Security "Bits"

Office 365 Security - Data Leakage Prevention

By Rich Campagna | October 8, 2015 at 6:30 AM

This the final post in a five-part series on Securing Office 365 (Post #1, Post #2, Post #3, Post #4). In this post, we'll tackle the topic of Data Leakage Prevention.

The consequences of data leaking getting into the wrong hands can be brutal. Home Depot, Sony, JP Morgan, Anthem, Premera all fell victim to breaches that exposed customer data to the world. Companies must be able to protect against data leakage, but since most data leakage prevention solutions protect only premises applications, migration to Office 365 makes those solutions irrelevant.

Office 365 does offer some basic built-in DLP functionality, but its capabilities are limited: it focuses only on data egress, or data sent between sender and email recipients already within the app. It doesn’t take into account the fact that the point of consumption, the employee’s device, is no longer a trusted/secured asset. DLP must flow in both directions—preventing sensitive data from leaving the organization but also on the outward path preventing that same data from being download to an unmanaged employee devices by tracking, encrypting, masking or blocking content.


CASBs allow the enterprise to set policies on data access, limiting who can access sensitive data, ensuring that compliance and security goals are met.

It is also important to remember that all data is not created equally. For example, most marketing materials are meant to be shared whereas customer credit card numbers and company secrets must be kept secure at all times. A CASB can help classify data and build security controls based on the sensitivity of the data being accessed. These controls include tracking, encrypting, masking or blocking data that is leaving your Office 365 cloud application, less sensitive data would most likely be embedded with data tracking technologies sensitive data would be encrypted, masked or even blocked from leaving the cloud app altogether.

Pro Tip: Many set out on a path of attempting to “block” certain transactions. Such an extreme measure must be applied only when absolutely necessary. Today’s employees know that they can find ways to “go rogue” if they don’t like the applications and security measures that IT puts into place— providing a desirable employee experience is the first step towards a successful data protection program.


You Can’t Outsource All of Security

That just about wraps up this 5-part series on Securing Office 365. Remember that a move to Office 365 can help you gain control over company data and online employee activity, but only if you rethink your information security strategy and recognize that outsourcing an application to a cloud app vendor doesn't mean that you can outsource all of security. Emerging technologies like Cloud Access Security Brokers can fill the security gaps in cloud applications. 


To help provide more color on Office 365 security challenges, we have created The Definitive Guide to Office 365 Security. We're providing the entire document via a series of posts on this blog. Of course, if you binge watched all of Game of Thrones on Netflix in one sitting, you might want to binge-read the Definitive Guide by "streaming" it to your device right here



see all