Security "Bits"

The Data Blind Spot: Where O365 Security Falls Short

By Chantelle Patel | October 13, 2016 at 1:04 PM


Over time, the number of enterprises migrating from their premises-based applications to cloud applications has dramatically increased. Surveys show that Office 365 is the leading SaaS productivity suite, far surpassing apps like G Suite and Box.

There are a number of reasons for this shift, including cost reduction, increased productivity, and the ability to allow employees to be more mobile.

The great thing about these cloud apps is that responsibility for the physical security of the infrastructure and for vulnerabilities lies with the app vendor. Unfortunately, apps like Office 365 focus only on certain security features, which makes it impossible for enterprises to rely solely on native app security.

So where does O365 fall short? Enterprise data protection.

Once data in the cloud is accessed or downloaded to an end-user’s device, an organization with inadequate control and visibility over that data has no recourse. Every security-conscious enterprise should have the following: end-user device protection, visibility and analytics, detailed logs on activity involving corporate data, and overall protection of data-at-rest.

O365 security requires that IT leaders consider four key components: cloud, mobile, access, and identity. Out of the box, these capabilities are lacking.

Cloud: For data-at-rest in the cloud, the primary concern is data leakage via external sharing, made easier than ever with O365. Enterprises need the ability to limit external shares based on the content of files to keep sensitive PII and PHI from leaking out, a capability that requires third-party solutions that leverage O365’s robust APIs.

Access: Protecting data in the cloud requires granular control over access. With O365, you can outright block or allow access to certain files, but cannot redact, encrypt, or DRM files based on the context of access.

Mobile: Traditionally, organizations have turned to mobile device management solutions to help them monitor employee-owned devices, but MDM solutions are often rejected by employees because they are too invasive. O365 is unable to distinguish between managed and unmanaged devices, making it impossible to tell whether the device being used to download sensitive data is secure.

Identity: Native O365 security provides limited cross-app visibility. While IT can easily identify a suspicious login to Office from a new device, the ability to see activity across applications provides a much better sense of potentially malicious behavior.

For complete security and control over data in O365, organizations need a complete solution that provides total cloud and mobile security. Learn more in our webinar.
