
Office 365 Security's Five Cornerstones

WRITTEN BY NATHALIE JARD JANUARY 27, 2015

Most tech professionals would agree that security in IT systems is among users’ biggest concerns, and developers are more conscious than ever of the need for robust security measures.

This is particularly true when discussing Cloud-based systems. Recent high-profile system breaches have only contributed to heightened concerns about the suitability of the Cloud for storing sensitive data.

In this blog post, we’re going to look at five areas within Office 365 that demonstrate how seriously Microsoft perceives security in their product. For each, we'll look at the features and benefits to end users and admins.

1. Enterprise grade Datacenter


In looking to respond to concerns about Cloud computing, reassurance begins with the physical storage and handling of data. The journey to understanding Office 365 security starts with the physical Datacenters that store and hold enterprise information.

Office 365 itself is the latest in a series of “software as a service” offerings that began in 2008, when Bill Gates announced that Exchange and SharePoint would be available online.

First known as the Microsoft Business Productivity Online Suite (BPOS) and built on standard server architecture ideals, these services weren’t optimized to take advantage of the Datacenter security features that Microsoft had for other services. This all changed in June 2011 when Office 365 was launched.

Microsoft have committed to being as transparent as possible by building the Office 365 Trust Center. This facility allows Office 365 security, compliance and standards to be assessed and compared to those of other providers. One major component here is the Security, Certifications and Listings page.

Two certifications that really stand out are ISO27001 and Safe Harbor. ISO27001 is an Information Security Management Systems standard covering many aspects, from HR Policies to Asset Management. It is obtained after a lengthy audit process and is maintained in a similar fashion.

Further, the fact that Microsoft are willing to insert European specific clauses into their agreements is significant as few other Cloud providers have committed to doing so.

Many European countries have stricter privacy rules than the US, a problem for any US-based Datacenter asked to handle EU data. In order to address this, the European Commission agreed a self-certification process with the US Department of Commerce.

Under this agreement, US firms can self-certify their adherence to Safe Harbor principles and publicly confirm it. Microsoft Datacenters gained Safe Harbor certification, which they review and renew annually.

2. Encryption in Transit (SSL/TLS)


Every action carried out within Office 365 is done under the watchful eye of SSL (Secure Sockets Layer) and TLS (Transport Layer Security). SSL is a security technology that establishes an encrypted link between a server and a web browser, and as such acts to make sure that all information exchanged by the server/browser remains private.

TLS is a protocol that works to enforce privacy between applications and end-users and is popular with internet banking and PayPal. For Office 365 security, this means that all customer-facing servers will arrange a secure session for any data in transit.

3. ‘Encryption at Rest’ for Exchange and OneDrive


‘Data at rest’ is data stored on a hard disk on a server, in a Datacenter. It's data that has been uploaded and isn’t being served to a user’s browser, but is sitting ready to be accessed.

In their Office 365 Security White Paper, Microsoft make one important admission regarding the service: the utilization of BitLocker, a disk encryption tool. It is deployed on servers that hold all messaging data such as emails and IM conversations.

BitLocker encryption is a data protection feature that is integrated with the operating system. It helps address the risks posed by theft of data or by exposure from lost, stolen or badly decommissioned IT equipment. ISO27001 has guidelines that insist on such measures, a proof of how seriously Microsoft take their security commitments.

More recently, a new addition was made to OneDrive known as Perfect Forward Secrecy. This technology provides forward secrecy and has been used by other Cloud providers for some time. It's applied to both the desktop site OneDrive applications and all syncing clients, making it harder for attackers to decrypt connections.

4. Data Loss Prevention (DLP)


Unlike other security aspects discussed so far, Microsoft actually allow you some choice in how you want to respond to the risk of Data Loss. Historically, they offered Data Loss Prevention utilities within Exchange and Outlook.

Bearing in mind that Office 365 is a joined-up experience that allows multiple means of collaboration, some recent tweaks have been made to the platform in order to allow real-time searches for sensitive information by role-protected admins.

Moving forward, Microsoft have discussed plans for Active Policy Evaluation and Enforcement. These features will allow more “real-time” policy enforcement across Office Applications.

5. The SharePoint permissions model


The last measures of Office 365 security are the controls the platform provides to users within SharePoint. Since day one, SharePoint has maintained a permission inheritance model from Parent to Child files. It is essential to remember, however, that this permission inheritance can be broken. Lists, libraries and sub-sites need not inherit their parents' item-level permissions. Permissions can be edited depending on the kinds of access admins want to give to users, thereby ensuring protection of sensitive data.

SharePoint also uses something known as ‘Security Trimming’. This means that links are not visible to end users if they don’t have permission to see them.
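The inheritance and security-trimming behaviour described above, modelled in Python as an added example (not SharePoint's API and not code from the original post). The class, group and item names are hypothetical, and starting a broken scope from a copy of the parent's grants is a modelling assumption.

```python
class Securable:
    """Simplified site/library/item node; a model, not SharePoint's API."""
    def __init__(self, name, parent=None, unique=None):
        self.name, self.parent, self.children = name, parent, []
        self.unique = unique  # None = inherit from parent; dict = own scope
        if parent is not None:
            parent.children.append(self)

    def assignments(self):
        """Grants from the nearest scope (self or ancestor) with unique permissions."""
        node = self
        while node.unique is None and node.parent is not None:
            node = node.parent
        return node.unique or {}

    def break_inheritance(self, copy_parent=True):
        """Stop inheriting: start from a copy of the current grants, or from none."""
        current = self.assignments()
        self.unique = {p: set(v) for p, v in current.items()} if copy_parent else {}

    def can(self, principal, permission):
        return permission in self.assignments().get(principal, set())


def broken_inheritance(root):
    """Audit helper: names of descendants that no longer inherit from their parent."""
    found = []
    for child in root.children:
        if child.unique is not None:
            found.append(child.name)
        found.extend(broken_inheritance(child))
    return found


def security_trim(principal, links):
    """Security trimming: keep only the links the principal is allowed to view."""
    return [n.name for n in links if n.can(principal, "view")]


def demo():
    # Constructed sample hierarchy and groups (hypothetical names).
    site = Securable("Site", unique={"staff": {"view"}, "hr": {"view", "edit"}})
    docs = Securable("Documents", site)          # inherits from Site
    payroll = Securable("Payroll", site)
    payslip = Securable("Payslips.xlsx", payroll)  # inherits from Payroll
    payroll.break_inheritance()                  # Payroll gets its own scope
    del payroll.unique["staff"]                  # restrict the sensitive library
    return site, docs, payroll, payslip
```

Reviewing the output of `broken_inheritance` periodically is the useful habit here: every entry is a place where access no longer follows the parent and has to be checked on its own.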

Office 365 Security is the foundation of a good system

It's no revelation that security is a crucial foundation of any IT System. The costs of not addressing security are potentially enormous, and Microsoft are therefore taking considerable measures to help clients ensure all round protection. Compliance, governance and physical security issues are addressed in Office 365, as seen with the features described in this post. As such, Office 365 Security really can be seen as the epicenter of a good and durable system.

What security measures are in place in your organization? Do you already use these five practices?