading to a proliferation of "cloud" data to "mobile" devices. Cloud security and mobile security must be part of the same conversation.
Controlling data accessibility from unmanaged mobile devices, and revoking data when required, such as when an employee leaves the company or when the device is lost or stolen, is key.
3. Stop being unaware of suspicious activity.
- Many companies make the mistake of thinking that O365 has enough security, out of the box cloud. But Office 365 does not provide visibility or audit logging for employee activity taking place within the application, making it impossible to tell that the sales rep that just left the company lifted next quarter's financial projections out of OneDrive on his last day.
4. Stop the leakage!
- JP Morgan, Sony, Anthem and HSBC serve as nasty reminders of the damage leaked data can cause. Office 365 offers some fairly limited DLP, but this only works for data sent between senders and email recipients already within O365. Classifying data and setting policies that secure your data, but don’t inhibit the productivity of your work for is a must have.
If your enterprise is struggling with any of these 4 topics then it’s your mission to make sure your CIO, CSO, CISO, CTO, or whomever has the decision making power, is aware.
Product Marketing Manager